| 1 |
I've three independent hosts - imaginatively called A, B and C. |
| 2 |
|
| 3 |
Firewall rules dictate that A can be directly accessed from B, but not |
| 4 |
from C... A and B run the openssh sshd, and C is a terminal with a |
| 5 |
working X-Windows display. C has a ssh session opened with B which |
| 6 |
tunnels port 22 on C to 22 on A. Thereafter, it is possible to ssh to |
| 7 |
localhost on C and get a ssh connection to A, which in turn I |
| 8 |
successfully use to tunnel IMAP, SMTP, Squid - etc. I'd have expected |
| 9 |
to be able to tunnel X11 over this link from C to A - but it fails... |
| 10 |
I'm unclear if the reason for the failure is the additional |
| 11 |
tunnelling... Is this technique incompatible with X11 tunnelling? Is |
| 12 |
there a way to make it work with a reverse-tunnel or something like |
| 13 |
that? Am I barking up the wrong tree entirely? |
| 14 |
|
| 15 |
-- |
| 16 |
HostC# echo $DISPLAY |
| 17 |
:0.0 |
| 18 |
HostC# cat .ssh/config |
| 19 |
ForwardX11 yes |
| 20 |
HostC# ssh localhost -X |
| 21 |
HostA# echo $DISPLAY |
| 22 |
|
| 23 |
HostA# exit |
| 24 |
HostC# ssh localhost -Y |
| 25 |
HostA# echo $DISPLAY |
| 26 |
|
| 27 |
HostA# exit |
| 28 |
HostC# |
| 29 |
-- |
| 30 |
|
| 31 |
If I use -v -v I get this output... Curiously I have |
| 32 |
/usr/X11R6/bin/xauth on HostC, but xauth in in /usr/bin on host A. |
| 33 |
-- |
| 34 |
HostC# ssh localhost -Y |
| 35 |
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006 |
| 36 |
debug1: Reading configuration data /home/user/.ssh/config |
| 37 |
debug2: ssh_connect: needpriv 0 |
| 38 |
debug1: Connecting to localhost [127.0.0.1] port 22. |
| 39 |
debug1: Connection established. |
| 40 |
debug1: identity file /home/user/.ssh/identity type -1 |
| 41 |
debug1: identity file /home/user/.ssh/id_rsa type -1 |
| 42 |
debug2: key_type_from_name: unknown key type '-----BEGIN' |
| 43 |
debug2: key_type_from_name: unknown key type '-----END' |
| 44 |
debug1: identity file /home/user/.ssh/id_dsa type 2 |
| 45 |
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3 |
| 46 |
debug1: match: OpenSSH_4.3 pat OpenSSH* |
| 47 |
debug1: Enabling compatibility mode for protocol 2.0 |
| 48 |
debug1: Local version string SSH-2.0-OpenSSH_4.3 |
| 49 |
debug2: fd 4 setting O_NONBLOCK |
| 50 |
debug1: SSH2_MSG_KEXINIT sent |
| 51 |
debug1: SSH2_MSG_KEXINIT received |
| 52 |
debug2: kex_parse_kexinit: |
| 53 |
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 |
| 54 |
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss |
| 55 |
debug2: kex_parse_kexinit: |
| 56 |
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr |
| 57 |
debug2: kex_parse_kexinit: |
| 58 |
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr |
| 59 |
debug2: kex_parse_kexinit: |
| 60 |
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96 |
| 61 |
debug2: kex_parse_kexinit: |
| 62 |
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr |
| 63 |
debug2: kex_parse_kexinit: |
| 64 |
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr |
| 65 |
debug2: kex_parse_kexinit: |
| 66 |
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96 |
| 67 |
debug2: kex_parse_kexinit: |
| 68 |
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96 |
| 69 |
debug2: kex_parse_kexinit: none,zlib@×××××××.com,zlib |
| 70 |
debug2: kex_parse_kexinit: none,zlib@×××××××.com,zlib |
| 71 |
debug2: kex_parse_kexinit: |
| 72 |
debug2: kex_parse_kexinit: |
| 73 |
debug2: kex_parse_kexinit: first_kex_follows 0 |
| 74 |
debug2: kex_parse_kexinit: reserved 0 |
| 75 |
debug2: kex_parse_kexinit: |
| 76 |
