l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
October 7: Social gathering
Next Installfest:
TBD
Latest News:
Aug. 18: Discounts to "Velocity" in NY; come to tonight's "Photography" talk
Page last updated:
2001 Dec 30 17:11

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] X, SSH across Internet through NAT
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] X, SSH across Internet through NAT



Thanks ME,

That's a lot of information, I'm going to have to digest for a little while.
I neglected to tell you, but yes, I do have hummingbird (exceed) on my win32
box.  I'll have to look around for the settings for X11 stuff

Jay
----- Original Message -----
From: "ME" <dugan@passwall.com>
To: <vox-tech@franz.mother.com>
Sent: Friday, October 12, 2001 2:22 PM
Subject: Re: [vox-tech] X, SSH across Internet through NAT


> On Fri, 12 Oct 2001, Jay Strauss wrote:
> > Is this possible, I have (crappy) linksys dsl router/NAT devices set up
> > on other sides of the internet.  Behind one is my SSH client, behind the
> > other is my SSH server (on my deb box):
>
> It can be done if you can establish an ssh session from the source NAT-ed
> host to the destintaion NAT-ed host.
>
> > SSH                                  SSHd
> > Client                               Debian
> > (putty)                              192.168.5.102
> > 192.168.5.100
> >      |                                  |
> >      |                                  |
> >      |                                  |
> >      |               internet           |
> > 192.168.5.254   ===================  192.168.5.254
> > Linksys                              Linksys
> > NAT                                  NAT
> > xxx.xxx.xxx.xxx                      yyy.yyy.yyy.yyy
>
> Cool ASCII Drawing. (ME likes it)
>
> > I am able to SSH from the client to the server, but when I try to start
an
> > xterm:
>
> Whoah! Dejavu!
>
> > 192.168.5.102:jstrauss> xterm -display xxx.xxx.xxx.xxx
>
> In this case, you are probably trying to tell the remote machine to use an
> X $DISPLAY that would try to connect to the NAT-ed IP address and there is
> no service on the NAT linksys router to perform this by default. Also, the
> remote host does not know how to get to your reserved network IP address
> used in the NAT LAN at "home".
>
> By default most new ssh clients/servers seem to be shipping with disabled
> X forwarding by default due to security conerns with X.
>
> > It just hangs.  Now I figure I can't really send the display to the
linksys
> > device in front of my client, but where
> > else can I send it?  I can't send it to 192.168.5.100, cause it will try
to
> > route to it's local LAN.  Is what I'm trying impossible?  I thought you
> > could run X through (some sort of encrypted tunnel) ssh all the way back
to
> > the client.
>
> You can generally offer X updates/draw through an ssh session, but there
> are security implications with this. If you have one of the newer ssh
> varients (openssh or ssh2) then check the options when starting ssh. For
> one, I think you can add "-X" and the other you can add "-x" to explicitly
> state you want to tunnel X through SSH. (Not exactly sure, which is which
> ans which one uses "-X" for enable, but one seems to use -x for disable,
> so check your man pages to be sure.)
>
> Once you have enabled X through SSH, you will/should have a new env var on
> the remote machine called $DISPLAY. echo $DISPLAY in the shell on the
> remote machine to see if it is set. It will probably be a local high port
> like "yourhostname:11.0"
>
> You should be able to then start X apps on the remote location and have
> them appear on your local screen automagically.
>
> The cost of X through ssh is you will take a processor hit, and smooth
> graphics and video won't be so smooth. You will/should notice more lag
> than when you compare it to a non-encrypted session. If you are going from
> one NAT-ed host to another NAT-ed host, using an ssh session is the
> easiest way to get the stuff to yourself, but with the cost of speed and
> the X security issue.
>
> > One more thing, when I'm pick up my laptop and bring it home (onto the
LAN
> > where my sshd is located).  I'm able to get an xterm sent sent locally,
but
> > how do I know its even using the ssh tunnel and not just sending it
clear
> > text?
>
> Use a sniffer. :-) Or you can examine your env variable $DISPLAY to see if
> it is set to send to the remote host, or is using the localhost and then
> SSH.
>
> Also, I just noticed that you mention "putty" as your client side. Most of
> the above (-X flag for enabling X session stuff) is/was for the
> openssh/fsecure ports of client ssh. I have not used this client (putty),
> so you should check to see if it offers X11 forwarding/redirection. If it
> does, then make sure you have enabled this option. If this is on Windows
> (Win32) then you need to have an X11 Server for windows (or if on the mac,
> then one for the mac).
>
> If you do not have an X-Server for your windows/mac machine, i think you
> can get one for trial for Mac or Windows called MI/X
> http://tnt.microimages.com/www/html/freestuf/mix/
> I used that before (or at least an earlier one) and it seemed to work for
> most of the things I wanted to use at the time. It was rather feature
> limited, but the price at the times sounded right.
>
> There was one out there called Hummingbird Exceed or soemthing like that
> but I think it co$t a bit more. People that have used said they liked it,
> but what do people know anyway? They are only human. ;-)
>
> Others here may have more up-to-date suggestions on W32 based XServers
> that are fresh on the menu.
>
> -ME
>
> P.S. Just found from from putty docs:
> http://www.tartarus.org/~simon/puttydoc/output.txt
> 3.16.1 X11 forwarding
>
>        If your server lets you run X Window System applications, X11
>        forwarding allows you to securely give those applications access to
>        a local X display on your PC.
>
>        This feature will only be useful if you have an X server on your
PC,
>        such as Exceed or XWin32.
>
>        To enable X11 forwarding, check the `Enable X11 forwarding' box. If
>        your X display is not the primary display on your local machine
>        (which it almost certainly will be unless you have deliberately
>        arranged otherwise), you need to enter its location in the `X
>        display location' box.
>
> Which really answers your last Q more more directly.
> That options should set the env var $DISPLAY on the remote machine. Check
> echo $DISPLAY to see if it does.
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$)
P+$>+++
> L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
> t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
> ------END GEEK CODE BLOCK------
> decode: http://www.ebb.org/ungeek/ about:
http://www.geekcode.com/geek.html
>      Systems Department Operating Systems Analyst for the SSU Library


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!