LinuxQuestions.org
Old 01-31-2003, 10:56 AM   #1
Syncrm
Member
 
Registered: Aug 2001
Location: Lansing, Michigan
Distribution: slackware8+
Posts: 472

Rep: Reputation: 30
VNC and SSH Tunnel


hello all,
this question has been asked before, but after doing numerous searches here and on google i'm still coming up short on an answer.

i'd like to establish a vnc connection in order to run some X applications (file sharing agents). i'm connecting from within an internal network (10.x.x.x) to my network, which runs a firewall (IP MASQ) and forwards ports to specified machines. my workstation in the office is a winxp system (putty ssh client), and i'm attempting to connect to a slack8.1 box. btw, this all needs to be done remotely, as my network is some 3 hours away and i only go back there once every 10 days.

thus far, what i've done is this:
connect with putty. specified port 5901 in the ssh tunnel source, and my.network.com:5955 as the destination.
got the vnc binaries, and started vncserver (i've started it with and without X running in the background).
started up the windows vncviewer binary, and attempted to connect to "localhost:1".

i've tried different variations... but this seems the most promising. when i attempt to connect with the configuration above, the vncviewer process on my windows system hangs up and the process will eventually die.

so at this point i'm rather confused and stuck. i'd appreciate any advice offered. :-)
 
Old 01-31-2003, 11:03 AM   #2
rockdw
Member
 
Registered: Nov 2002
Location: Chicago, IL
Distribution: Gentoo, CentOS
Posts: 62

Rep: Reputation: 15
Try localhost:5901 - to reference the ssh tunnel, you need to use the whole port value, not just the display value. Another tack you could take with this is using cygwin's port of ssh and XFree86 and do it via X11Forwarding, rather than using VNC.
 
Old 01-31-2003, 02:51 PM   #3
Syncrm
Member
 
Registered: Aug 2001
Location: Lansing, Michigan
Distribution: slackware8+
Posts: 472

Original Poster
Rep: Reputation: 30
thanx. i decided to try the cygwin approach, as it seemed to be a little more of what i was looking for.

i got cygwin installed on my workstation, and can open up xterm to ssh into my network at home. i have enabled x11 forwarding in my /etc/ssh/sshd_config file. however, i still can't open up x applications from my home network.

is there something i'm missing?
 
Old 01-31-2003, 03:24 PM   #4
nxny
Member
 
Registered: May 2002
Location: AK - The last frontier.
Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer
Posts: 771

Rep: Reputation: 30
What you have done is authorize X Forwarding on the server side.

You will have to edit the client conf file ssh_config ( on the cygwin side ) or use ssh -X -l<you> <yourserver> for it to work.
 
Old 01-31-2003, 03:49 PM   #5
Syncrm
Member
 
Registered: Aug 2001
Location: Lansing, Michigan
Distribution: slackware8+
Posts: 472

Original Poster
Rep: Reputation: 30
i've done that... however, when i log into my networking, using:

ssh -X -l root blah.com

i get the following error after i authenticate:

Warning: No xauth data; using fake authentication data for X11 forwarding.

ideas? :-)
 
Old 01-31-2003, 04:07 PM   #6
rockdw
Member
 
Registered: Nov 2002
Location: Chicago, IL
Distribution: Gentoo, CentOS
Posts: 62

Rep: Reputation: 15
That's just a warning. It comes up because the cygwin environment doesn't have a true xauth setup. The X11 Forwarding will still work. Have you tried running any X apps anyway?

Also, make sure you are actually using an X server so it has somewhere to display to. You should be running /usr/X11R6/bin/startxwin.sh or startxwin.bat to accomplish that.

One more thing, those scripts just run XWin.exe with a couple other items. Try changing the XWin.exe line to include the -rootless option. It will start the X server without the root window. I guarantee you will think it's REALLY cool ;-)
 
Old 01-31-2003, 04:23 PM   #7
Syncrm
Member
 
Registered: Aug 2001
Location: Lansing, Michigan
Distribution: slackware8+
Posts: 472

Original Poster
Rep: Reputation: 30
unfortunately, it's still not working. i had tried to start an x app (like emacs) but without any success.

i was executing the .bat file:

Code:
:STARTUP

REM
REM Startup the programs
REM

REM Startup the X Server.
start XWin -rootless

REM Startup an xterm, using bash as the shell.
run xterm -sl 1000 -sb -rightbar -ms red -fg yellow -bg black -e /usr/bin/bash

REM Startup the twm window manager.
run twm

REM Set a background color.
run xsetroot -solid aquamarine4

should or shouldn't i have X running on the machine before i ssh into it from cygwin? logic would suggest i not have it running, but you never know.

and you're right, i really do like the -rootless option much better. much easier to work with. :-)

Last edited by Syncrm; 01-31-2003 at 04:25 PM.
 
Old 01-31-2003, 04:38 PM   #8
nxny
Member
 
Registered: May 2002
Location: AK - The last frontier.
Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer
Posts: 771

Rep: Reputation: 30
Quote:
Originally posted by Syncrm
i've done that... however, when i log into my networking, using:

ssh -X -l root blah.com

i get the following error after i authenticate:

Warning: No xauth data; using fake authentication data for X11 forwarding.

ideas? :-)

First of all, you should NEVER allow a direct remote login as root. The first thing would be to disable root login on the server side by saying PermitRootLogin no. You should also stick to pubkeyauth and disable passwd auth if you haven't already done so. Login as a regular user and 'su -' whenever you want to become root. It may also cause problems if you login as root, since root's Xauthority data is usually not stored in ~/.Xauthority.

You should have an X server running on the ssh client side before you attempt running an x client program on the ssh server side. Have a look at the following URLs for the underlying concepts.
http://www.manualy.sk/seminar/Papers96/ssh/x11.html
http://csociety.ecn.purdue.edu/~sigo...sh/forwarding/

Last edited by nxny; 01-31-2003 at 04:42 PM.
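The server-side settings named in the post above (PermitRootLogin, password versus public-key authentication) plus the X11Forwarding switch this thread depends on, checked by a small script. This is an added example, not code from the thread; the function names and the sample configuration are constructed, and the defaults in the table are assumed to be those of a current OpenSSH release.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the global section of an
# sshd_config. Keywords are case-insensitive and the first value obtained
# wins, as sshd_config(5) specifies. Match blocks and Include files are not
# evaluated (assumption: the settings live in the main file).

# sshd_effective KEY DEFAULT FILE -> effective value, lowercased
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # comments, "key=value"
        tolower($1) == "match" { exit }                # global section only
        tolower($1) == key && NF >= 2 { val = tolower($2); exit }
        END { print val }
    ' "$3"
}

# audit_sshd FILE -> one line per setting, then "warnings=N".
# Table columns: keyword, current OpenSSH default, value advised in post #8
# (X11Forwarding yes is what the original poster needs for ssh -X).
audit_sshd() {
    warn=0
    while read -r key def want; do
        got=$(sshd_effective "$key" "$def" "$1")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "WARN $key is '$got', wanted '$want'"
            warn=$((warn + 1))
        fi
    done <<EOF
PermitRootLogin prohibit-password no
PasswordAuthentication yes no
PubkeyAuthentication yes yes
X11Forwarding no yes
EOF
    echo "warnings=$warn"
}

# Constructed sample resembling the setup described in the thread.
sample_sshd_config() {
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
        '#PasswordAuthentication no' 'X11Forwarding yes' 'x11forwarding no'
}

tmp=$(mktemp)
sample_sshd_config > "$tmp"
audit_sshd "$tmp"
rm -f "$tmp"
```

On a live server, running `sshd -T` as root prints the effective configuration that sshd itself would use, which also covers Match and Include handling.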
 
Old 01-31-2003, 05:05 PM   #9
Syncrm
Member
 
Registered: Aug 2001
Location: Lansing, Michigan
Distribution: slackware8+
Posts: 472

Original Poster
Rep: Reputation: 30
yeah, i've heard the whole "never log in as root" argument a hundred times. i'm very paranoid about security, but am also very confident in my network security. port 22 forwards to a "gateway" box which doesn't have any sensitive information. any servers which do have info on them i want to protect use separate passwds. i'm not a newbie to *nix systems by any means, but most everything i do is from console or ssh. i'm just interested in this so i can use X applications like file sharing agents which don't really exist for console.

anyway, onward with the problem. i created a normal user and ssh'ed in as that user. when i attempted to type "xhost +" it would not work. same with xterm or any other x app.
 
Old 01-31-2003, 05:10 PM   #10
rockdw
Member
 
Registered: Nov 2002
Location: Chicago, IL
Distribution: Gentoo, CentOS
Posts: 62

Rep: Reputation: 15
After running startxwin.bat, you should be getting an xterm. Try running ssh -v -X user@machine (user@ is an alternate for -l user)
This will run ssh in verbose mode and will give you a LOT more information about what is going on. If it's not obvious what is wrong at that point, post the results for the rest of us to look at it.
 
Old 01-31-2003, 05:39 PM   #11
nxny
Member
 
Registered: May 2002
Location: AK - The last frontier.
Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer
Posts: 771

Rep: Reputation: 30
Quote:
Originally posted by Syncrm
yeah, i've heard the whole "never log in as root" argument a hundred times. i'm very paranoid about security, but am also very confident in my network security. port 22 forwards to a "gateway" box which doesn't have any sensitive information. any servers which do have info on them i want to protect use separate passwds. i'm not a newbie to *nix systems by any means, but most everything i do is from console or ssh. i'm just interested in this so i can use X applications like file sharing agents which don't really exist for console.

anyway, onward with the problem. i created a normal user and ssh'ed in as that user. when i attempted to type "xhost +" it would not work. same with xterm or any other x app.

Well, I told you because I'm paranoid about security issues too. If you are an experienced *nix user, you may understand that there is no such thing as absolute network security apart from physical disconnection to the network. And the possibility of a direct root login is something that every script kiddie out there would consider a golden opportunity. The odds that they can spawn a root shell somehow are so much higher than otherwise. And a million network admins would swear by it. Your call.

After you logon as the normal ssh user with X forwarding enabled, type xauth list at the prompt. And post what the DISPLAY env variable holds.

Try a simple xclient such as xeyes. And post the literal error message. Like rockdw suggested, increasing the verbosity of the ssh connection will also help if something isn't right.
 
Old 02-01-2003, 11:50 AM   #12
Syncrm
Member
 
Registered: Aug 2001
Location: Lansing, Michigan
Distribution: slackware8+
Posts: 472

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by nxny
Well, I told you because I'm paranoid about security issues too. If you are an experienced *nix user, you may understand that there is no such thing as absolute network security apart from physical disconnection to the network. And the possibility of a direct root login is something that every script kiddie out there would consider a golden opportunity. The odds that they can spawn a root shell somehow are so much higher than otherwise. And a million network admins would swear by it. Your call.

well, you said it yourself... i'm not worried at all about script kiddies. the fact is that the best security is good password management, tight firewalling (i only allow ssh connections from trusted hosts), and minimizing your services which send plain text passwords across open networks (ftp, imap, pop3, apache auth w/o ssl). though i appreciate the advice, it's something i've heard a thousand times. in fact, many of the people who gave me the advice have since been hacked. :-)

anyway, back to the problem. :-) i decided to take one variable out of the equation and booted my laptop into slack so i could have a true x11 running. i logged into my network from aterm like so:

ssh -X -v -l jeff my.network.com

and this was the most interesting portion of the messages:

jeff@my.network.com's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384

this was the output of xauth (before cmd prompt):

Using authority file /home/jeff/.Xauthority

but .Xauthority is an empty file. my DISPLAY variable is still "" . and when i attempt to start up some sort of X app, i get this error message:

jeff@aya:~$ xeyes
Error: Can't open display:

so i'd say the problem definitely lies on the server end, since i'm running a real x11 environment now. hmmmmmm
 
Old 02-01-2003, 05:31 PM   #13
nxny
Member
 
Registered: May 2002
Location: AK - The last frontier.
Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer
Posts: 771

Rep: Reputation: 30
Quote:
Originally posted by Syncrm
, it's something i've heard a thousand times. in fact, many of the people who gave me the advice have since been hacked. :-)

Sorry to hear that you have had to hear it a thousand times and you *still* haven't understood. You've been lucky, because no one really wanted to break into your machine so bad. Let us leave it at that.

Regarding your problem:

I have ssh-ed from my redhat desktop and even remotely to my Laptop on Slack, running sshd at port 22. And I have configured kernels with make xconfig using X11forwarding. So believe me, if I can do it and you can't, I'm sure it is in the basics somewhere.

Boot up your laptop, logon as jeff. startx.
From within your aterm, do

Code:
xauth list;echo $DISPLAY;echo $XAUTHORITY
and post what you see.

Also make sure that sshd is listening at 22 by running

Code:
netstat -ntla

Now try ssh -X localhost and see if you can run xeyes from within the new shell.
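
The session checks requested in this thread (the DISPLAY value and the `xauth list` output inside the ssh session), combined into one function as an added example that is not part of the thread. It assumes sshd's usual proxy display form such as `localhost:10.0` and `xauth list` lines of the form `host/unix:N  MIT-MAGIC-COOKIE-1  <hex>`; the function name and sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread.
# x11_forward_state DISPLAY_VALUE XAUTH_LIST_TEXT
# Prints one of:
#   no-display   DISPLAY is empty: sshd set up no forwarding for this
#                session (the state posted in #12).
#   bad-display  DISPLAY has no numeric display number.
#   no-cookie    DISPLAY is set but xauth holds no cookie for that number,
#                so X clients will be refused.
#   ok           DISPLAY and a matching MIT-MAGIC-COOKIE-1 entry both exist.
x11_forward_state() {
    [ -n "$1" ] || { echo "no-display"; return 0; }
    num=${1##*:}      # drop the host part up to the last ':'
    num=${num%%.*}    # drop the optional ".screen" suffix
    case $num in
        ''|*[!0-9]*) echo "bad-display"; return 0 ;;
    esac
    if printf '%s\n' "$2" | awk -v n="$num" '
        $2 == "MIT-MAGIC-COOKIE-1" && $1 ~ (":" n "$") { found = 1 }
        END { exit !found }'
    then
        echo "ok"
    else
        echo "no-cookie"
    fi
}

# Constructed samples (not from the thread): a working forwarded session.
sample_display='localhost:10.0'
sample_cookies='aya/unix:10  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

# Run inside the ssh session to classify the live environment.
cookies=$(xauth list 2>/dev/null || true)
echo "this session: $(x11_forward_state "${DISPLAY:-}" "$cookies")"
echo "sample:       $(x11_forward_state "$sample_display" "$sample_cookies")"
```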
 
Old 04-06-2003, 05:46 PM   #14
shadowdark
LQ Newbie
 
Registered: Apr 2003
Location: Midwest, USA
Posts: 1

Rep: Reputation: 0
I just ran through similar troubles and figured out that I needed to set ForwardX11 yes in my client .ssh/config

Once I did that I was golden.
Hope it helps.
 
  


All times are GMT -5.