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 |
| 77 |
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss |
| 78 |
debug2: kex_parse_kexinit: |
| 79 |
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr |
| 80 |
debug2: kex_parse_kexinit: |
| 81 |
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr |
| 82 |
debug2: kex_parse_kexinit: |
| 83 |
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96 |
| 84 |
debug2: kex_parse_kexinit: |
| 85 |
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96 |
| 86 |
debug2: kex_parse_kexinit: none,zlib@×××××××.com |
| 87 |
debug2: kex_parse_kexinit: none,zlib@×××××××.com |
| 88 |
debug2: kex_parse_kexinit: |
| 89 |
debug2: kex_parse_kexinit: |
| 90 |
debug2: kex_parse_kexinit: first_kex_follows 0 |
| 91 |
debug2: kex_parse_kexinit: reserved 0 |
| 92 |
debug2: mac_init: found hmac-md5 |
| 93 |
debug1: kex: server->client aes128-cbc hmac-md5 none |
| 94 |
debug2: mac_init: found hmac-md5 |
| 95 |
debug1: kex: client->server aes128-cbc hmac-md5 none |
| 96 |
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent |
| 97 |
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP |
| 98 |
debug2: dh_gen_key: priv key bits set: 121/256 |
| 99 |
debug2: bits set: 483/1024 |
| 100 |
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent |
| 101 |
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY |
| 102 |
debug1: Host 'localhost' is known and matches the RSA host key. |
| 103 |
debug1: Found key in /home/user/.ssh/known_hosts:4 |
| 104 |
debug2: bits set: 540/1024 |
| 105 |
debug1: ssh_rsa_verify: signature correct |
| 106 |
debug2: kex_derive_keys |
| 107 |
debug2: set_newkeys: mode 1 |
| 108 |
debug1: SSH2_MSG_NEWKEYS sent |
| 109 |
debug1: expecting SSH2_MSG_NEWKEYS |
| 110 |
debug2: set_newkeys: mode 0 |
| 111 |
debug1: SSH2_MSG_NEWKEYS received |
| 112 |
debug1: SSH2_MSG_SERVICE_REQUEST sent |
| 113 |
debug2: service_accept: ssh-userauth |
| 114 |
debug1: SSH2_MSG_SERVICE_ACCEPT received |
| 115 |
debug2: key: /home/user/.ssh/identity (0x0) |
| 116 |
debug2: key: /home/user/.ssh/id_rsa (0x0) |
| 117 |
debug2: key: /home/user/.ssh/id_dsa (0x1002ac08) |
| 118 |
debug1: Authentications that can continue: publickey |
| 119 |
debug1: Next authentication method: publickey |
| 120 |
debug1: Trying private key: /home/user/.ssh/identity |
| 121 |
debug1: Trying private key: /home/user/.ssh/id_rsa |
| 122 |
debug1: Offering public key: /home/user/.ssh/id_dsa |
| 123 |
debug2: we sent a publickey packet, wait for reply |
| 124 |
debug1: Server accepts key: pkalg ssh-dss blen 432 |
| 125 |
debug2: input_userauth_pk_ok: fp |
| 126 |
a5:97:1e:c3:8b:72:0c:91:69:13:32:25:95:8b:8d:c7 |
| 127 |
debug1: read PEM private key done: type DSA |
| 128 |
debug1: Authentication succeeded (publickey). |
| 129 |
debug1: channel 0: new [client-session] |
| 130 |
debug2: channel 0: send open |
| 131 |
debug1: Entering interactive session. |
| 132 |
debug2: callback start |
| 133 |
debug2: x11_get_proto: /usr/X11R6/bin/xauth list :0.0 2>/dev/null |
| 134 |
debug1: Requesting X11 forwarding with authentication spoofing. |
| 135 |
debug2: channel 0: request x11-req confirm 0 |
| 136 |
debug2: client_session2_setup: id 0 |
| 137 |
debug2: channel 0: request pty-req confirm 0 |
| 138 |
debug2: channel 0: request shell confirm 0 |
| 139 |
debug2: fd 4 setting TCP_NODELAY |
| 140 |
debug2: callback done |
| 141 |
debug2: channel 0: open confirm rwindow 0 rmax 32768 |
| 142 |
debug2: channel 0: rcvd adjust 131072 |
| 143 |
-- |
| 144 |
|
| 145 |
|
| 146 |
-- |
| 147 |
gentoo-user@g.o mailing list |
Archives