Status of Bugzilla #1153
Simon Vallet
svallet at genoscope.cns.fr
Wed Feb 22 04:09:16 EST 2006
On Tue, 21 Feb 2006 11:20:54 -0500
Carson Gaspar <carson at taltos.org> wrote:
> --On Tuesday, February 21, 2006 5:02 PM +0100 Simon Vallet
> <svallet at genoscope.cns.fr> wrote:
>
> Your "solution" will _break_ many sane setups. In the exact setup you
> describe (ssh from a less trusted network to a bastion host, then
> connecting to more trusted hosts), I don't _want_ the DISPLAY variable to
> have the FQDN of the _external_ interface, as nothing internal will be able
> to connect to it.
OK, I understand this is a legitimate concern, however you might want
to check the routing behaviour on your bastion host: I personally don't
see any reason why only one interface of the bastion would be reachable
from the trusted side -- we're not talking about forwarding packets to
an untrusted zone, of course.
> Or give your users init scripts that do whatever DISPLAY/xauth transforms you wish.
That was also discussed here, but we found it cleaner to solve the
problem at the SSH level instead of some ugly post-treatment hack.
> Don't break ssh for the rest of us because you have some religious belief that
> hostname() should return an ambiguous name.
Of course my purpose wasn't to break ssh for *anybody* -- I never
experienced problems reaching the "other" interface(s) of any
forwarding host, that's all. Which OS are you using?
Simon
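The "init script" transform Carson mentions, as an added illustration that is not code from this thread, from Bugzilla #1153 or from OpenSSH. It assumes sshd has set DISPLAY to hostname:N[.S] on the bastion (X11UseLocalhost no) and that the user wants internal hosts to reach the forwarded display under a different name; the hostnames bastion.example.com and bastion-int.example.net used below are made up. The rewrite of the DISPLAY string is kept in its own function so it can be checked without an X server; the xauth cookie copy is the part that actually makes the renamed display usable.

```shell
#!/bin/sh
# Added illustration, not code from this thread, from Bugzilla #1153 or from
# OpenSSH. After logging in to a bastion with X11 forwarding, rewrite DISPLAY
# from the name sshd chose (hostname:N[.S]) to the name internal hosts should
# use, and copy the xauth cookie so X clients reached over that name still
# authenticate. Hostnames used in comments/tests are invented.

# rewrite_display DISPLAY NEWHOST
# Prints NEWHOST:N[.S], keeping the display number and optional screen.
# The host part of DISPLAY may be empty (":10"), "localhost" or an FQDN;
# IPv6 literals containing ':' are not handled.
rewrite_display() {
    display=$1
    newhost=$2
    case $display in
        *:*) ;;
        *)  printf 'rewrite_display: no display number in "%s"\n' "$display" >&2
            return 1 ;;
    esac
    rest=${display##*:}          # "10.0" or "10"
    case $rest in
        ''|*[!0-9.]*|.*|*.)
            printf 'rewrite_display: bad display number in "%s"\n' "$display" >&2
            return 1 ;;
    esac
    printf '%s:%s\n' "$newhost" "$rest"
}

# copy_xauth_cookie OLDDISPLAY NEWDISPLAY
# Reads the MIT-MAGIC-COOKIE-1 entry sshd registered for OLDDISPLAY and adds
# the same cookie under NEWDISPLAY, so clients using the new name get through.
copy_xauth_cookie() {
    old=$1
    new=$2
    command -v xauth >/dev/null 2>&1 || { echo "xauth not found" >&2; return 1; }
    # "xauth list <display>" prints:  <display>  <protocol>  <hexkey>
    xauth list "$old" | while read -r _ proto key; do
        [ -n "$key" ] || continue
        xauth add "$new" "$proto" "$key"
    done
}

# Only act when run as a script with --apply; sourcing it just defines the
# functions (usage: . ./display-rewrite.sh, or ./display-rewrite.sh --apply FQDN).
if [ "${1:-}" = "--apply" ]; then
    internal_name=${2:?usage: $0 --apply INTERNAL_FQDN}
    [ -n "${DISPLAY:-}" ] || { echo "DISPLAY is not set" >&2; exit 1; }
    newdisplay=$(rewrite_display "$DISPLAY" "$internal_name") || exit 1
    copy_xauth_cookie "$DISPLAY" "$newdisplay" || exit 1
    export DISPLAY=$newdisplay
    echo "DISPLAY=$DISPLAY"
fi
```

Because the script changes DISPLAY in its own process, it has to be sourced (or its output eval'd) from the user's shell profile to take effect; running it as a child process only prints the new value. The cookie copy is the security-relevant step: without it, anything connecting to the renamed display is refused by the X server, which is exactly the situation where users are tempted to fall back to xhost +.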
More information about the openssh-unix-dev mailing list