Reply To: | Fernando M. Roxo da Motta |
Date: | Thu, 7 Dec 2006 08:49:00 -0200 |
On Wed, Dec 06, 2006 at 04:59:22PM -0600, Troy Dawson wrote:
> Alex Finch wrote:
> >I find that X11 forwarding over ssh does not work on SL 4.4. I get the
> >message
> >_X11TransSocketINETConnect() can't get address for localhost:6011: Name
> >or service not known
=================8<-----------------------------
>
> The easiest fix I know of is to edit
> /etc/ssh/ssh_config
> and add the line
> ForwardX11 yes
> I usually put it at the end, so that it looks like
>
> ForwardX11Trusted yes
> ForwardX11 yes
>
Just as additional information, the first option above
(ForwardX11Trusted) will export the DISPLAY with all, or almost all,
extensions available. See the output of the xdpyinfo(1) command on the local and
remote hosts to get the available X11 extensions. Without that option
only a few extensions are made available on the remote (X11 client)
machine and many applications fail, due to the lack of resources, with some
cryptic message that explains nothing.

Anyway, some care is necessary in order to avoid exporting all resources
to the world, as it may represent some security threat. Perhaps a
solution like:
=============8<------- cut here -----------
# Inside my network -------------------------
# This one is not trusted at all
Host noexport.at.mynet
    ForwardX11 no

# This one is not all trusted
Host partial.at.mynet
    ForwardX11Trusted no
    ForwardX11 yes

# I trust all others
Host *.at.mynet
    ForwardX11Trusted yes
    ForwardX11 yes

# Outside my network -------------------------
# The ones I trust
Host somehost.at.some.place
    ForwardX11Trusted yes
    ForwardX11 yes

# I trust "ma non troppo"
Host other.not.so.trusted
    ForwardX11Trusted no
    ForwardX11 yes

# Global Defaults
Host *
    ForwardX11 no
=============8<------- cut here -----------
Points to note in the config above, from ssh_config(5):

    Since the first obtained value for each parameter is used, more host-
    specific declarations should be given near the beginning of the file,
    and general defaults at the end.
    ...
    Host    Restricts the following declarations (up to the next Host
            keyword) to be only for those hosts that match one of the
            patterns given after the keyword. * and ? can be used as
            wildcards in the patterns. A single * as a pattern can be
            used to provide global defaults for all hosts. The host
            is the hostname argument given on the command line (i.e.,
            the name is not converted to a canonicalized host name before
            matching).

Some of these can (should?) be inside the sitewide '/etc/ssh/ssh_config'
and those that differ must be in '~/.ssh/config'. A question to ALL:
can this config be in a NIS map or some sort of LDAP directory?

One extra piece of information learned from experience: if the home directory
and/or the '~/.ssh' have insecure access permissions, the personal
configuration is silently ignored. So if you change configs and it takes
no effect, look at those permissions.

HTH
Roxo
--
---------------- Non luctari, ludare -------------------+ WYSIWYG Editor ?
Fernando M. Roxo da Motta <[log in to unmask]> | VI !!
Except where explicitly stated I speak on my own behalf.| I see text,
( Usuário Linux registrado #39505 ) | I get text !
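
Added example, not part of the original message: a small Python resolver for the "first obtained value" rule quoted from ssh_config(5), run over the configuration posted above to show which X11 settings each host ends up with. It is a simplified model that handles only `Host` blocks with the `*` and `?` wildcards; `None` means no block set the option, so ssh's built-in default applies. The helper names and the test host names `box.at.mynet` and `example.org` are made up for the illustration.

```python
import re

# Configuration from the message above, embedded so the example runs offline.
CONFIG = """\
Host noexport.at.mynet
    ForwardX11 no
Host partial.at.mynet
    ForwardX11Trusted no
    ForwardX11 yes
Host *.at.mynet
    ForwardX11Trusted yes
    ForwardX11 yes
Host somehost.at.some.place
    ForwardX11Trusted yes
    ForwardX11 yes
Host other.not.so.trusted
    ForwardX11Trusted no
    ForwardX11 yes
Host *
    ForwardX11 no
"""

def _matches(pattern, host):
    """ssh_config wildcards: '*' matches any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host) is not None

def effective(config, host, keys=("forwardx11", "forwardx11trusted")):
    """First value obtained for each key wins; None means no block set it."""
    result = dict.fromkeys(keys)
    active = True  # declarations before the first Host line apply to all hosts
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = any(_matches(p, host) for p in value.split())
        elif active and key in result and result[key] is None:
            result[key] = value.lower()
    return result

def fully_exposed(config, hosts):
    """Hosts whose X11 clients get trusted (unrestricted) access to the display."""
    want = {"forwardx11": "yes", "forwardx11trusted": "yes"}
    return [h for h in hosts if effective(config, h) == want]

if __name__ == "__main__":
    for h in ("noexport.at.mynet", "box.at.mynet", "example.org"):
        print(h, effective(CONFIG, h))
```

Note that noexport.at.mynet still picks up ForwardX11Trusted yes from the later `*.at.mynet` block; it has no effect only because ForwardX11 was already fixed to no by the earlier, more specific block.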