[wplug] Tunneling X across multiple SSH hops?

Edward Walter ewalter at walterama.com
Thu Apr 21 16:00:49 EDT 2005


It's a bit kludgy, but you can tunnel SSH through SSH.  I haven't tested
the X11 forwarding bit recently, but this used to work:

ssh -L 8022:host.behind.nat:22 user@public.host.address

and then

ssh -X user@localhost -p 8022

The downside is that you're encrypting everything twice...

-Ed


>
>> -----Original Message-----
>> From: wplug-bounces+don.vanco=agilysys.com at wplug.org
>> [mailto:wplug-bounces+don.vanco=agilysys.com at wplug.org] On
>> Behalf Of Poyner, Brandon
>> Sent: Thursday, April 21, 2005 1:34 PM
>> To: General user list
>> Subject: RE: [wplug] Tunneling X across multiple SSH hops?
>>
>>
>> The first hop machine does not need to have X installed but it must at
>> least have xauth installed.  If you run 'xauth list' after connecting
>> through ssh does it report magic cookie information?  Does the
>> $DISPLAY environment variable get set?
>
> 	Well, that hoses that idea - the first hop is a (old) VMWare ESX
> box - no xauth on there.
>
>
>
>> -----Original Message-----
>> From: wplug-bounces+bpoyner=ccac.edu at wplug.org
>> [mailto:wplug-bounces+bpoyner=ccac.edu at wplug.org] On Behalf Of Vanco, Don
>> Sent: Thursday, April 21, 2005 1:14 PM
>> To: General user list
>> Subject: RE: [wplug] Tunneling X across multiple SSH hops?
>>
> wplug-bounces+don.vanco=agilysys.com at wplug.org <> scribbled on :
>
>>> On Fri, Apr 15, 2005 at 02:06:08PM -0400, Vanco, Don wrote:
>>>> Anyone have a quick-n-dirty set of instructions for getting X to
>>>> "play nice" across multiple SSH hops?
>>>
>>> Just use "-X" (forward X connection) along each hop:
>>>    A$ ssh -X B
>>>    B$ ssh -X C
>>>    C$ xclock
>>> displays the clock on A.
>>>
>>> You might have to make sure that X forwarding is enabled in your
>>> configuration (ForwardX11 in ssh_config, X11Forwarding in
>>> sshd_config)
>>
>> 	This is what I expected to work - but it does not:
>> first hop (via SSH):
>> login as: vancod
>> Sent username "vancod"
>> vancod@206.132.103.194's password:
>> Last login: Tue Apr 22 13:17:02 2003 from psefw-web.agilysys.com
>>
>> Second hop:
>> [vancod@claw vancod]$ ssh root@10.10.10.113
>> root@10.10.10.113's password:
>> Last login: Thu Apr 21 12:54:38 2005 from 10.10.10.200
>> [root@titan root]# xclock
>> Error: Can't open display:
>>
>> 	All of the SSH config files are set to forward X.
>>
>> 	One key thing I forgot to mention - the firewall...
>> 	I am guessing that because I access server one _through_ a
>> Microsoft ISA <ahem> firewall that the relevant port data is not passing
>> through.  As these are not Internet routable I have to go via gateway
>> devices...
>>
>>
>> Don
>>
>> _______________________________________________
>> wplug mailing list
>> wplug at wplug.org
>> http://www.wplug.org/mailman/listinfo/wplug
>
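
The two-command tunnel from Ed's reply at the top of this message, written as an ssh_config fragment. This is an added example, not part of the original post: the aliases `gateway` and `inner` and the `ExitOnForwardFailure`, `HostKeyAlias` and `ForwardX11Trusted` settings are additions, while the host names, user and port 8022 are the placeholders used in the post.

```sshconfig
# ~/.ssh/config -- added example; the aliases "gateway" and "inner" are made up.

# Step 1: `ssh -N gateway` opens the tunnel
# (same as: ssh -L 8022:host.behind.nat:22 user@public.host.address).
Host gateway
    HostName public.host.address
    User user
    LocalForward 8022 host.behind.nat:22
    # Fail instead of connecting without the tunnel if port 8022 is taken.
    ExitOnForwardFailure yes
    # This hop only relays TCP; no X forwarding is requested on it,
    # so xauth is only needed on the inner host.
    ForwardX11 no

# Step 2: `ssh inner` in a second terminal
# (same as: ssh -X user@localhost -p 8022).
Host inner
    HostName localhost
    Port 8022
    User user
    # Store and check the inner host's key under its own name instead of
    # [localhost]:8022, which every tunnel on that port would otherwise share.
    HostKeyAlias host.behind.nat
    ForwardX11 yes
    # Keep forwarded X clients untrusted (-Y is the trusted variant).
    ForwardX11Trusted no
```

With the tunnel up, `echo $DISPLAY` and `xauth list` on the inner host are the checks quoted earlier in the thread. The gateway's sshd must permit TCP forwarding for step 1 to work.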



