I've three independent hosts - imaginatively called A, B and C.

Firewall rules dictate that A can be directly accessed from B, but not
from C... A and B run the openssh sshd, and C is a terminal with a
working X-Windows display. C has a ssh session opened with B which
tunnels port 22 on C to 22 on A. Thereafter, it is possible to ssh to
localhost on C and get a ssh connection to A, which in turn I
successfully use to tunnel IMAP, SMTP, Squid - etc. I'd have expected
to be able to tunnel X11 over this link from C to A - but it fails...
I'm unclear if the reason for the failure is the additional
tunnelling... Is this technique incompatible with X11 tunnelling? Is
there a way to make it work with a reverse-tunnel or something like
that? Am I barking up the wrong tree entirely?

--
HostC# echo $DISPLAY
:0.0
HostC# cat .ssh/config
ForwardX11 yes
HostC# ssh localhost -X
HostA# echo $DISPLAY

HostA# exit
HostC# ssh localhost -Y
HostA# echo $DISPLAY

HostA# exit
HostC#
--

If I use -v -v I get this output... Curiously I have
/usr/X11R6/bin/xauth on HostC, but xauth is in /usr/bin on host A.
--
HostC# ssh localhost -Y
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /home/user/.ssh/config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/user/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@×××××××.com,zlib
debug2: kex_parse_kexinit: none,zlib@×××××××.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@×××××××.com
debug2: kex_parse_kexinit: none,zlib@×××××××.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 121/256
debug2: bits set: 483/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:4
debug2: bits set: 540/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/identity (0x0)
debug2: key: /home/user/.ssh/id_rsa (0x0)
debug2: key: /home/user/.ssh/id_dsa (0x1002ac08)
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/identity
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Offering public key: /home/user/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 432
debug2: input_userauth_pk_ok: fp a5:97:1e:c3:8b:72:0c:91:69:13:32:25:95:8b:8d:c7
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/X11R6/bin/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 4 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
--

--
gentoo-user@g.o mailing list
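
An added example, not part of the original post: the client log above shows the X11 request being sent without asking for confirmation (`x11-req confirm 0`), so a refusal by sshd is silent and shows up only as an empty `$DISPLAY`. sshd sets up the forwarding only when `X11Forwarding` is `yes` and the xauth program it is configured for exists, which this sketch checks on the server side. The function names and the `/usr/bin/xauth` fallback are assumptions made for the example; the compiled-in xauth path varies by build.

```shell
#!/bin/sh
# Added example: report the sshd settings that decide whether an X11
# forwarding request is honoured. Run on the SSH server (host A in the post).

# Print the first value given for keyword $2 in sshd config file $1.
# sshd keywords are case-insensitive and the first occurrence wins.
# Simplification: parsing stops at the first Match block, and the
# "Keyword=value" spelling is not handled.
sshd_opt() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_x11_fwd <sshd_config> [fallback xauth path]
# Returns 0 if forwarding can work, 1 if disabled, 2 if xauth is missing.
check_x11_fwd() {
    cfg=$1
    fallback_xauth=${2:-/usr/bin/xauth}   # assumed build default
    fwd=$(sshd_opt "$cfg" X11Forwarding)
    xauth=$(sshd_opt "$cfg" XAuthLocation)
    fwd=${fwd:-no}                        # OpenSSH default when unset
    xauth=${xauth:-$fallback_xauth}

    case $(printf %s "$fwd" | tr 'A-Z' 'a-z') in
        yes) ;;
        *)  echo "FAIL: X11Forwarding is '$fwd' in $cfg"
            return 1 ;;
    esac
    # sshd refuses to forward with spoofing if it cannot find xauth here.
    if [ ! -x "$xauth" ]; then
        echo "FAIL: no xauth at $xauth (set XAuthLocation in $cfg)"
        return 2
    fi
    echo "OK: X11Forwarding yes, xauth at $xauth"
}

# Stand-alone use: sh check_x11.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    check_x11_fwd "$@"
fi
```

After changing `sshd_config`, sshd has to reload its configuration and the SSH session has to be re-established before `$DISPLAY` will be set.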