X11 forwards and libwrap support
Ed Phillips
ed at UDel.Edu
Fri Nov 16 02:52:58 EST 2001
On Thu, 15 Nov 2001, Osmo Paananen wrote:
> Date: Thu, 15 Nov 2001 13:59:57 +0200
> From: Osmo Paananen <osmo.paananen at sonera.com>
> To: Markus Friedl <markus at openbsd.org>
> Cc: Osmo Paananen <odie at rotta.media.sonera.net>, openssh-unix-dev at mindrot.org,
> openssh at openbsd.org
> Subject: Re: X11 forwards and libwrap support
>
> > it's about complexity.
> > currently: the x11 proxy listens to inaddr-any.
> > nice to have: listen to localhost or inaddr-any.
>
> Did I understand correctly, that openssh's x11 forwards do not
> support unix-domain sockets? And that some applications revert to
> unix domain sockets if the display is localhost:*?
>
> Then I think that just converting openssh to use localhost
> as the interface for the forwarded x11 tcp socket is not the solution.
>
> Or if it is then support for the unix-domain sockets is required, too.
>
> > other options: too much complexity/code/bugs in openssh.
>
> tcp-wrapper is already included, would it really add too much
> complexity to use it with the x11-forwards?

This doesn't work in OpenSSH? I hadn't realized...

I always used the "sshdfwd-X11" service in /etc/hosts.allow to control
forwarding with ssh-1.2.x... although I always thought it was confusing
the way it was implemented. Putting something like:

    sshdfwd-X11: thishost.do.dum

... to enable forwarding for everything seemed kinda strange. OpenSSH has
the "X11Forwarding yes" switch in sshd_config that would do the same
thing.

What I'd like is to control what hosts we allow forwarding TO in
/etc/hosts.allow instead of forwarding FROM. I guess I'm just too dense
to understand how it works in detail... :-(

Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
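
The two listen choices contrasted in the quoted text (inaddr-any versus localhost), as an added example that is not part of the original message and is not OpenSSH code. The helper names `x11_listener` and `listens_on_any` are hypothetical, and the sketch assumes IPv4 only.

```c
/* Added example: constructed helpers, not OpenSSH source. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: open a TCP listener for a forwarded display.
 * localhost_only = 0 -> INADDR_ANY (reachable on every interface)
 * localhost_only = 1 -> 127.0.0.1  (reachable only from this host)
 * port 0 lets the kernel pick a free port; an X11 proxy would use
 * 6000 + display number. Returns the socket, or -1 on error. */
int x11_listener(int localhost_only, unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(localhost_only ? INADDR_LOOPBACK : INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if the listener is bound to the wildcard address (network-exposed),
 * 0 if bound to a specific address, -1 on error. */
int listens_on_any(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return sa.sin_addr.s_addr == htonl(INADDR_ANY);
}

int main(void)
{
    int any = x11_listener(0, 0), lo = x11_listener(1, 0);
    if (any < 0 || lo < 0) { perror("x11_listener"); return 1; }
    printf("inaddr-any listener: wildcard=%d\n", listens_on_any(any));
    printf("localhost listener:  wildcard=%d\n", listens_on_any(lo));
    close(any); close(lo);
    return 0;
}
```

A wildcard listener accepts connections arriving on any interface, so access control has to happen at accept time; a loopback listener is unreachable from other hosts in the first place.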