YamSeng
asked on
SSH X Forwarding
I do understand that SSH X Forwarding can be done in this manner (correct me if I'm wrong), i.e.
SSH Client logs in to SSH Server.
Runs an X Window application in the connected SSH terminal, such as "xterm" or "xeyes", and SSH automatically (usually) forwards the X display to the SSH Client machine.
a.com$>ssh b.com
login successfully
b.com$>xeyes
And xeyes will be displayed on a.com.
If my understanding of SSH X Forwarding is correct, then is it possible for the server to establish a connection from SSH server to the client instead and open up xeyes?
Assuming that client also has an SSH server running.
ie. b.com ssh to a.com and runs the X Window application on a.com's X server.
regards
Yam
ASKER
hmm......but -display would actually use the X Window System to display the graphics using the X Server at c.com right?
If it's so, then the channel between c.com and a.com would just be a purely data channel. Not encrypted.
I was thinking of using the SSH X Forwarding instead of the X Window System.
I think my previous example of what I want to do may not be too clear. Let me have another go.
server.com ssh to client.com, runs an X client on server, but display it on client.com. All of these done using SSH X Forwarding, and not X Window System.
Yam
<<If my understanding of SSH X Forwarding is correct, then is it possible for the server to establish
a connection from SSH server to the client instead and open up xeyes?>>
The server _never_ initiates the session.
> runs a X client on server, but display it on client.com.
this is encrypted, 'cause ssh tunnels X
ASKER
ahoffman,
so to use ssh to tunnel the X, I should use the command you mentioned earlier right? ie
a.com$> ssh b@b.com ssh a@a.com xterm -display c.com:0
so for this command, how many ssh connections would there be? will there be 1 from b.com to a.com and another one from a.com to b.com?
I can only initiate 1 ssh connection from server.com (with X client) out to a client.com (with X server).
hmm, as I understand your questions in previous comment, you do not yet know what you want to do.
Could you please clarify for you, and then print it for me here:
- at which host do you want to have the application displayed
- at which host should the application run
- at which host are you typing on the keyboard
- which connection should/must be encrypted
Meanwhile, just answering question from previous comment:
> .. I should use the command you mentioned ..
depends
> .. how many ssh connections ..
2
> will there be ..
yes
> I can only initiate 1 ssh connection ..
my command does only initiate one connection per host
ASKER
Hi ahoffman,
Initially I was using the X Window to forward the DISPLAY. So I ran my application (X Client) on my server, and display it on my client(X Server), with the keyboard and everything on the client as well. So it was something like this:
server.com$>setenv DISPLAY client.com:0.0
server.com$>xeyes
And xeyes will be displayed on client.com and also receiving keyboard and mouse entries from there too. However, between server.com and client.com there is a data channel from server.com to client.com. 1 way. And it was not encrypted.
I was thinking of replacing this with SSH X Forwarding instead. However, I cannot let client.com to establish a connection from client.com to server.com as my server.com has a firewall blocking incoming tcp traffic. That is why my initial X Window System method works as it's just going out of the server.com.
I hope the above information is clear enough now. Sorry about the initial posts, I think I wasn't clear enough.
client.com - at which host do you want to have the application displayed
server.com - at which host should the application run
client.com - at which host are you typing on the keyboard
- which connection should/must be encrypted: I need only 1 encrypted connection from server.com going to client.com. Just like the way I use X Window System to set the display to another machine.
regards
Yam
client.com$> ssh user@server.com
# then you're on server.com, ssh should have set DISPLAY proper
server.com$> xeyes
this way you have encryption in both ways, 'cause ssh uses its private port to tunnel all the X-traffic (if X-Forwarding is enabled).
ASKER
but if the firewall blocks all incoming traffic to server.com, the first statement:
client.com$>ssh user@server.com
will not be successful isn't it?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
BTW, you should not set the DISPLAY variable explicitly
when using SSH X-forwarding. It will be set for you
by the SSH server
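Added example (not part of the original thread, and not code from OpenSSH): a small shell helper that classifies a DISPLAY value by the transport an X client would use, showing why an explicit "setenv DISPLAY client.com:0.0" sends X traffic in the clear while the value sshd sets keeps it inside the tunnel. The function name and labels are hypothetical, and the check is a heuristic that assumes the sshd defaults X11UseLocalhost yes and X11DisplayOffset 10.

```shell
#!/bin/sh
# Added example: classify a DISPLAY value by the transport an X client would use.
# classify_display and its labels are hypothetical names, not part of OpenSSH or X11.
# Assumes sshd defaults: X11UseLocalhost yes, X11DisplayOffset 10.

classify_display() {
    d=$1
    [ -n "$d" ] || { echo "unset"; return 0; }
    case $d in
        *:*) ;;
        *) echo "invalid"; return 0 ;;
    esac
    host=${d%:*}       # everything before the last ':'
    rest=${d##*:}      # "N" or "N.S" (display[.screen])
    num=${rest%%.*}    # display number N
    case $num in
        ''|*[!0-9]*) echo "invalid"; return 0 ;;
    esac
    case $host in
        ''|unix)
            # Unix-domain socket on this machine; nothing crosses the network.
            echo "local-socket" ;;
        localhost|127.0.0.1|::1)
            if [ "$num" -ge 10 ]; then
                # Loopback listener at or above the offset: most likely sshd's
                # X11 proxy, so the X traffic rides inside the SSH connection.
                echo "ssh-forwarded"
            else
                echo "loopback-tcp"
            fi ;;
        *)
            # Direct X11 over TCP to another host: port 6000+N, not encrypted.
            echo "cleartext-tcp $host:$((6000 + num))" ;;
    esac
}

# Constructed sample values, including the ones used in the thread.
for sample in "client.com:0.0" "localhost:10.0" ":0" "c.com:0" ""; do
    printf '%-16s -> %s\n' "${sample:-<empty>}" "$(classify_display "$sample")"
done
```

Running it against "$DISPLAY" inside an SSH session is a quick way to confirm that a login script has not overridden the value sshd set.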
Yes.
If a.com runs sshd with X-Forwarding enabled.
Then the only important part is the DISPLAY environment variable, or the -display option passed to the application.
A more or less useful example:
a.com$> ssh b@b.com ssh a@a.com xterm -display c.com:0
(assuming that X ports are available, and xauth allows it)