secure Xapps tunnel

Jim Knoble jmknoble at pobox.com
Fri Feb 26 18:42:14 EST 2010


On 2010-02-25 10:52, Deutschem wrote:

: i want to show remote X-apps on my desktop.
: 
: now, i know from google that xhost and xauth is not the way to
: so that very secure.
: 
: now, i have a ssh_config with X forwarding enabled and a server with
: forwarding enabled, too.
: 
: now when i connect to server i read that ssh creates automaticaly a
: Xauthory file.
: So i know that this is the xauth way with supercookies etc.
: 
: but i dont want to use the xauth way, i want only tunnel xapps through
: ssh.
  [...]
: ok, now, how can i securely show xapps on my xserver with ssh ?

When X11 forwarding is turned on, OpenSSH does the following:

(1) Create a local X11 display on the remote host (usually the first
    free display beginning with "DISPLAY=:10").  This display is
    tunneled back to the originating host's display.

(2) Create a cookie in an XAUTHORITY file (usually ~/.Xauthority) on the
    remote host which allows access to the display it created on the
    remote host.

For example:

--------------------
localhost$ echo $DISPLAY
:0.0
localhost$ ssh -X -Y remotehost
remotehost$ echo $DISPLAY
:10.0
remotehost$ xauth list $DISPLAY
remotehost/unix:10  MIT-MAGIC-COOKIE-1  0d599f0ec05c3bda8c3b8a68c32a1b47
remotehost$ xterm &
(xterm appears on localhost's display ":0.0")
--------------------

The manual page explains more about '-X' and '-Y'.

(Falls das Vorgehende nicht ganz klar ist, bitte schreiben Sie mir
persoenlich, dann koennen wir auf deutsch versuchen.)

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)


More information about the openssh-unix-dev mailing list