On Fri, 12 Oct 2001, Jay Strauss wrote: > Is this possible, I have (crappy) linksys dsl router/NAT devices set up > on other sides of the internet. Behind one is my SSH client, behind the > other is my SSH server (on my deb box):
It can be done if you can establish an ssh session from the source NAT-ed host to the destintaion NAT-ed host. > SSH SSHd > Client Debian > (putty) 192.168.5.102 > 192.168.5.100 > | | > | | > | | > | internet | > 192.168.5.254 =================== 192.168.5.254 > Linksys Linksys > NAT NAT > xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy Cool ASCII Drawing. (ME likes it) > I am able to SSH from the client to the server, but when I try to start an > xterm: Whoah! Dejavu! > 192.168.5.102:jstrauss> xterm -display xxx.xxx.xxx.xxx In this case, you are probably trying to tell the remote machine to use an X $DISPLAY that would try to connect to the NAT-ed IP address and there is no service on the NAT linksys router to perform this by default. Also, the remote host does not know how to get to your reserved network IP address used in the NAT LAN at "home". By default most new ssh clients/servers seem to be shipping with disabled X forwarding by default due to security conerns with X. > It just hangs. Now I figure I can't really send the display to the linksys > device in front of my client, but where > else can I send it? I can't send it to 192.168.5.100, cause it will try to > route to it's local LAN. Is what I'm trying impossible? I thought you > could run X through (some sort of encrypted tunnel) ssh all the way back to > the client. You can generally offer X updates/draw through an ssh session, but there are security implications with this. If you have one of the newer ssh varients (openssh or ssh2) then check the options when starting ssh. For one, I think you can add "-X" and the other you can add "-x" to explicitly state you want to tunnel X through SSH. (Not exactly sure, which is which ans which one uses "-X" for enable, but one seems to use -x for disable, so check your man pages to be sure.) Once you have enabled X through SSH, you will/should have a new env var on the remote machine called $DISPLAY. echo $DISPLAY in the shell on the remote machine to see if it is set. It will probably be a local high port like "yourhostname:11.0" You should be able to then start X apps on the remote location and have them appear on your local screen automagically. The cost of X through ssh is you will take a processor hit, and smooth graphics and video won't be so smooth. You will/should notice more lag than when you compare it to a non-encrypted session. If you are going from one NAT-ed host to another NAT-ed host, using an ssh session is the easiest way to get the stuff to yourself, but with the cost of speed and the X security issue. > One more thing, when I'm pick up my laptop and bring it home (onto the LAN > where my sshd is located). I'm able to get an xterm sent sent locally, but > how do I know its even using the ssh tunnel and not just sending it clear > text? Use a sniffer. :-) Or you can examine your env variable $DISPLAY to see if it is set to send to the remote host, or is using the localhost and then SSH. Also, I just noticed that you mention "putty" as your client side. Most of the above (-X flag for enabling X session stuff) is/was for the openssh/fsecure ports of client ssh. I have not used this client (putty), so you should check to see if it offers X11 forwarding/redirection. If it does, then make sure you have enabled this option. If this is on Windows (Win32) then you need to have an X11 Server for windows (or if on the mac, then one for the mac). If you do not have an X-Server for your windows/mac machine, i think you can get one for trial for Mac or Windows called MI/X http://tnt.microimages.com/www/html/freestuf/mix/ I used that before (or at least an earlier one) and it seemed to work for most of the things I wanted to use at the time. It was rather feature limited, but the price at the times sounded right. There was one out there called Hummingbird Exceed or soemthing like that but I think it co$t a bit more. People that have used said they liked it, but what do people know anyway? They are only human. ;-) Others here may have more up-to-date suggestions on W32 based XServers that are fresh on the menu. -ME P.S. Just found from from putty docs: http://www.tartarus.org/~simon/puttydoc/output.txt 3.16.1 X11 forwarding If your server lets you run X Window System applications, X11 forwarding allows you to securely give those applications access to a local X display on your PC. This feature will only be useful if you have an X server on your PC, such as Exceed or XWin32. To enable X11 forwarding, check the `Enable X11 forwarding' box. If your X display is not the primary display on your local machine (which it almost certainly will be unless you have deliberately arranged otherwise), you need to enter its location in the `X display location' box. Which really answers your last Q more more directly. That options should set the env var $DISPLAY on the remote machine. Check echo $DISPLAY to see if it does. -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z? ------END GEEK CODE BLOCK------ decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html Systems Department Operating Systems Analyst for the SSU Library
