MLUG: RE: [MLUG] linux xterm on win X client

Quoting Jason Youngquist <EMAIL:PROTECTED>:

> It should do it automatically.  All you need to do is
> put xhost + on the machine you want the Xwindows to
> forward to.  You don't need to mess with the target
> display stuff...

Umm, this is *not* the way to go.  What you're 
basically doing with this is encrypting your data 
stream from the remote host to your local host so that 
nobody can read it (which is good!), but then opening 
up your local host so that it will feel absolutely free 
to tell anyone who cares to ask what is going on with 
your X server (like what is being displayed, what 
you're typing, etc.).  There's an old program out there 
called 'xkey' that will read keystrokes from any such 
open X servers.  The SGI supercluster has fallen victim 
to this at least once in its history!

What's going on with the SSH forwarding is that SSH is 
creating a tunnel of sorts.  It starts listening on, 
say, port 6010 on the remote machine.  It then takes 
any data that gets put on remote:6010 and sends that 
data to local:6000.  (6000 is the default X port.)  It 
forwards from local:6000 to remote:6010 as well.  It 
then sets as part of your login your DISPLAY 
environment variable to :10.  This is the localhost to 
that remote machine, which then gets cryptographically 
tunnelled to your local machine.

Now, SSH is nice in that it will, by default, deny 
connections to remote:6010 that do not originate on the 
remote machine.  (one and only one host can connect.)  

If you feel that this is sufficient for security, then 
you can just tell your local X server to accept any 
localhost connections (xhost +localhost).  This leaves 
two things open:

* Connections from your local host (not an issue on
  Windows)
* Connections to remotehost:6010 from someone else on 
  remotehost.

If either of these bothers you, what you need to do is 
set up an .xauthority.  xauth (creator and user 
of .xauthority files) will, simply put, ask for a bit 
of data that supposedly identifies you as being you, 
wherever you are on the network.  When you start a 
session from something like XDM, this is created for 
you.  If not, there's a way to get xauth to create one 
by command.  In order for a connection to succeed when 
xauth is being used, the bits of data on both ends 
(server and client) must match.
  
If you're going from UNIX to UNIX, the transfer of this 
information is done automagically.  If you're going 
from Windows to UNIX, you'll have to look at the 
documentation that comes with your X server on how to 
set up an xauthority file, and go from there.  Remember 
to transmit the contents of that xauthority file only 
over an encrypted line!

Hope this helps,
--Mark
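
Added example, not part of the original message: a Python sketch of the "bits of data on both ends must match" check, assuming the MIT-MAGIC-COOKIE-1 scheme and the standard .Xauthority record layout. The hostnames, the cookie bytes and all function names are constructed for illustration.

```python
import hmac
import struct

FAMILY_LOCAL = 256                 # FamilyLocal: entry keyed by hostname
COOKIE = b"MIT-MAGIC-COOKIE-1"     # assumed scheme: one shared secret

def pack_entry(family, address, number, name, data):
    """One record: 16-bit big-endian family, then 4 length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def _u16(blob, pos):
    if pos + 2 > len(blob):
        raise ValueError("truncated .Xauthority record")
    return struct.unpack_from(">H", blob, pos)[0], pos + 2

def parse_xauthority(blob):
    """Return a list of (family, address, number, name, data) tuples."""
    entries, pos = [], 0
    while pos < len(blob):
        family, pos = _u16(blob, pos)
        fields = []
        for _ in range(4):
            size, pos = _u16(blob, pos)
            if pos + size > len(blob):
                raise ValueError("truncated .Xauthority record")
            fields.append(blob[pos:pos + size])
            pos += size
        entries.append((family, *fields))
    return entries

def cookie_for(blob, display):
    """Cookie stored for a display number such as b"10", or None."""
    for _family, _addr, number, name, data in parse_xauthority(blob):
        if number == display and name == COOKIE:
            return data
    return None

def cookies_match(srv, srv_display, cli, cli_display):
    """True only if both ends hold the same cookie for their display."""
    s, c = cookie_for(srv, srv_display), cookie_for(cli, cli_display)
    return s is not None and c is not None and hmac.compare_digest(s, c)

# Constructed sample data: local display :0, forwarded remote display :10.
SECRET = bytes(range(16))
LOCAL = pack_entry(FAMILY_LOCAL, b"local", b"0", COOKIE, SECRET)
REMOTE = pack_entry(FAMILY_LOCAL, b"remote", b"10", COOKIE, SECRET)
STALE = pack_entry(FAMILY_LOCAL, b"remote", b"10", COOKIE, bytes(16))
```

A client holding STALE, or holding no entry for display 10 at all, fails the comparison and would be refused.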