X11 Forwarding in sshd

 
YLTan
Frequent Advisor

X11 Forwarding in sshd

I need to put up SSH for Xwindows. I have an Xwindow client such as Exceed on the client PC; what do I need to configure at sshd to enable X11 forwarding? I saw these parameters in sshd_config; should I enable all of these? On the client side, I am using these: SecureCRT, the SSH client from SSH Communication, KEA!X, and Exceed.
tyl
5 REPLIES 5
Michael Tully
Honored Contributor

Re: X11 Forwarding in sshd

Hi,

Have a look at this posting.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x0d1c6049dbb6d611abdb0090277a778c,00.html

Cheers
Michael
Anyone for a Mutiny ?
YLTan
Frequent Advisor

Re: X11 Forwarding in sshd

Hi Michael,

Thanks for the posting.

One question;

Do I need to disable some daemon or process for X11 when I use it for encrypted X11, like how I disable telnet services from inetd.conf? Does X11 have something similar?
tyl
Colin Topliss
Esteemed Contributor

Re: X11 Forwarding in sshd

If you mean you want to disable CDE on the server, then just stop dtlogin from starting (have a look in /etc/rc3.d and have a look for dtlogin.rc). Stopping that will prevent anyone from doing an XDMCP broadcast/query/passive connection to the CDE login server on that system.

However, there are a few things you need to consider.

Firstly, have you thought about how you are going to be able to connect to the system if dtlogin and telnet are disabled and a problem occurs with the sshd (which is not unknown)? Do you have GSP access, or physical access to the system? If not, how do you intend to get access to be able to fix the problem?

Despite what some security people may say, you can make a system too secure (great until a problem occurs - I've seen it and had to deal with it).
YLTan
Frequent Advisor

Re: X11 Forwarding in sshd



I don't want to disable dtlogin altogether, but rather restrict access. Since Xwindows access goes by display number and screen number, and the sshd X11 forwarding default is :10.0, can I make Xwindows accept connections only on :10.0 and not others such as :0.0 or 1:0 or 1:1 or :0.1 etc.?

I'm not sure if this is possible.

Another thing I need to ask is, do I need to port forward port 6000 and 7000 together with X11 forwarding enabled at the client? How do I know if the Xwindows traffic is going via an encrypted channel?
tyl
John Payne_2
Honored Contributor

Re: X11 Forwarding in sshd

XL,

In the link that Michael gives, Rick Beldin explains the problem with X11 forwarding. The fix he gives is to modify sshd_conf to say X11UseLocalhost no.

This is a fix for Openssh, not the ssh from the ssh.com people. About a month ago, I searched and searched for the same fix for the ssh.com ssh, and could not find it. I tried recompiling their ssh and tried to point it away from the X11R5 stuff, but that didn't seem to work. (We have the educational institution version. It doesn't come with support of any kind...)

Installing the Openssh HP bundles into the Applications CD's installs quickly, and after editing the sshd_config file (at a maximum of 1 minute for that) you are up and running on ssh with X11 forwarding working in about 2 minutes. (At least I was.)

If you have the commercial version of ssh from ssh.com, (meaning you paid for it.) I suggest calling them and asking what the deal is. (You already know now, maybe you need to enlighten them.) They may or may not have a fix. If not, HP's port of Openssh is freely available to you.

Hope it helps

John
Spoon!!!!
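
Added example (not part of any post in this thread): a shell check for the question of whether X traffic is going through the SSH tunnel, reading the OpenSSH `sshd_config` keywords `X11Forwarding`, `X11DisplayOffset` and `X11UseLocalhost` and classifying a `DISPLAY` value. The function names and the sample config are constructed for illustration, `Match` blocks are ignored, and the display-number test is a heuristic.

```shell
#!/bin/sh
# Added example; the sample config below is constructed, not taken from the thread.

# Effective value of an sshd_config keyword: keywords are case-insensitive and
# the first occurrence wins; print DEFAULT when the keyword is not set.
sshd_opt() {  # usage: sshd_opt FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Classify a DISPLAY value. Display n maps to TCP port 6000+n; sshd hands out
# displays starting at X11DisplayOffset, so n >= offset suggests its proxy.
classify_display() {  # usage: classify_display DISPLAY OFFSET
    host=${1%%:*}
    num=${1##*:}; num=${num%%.*}
    case $num in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    if [ "$num" -ge "$2" ]; then
        echo "ssh-forwarded port=$((6000 + num))"
    elif [ -z "$host" ] || [ "$host" = unix ]; then
        echo "local-socket"
    else
        echo "direct-tcp port=$((6000 + num))"   # unencrypted X11 over TCP
    fi
}

# One-line summary of the server settings and the session's DISPLAY.
x11_report() {  # usage: x11_report SSHD_CONFIG DISPLAY
    fwd=$(sshd_opt "$1" X11Forwarding no)
    off=$(sshd_opt "$1" X11DisplayOffset 10)
    loc=$(sshd_opt "$1" X11UseLocalhost yes)
    echo "forwarding=$fwd offset=$off localhost_only=$loc display=$(classify_display "$2" "$off")"
}

# Constructed sample input so the example runs offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample sshd_config
X11Forwarding yes
x11displayoffset 10
X11UseLocalhost no
EOF
x11_report "$SAMPLE" "localhost:10.0"
x11_report "$SAMPLE" "pc1:0.0"
```

With `X11UseLocalhost no`, sshd binds the forwarding listener to the wildcard address instead of loopback, so the 6000+n port is reachable from other hosts. A `direct-tcp` result means the X client is talking to the X server outside the SSH session.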