LinuxQuestions.org > Linux - Enterprise
X11Forwarding problem when xauth cannot write to /home mounted via NFS (https://www.linuxquestions.org/questions/linux-enterprise-47/x11forwarding-problem-when-xauth-cannot-write-to-home-mounted-via-nfs-4175601003/)

mageician 03-03-2017 11:32 AM

X11Forwarding problem when xauth cannot write to /home mounted via NFS
 
In our organization we use about a hundred openSUSE clients connected to one central server that acts as file and authentication server (let's call this machine "mainserver"). Home directories for all users are mounted via NFS on the local clients. One of these clients acts as a gateway and allows users to log in using SSH to do some work etc. The use case at hand now is that a user wants to connect from an outside machine with X11 forwarding to this gateway machine, and I am pretty sure I have narrowed down the reason it does not work to the following: xauth normally writes an .Xauthority file to the home directory when handling sessions. However, since sshd is run as root@gateway, it doesn't have permissions to read/write files in the home directory of the user on the main server (mainserver:/home/user). I have checked all other settings with X11 forwarding that can cause problems, and the outside testing machine can connect with X11 to the mainserver itself and other machines, so that is not the issue.

Now, this could be solved by making all home directories r/w accessible by all, but that is obviously a terrible thing to do from a security point of view. Can any of you think of a workaround so I can make X11-forwarding work?

I am aware of the potential security problems with X11-forwarding in itself.

Thanks in advance! =)
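One way to keep the cookie off the NFS home entirely, added here as an example and not something posted in the thread: sshd(8) documents that when /etc/ssh/sshrc or ~/.ssh/rc exists, sshd does not run xauth itself; instead it runs that script as the logged-in user, with the "proto cookie" pair on stdin and DISPLAY in the environment, and the script must call xauth. The script below uses that hook to register the cookie in a per-user file under XDG_RUNTIME_DIR (local disk on the gateway, created per session by pam_systemd), falling back to /var/tmp. The file path, the /var/tmp fallback, the companion /etc/profile.d line and the "run only when named sshrc or rc" guard are assumptions of this example, not settings from the page.

```shell
#!/bin/sh
# Added example (not from the thread): an /etc/ssh/sshrc that stores the X11
# forwarding cookie on local disk instead of in the NFS-mounted home.
#
# Per sshd(8): if /etc/ssh/sshrc or ~/.ssh/rc exists, sshd does NOT run xauth.
# The script runs as the logged-in user, gets "proto cookie" on stdin and
# DISPLAY in its environment, and must register the cookie itself.
#
# Assumed companion setting so X clients look in the same place, e.g. in
# /etc/profile.d/xauth-local.sh:
#   export XAUTHORITY="${XDG_RUNTIME_DIR:-/var/tmp}/xauth-$(id -u)"

# Per-user cookie file on local disk. $1 optionally overrides the base directory
# (assumed layout; XDG_RUNTIME_DIR is private to the user, /var/tmp is not).
local_xauth_file() {
    dir="${1:-${XDG_RUNTIME_DIR:-/var/tmp}}"
    echo "$dir/xauth-$(id -u)"
}

# sshd sets DISPLAY=localhost:N.S for a forwarded display; xauth wants the
# entry under the name unix:N.S (same translation as the example in sshd(8)).
xauth_display_name() {
    case "$1" in
        localhost:*) echo "unix:${1#localhost:}" ;;
        *)           echo "$1" ;;
    esac
}

# Accept only MIT-MAGIC-COOKIE-1 with a hex cookie (what ssh sends in practice);
# anything else is refused rather than handed to xauth. Policy choice of this example.
valid_cookie() {
    [ "$1" = "MIT-MAGIC-COOKIE-1" ] || return 1
    case "$2" in
        "" | *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# The xauth command line that registers the cookie for the forwarded display.
# $1 = DISPLAY, $2 = proto, $3 = cookie
xauth_add_line() {
    echo "add $(xauth_display_name "$1") $2 $3"
}

# Entry point when run by sshd: read the pair from stdin and store it locally.
install_cookie() {
    if read -r proto cookie && [ -n "$DISPLAY" ] && valid_cookie "$proto" "$cookie"; then
        file=$(local_xauth_file)
        umask 077   # the cookie file must be readable by this user only
        xauth_add_line "$DISPLAY" "$proto" "$cookie" | xauth -q -f "$file" -
    fi
}

# Only act when invoked as /etc/ssh/sshrc or ~/.ssh/rc (sshd runs it as
# "sh /etc/ssh/sshrc", so $0 is that path); otherwise the functions above
# can be sourced and exercised without touching xauth.
case "$(basename "$0")" in
    sshrc|rc) install_cookie ;;
esac
```

Install it as /etc/ssh/sshrc on the gateway with xauth in the user's PATH (or pointed to by XAuthLocation in sshd_config), add the matching XAUTHORITY export to /etc/profile.d, and check with `ssh -Y gateway 'xauth list'` that the forwarded display appears. Two caveats: once the rc file exists, a script error means no cookie is installed at all, and a ~/.ssh/rc in a user's home replaces the system script for that user; and the /var/tmp fallback sits in a world-writable directory, so a predictable filename there can be pre-created by another local user, which is why the XDG_RUNTIME_DIR location is the one to rely on.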

rhamel 03-15-2017 07:13 PM

Ok, something here doesn't make sense to me. AFAIK, sshd is ALWAYS run as root.

It's not that root doesn't have write access. The user who is logging onto the target machine is not root.

Have you tried
Code:

    ssh -Y target-machine-ip-address firefox

using firefox as a test X-11 program?

I find the -Y option gets around xauth issues nicely.

Also, to get around issues with X-11 forwarding, I normally run vncserver on the target host. That way, you can get a full desktop and let vnc manage the auth issues.

Then, you can use vncviewer to connect to the desktop on the target host, or if you want it encrypted, you can use sshvnc or an ssh tunnel to start the vncviewer on the target machine.

You can run a vnc server using x11vnc or vncserver. There are a couple different ways to do it.

If you don't like vnc, you can probably run xrdp and use rdesktop to connect to that server.

It's easier to get vnc working than plain ol' X-11 forwarding using ssh, and it's more secure too.

I've done vnc various ways over the years, so if you decide to use that, I can point you in the direction of various configs that have worked for me. I set vnc up on every network I have ever managed and it works pretty well. There are other ways to do the same thing, most of which have some kind of security built in. Some of them are pretty cool, but vnc works well enough for me. YMMV.

mageician 03-16-2017 02:04 AM

Thank you for the great suggestions, Rhamel, especially since no one else seemed to give an answer in this thread - kudos to you!

Regarding sshd: yes it is always run as root, but root on the gateway machine. Since the user's home directory is on another server and only mounted via NFS on the gateway, root@gateway cannot access this home directory, only user@gateway can. Does this make sense, or do you see some way to change that?

As you suggested, for all my tests I used the -Y option since it seemed to be the most permissive, but to no avail (I also tried with -X).

However, your solution to use vnc may be a much better one, thanks for pointing me in that direction. I will try to switch to that solution instead, and if you have some pointers and tips (or links etc) on how to make good configs and/or tweaks for vnc, I would sincerely appreciate it.

rhamel 03-16-2017 08:55 AM

A tutorial on using VNC with XDMCP to improve user authentication

https://www.ibm.com/developerworks/l...insvnc/#N101F6

rhamel 03-16-2017 08:58 AM

Also, a page describing x11vnc, a vncserver with encryption built in and ssvnc, a vnc viewer with ssh tunnelling built in.

http://www.karlrunge.com/x11vnc/

I have used both of these successfully.

rhamel 03-16-2017 03:09 PM

Ok, sorry to be harping on this point. You've probably moved on from this, but I've spent the morning on this thing for another project I've been working on.

Ok, so what I've realised (really late in the game for me), is that ssvncviewer comes with a utility called 'tsvnc' which is very useful.

1. it connects to the remote host via ssh.

2. it starts up x11vnc on the remote host as the user who just logged in. Since the user then owns the session, there are no xauth problems.

3. it then starts up a vncviewer session from the local host to the x11vnc session running on the remote host as the same user.

So, on the target host, you just need to have x11vnc in the PATH of the user you will be logging in as. You don't have to set up anything else on the remote server. Well, you need to have sshd running, of course.

Since you are logging in using ssh, you can use ~/.ssh/authorized_keys to avoid entering passwords, which I always prefer.

More detail here http://www.karlrunge.com/x11vnc/ssvnc.html#tsvnc
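The manual equivalent of the three tsvnc steps above, added here as an example (it is not tsvnc itself and not code from the thread): one ssh command opens the tunnel and starts x11vnc on the gateway as the logged-in user, bound to the gateway's loopback interface, and the viewer connects through the tunnel. Assumed: x11vnc and Xvfb in the gateway user's PATH, a vncviewer that accepts the host::port form (TigerVNC syntax), and the user, host and port values in the usage line.

```shell
#!/bin/sh
# Added example (not from the thread): ssh-tunnelled x11vnc session started as
# the SSH user, so the X cookie lives in that user's own session. The VNC port
# is bound to loopback on the gateway and is reachable only through the tunnel.
# Usage (assumed values): ./vnc-session.sh alice gateway 1 5901

# VNC display N listens on TCP port 5900+N.
vnc_port() { echo $((5900 + $1)); }

# Command run on the gateway. -localhost is the security-relevant flag: without
# it x11vnc listens on every interface. -create starts a private Xvfb desktop,
# since the gateway user has no console X session; -once exits after the client
# disconnects, so nothing is left listening.
remote_x11vnc_cmd() {
    echo "x11vnc -create -localhost -once -rfbport $(vnc_port "$1")"
}

# Guard: refuse any x11vnc command line that is not loopback-bound.
loopback_only() {
    case " $1 " in *" -localhost "*) return 0 ;; esac
    return 1
}

# ssh command: forward local_port to the gateway's loopback VNC port, run x11vnc
# there, and background ssh (-f) once the tunnel is up. ssh exits when x11vnc does.
# $1 = user, $2 = gateway host, $3 = remote display number, $4 = local port
ssh_tunnel_cmd() {
    user=$1 host=$2 remote_display=$3 local_port=$4
    remote_cmd=$(remote_x11vnc_cmd "$remote_display")
    loopback_only "$remote_cmd" || return 1
    echo "ssh -f -L ${local_port}:localhost:$(vnc_port "$remote_display") ${user}@${host} \"${remote_cmd}\""
}

# Open the tunnel, then point the viewer at the local end of it.
run_session() {
    cmd=$(ssh_tunnel_cmd "$1" "$2" "$3" "$4") || { echo "refusing non-loopback x11vnc" >&2; return 1; }
    echo "+ $cmd" >&2
    eval "$cmd"
    vncviewer "localhost::$4"
}

if [ $# -eq 4 ]; then
    run_session "$@"
fi
```

Key-based login in ~/.ssh/authorized_keys works unchanged here, since the only network-facing service is sshd; x11vnc never accepts a connection that did not arrive through the tunnel.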

