XSecurity, SSH, XDMCP, xauth, etc.

For discussions about security.
s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#16 Post by s243a »

So, I got something more working with ssh. Here's a draft tutorial (will post an actual tutorial when I figure everything out). Right now, I'm doing ssh XForwarding on my local machine and displaying on a Xephyr window. The distribution I'm using is tahrpup. The point of this is to experiment with ssh XForwarding on a single machine, but it could also have applications for setting up chroot environments.

Here are the steps:
1. install openSSH via the puppy package manager.
2. optionally install xauth from the puppy package manager #May not be necessary. Need to experiment more.
3. install Xephyr from the puppy package manager.
4. install twm from the puppy package manager #Not necessary but it will work better for this than jwm.
5. edit /etc/hosts.allow as follows:

Code:

ALL: LOCAL
ALL: 127.0.0.1

The blank line at the end of the file is necessary.
Configure your ssh client and server. My configuration files are:
/etc/ssh/sshd_config #for the server
/etc/ssh/ssh_config #for the client

Click on the above links to see my configuration. My configuration files at this point are fairly permissive because I'm just trying to get things working.

6. Start Xephyr. Here is the script that I created to do so:

Code:

#!/bin/bash
set -xv
exec &> /mnt/sdc6/start_Xephyr.log
export HOME=${HOME:-/root}
export NESTDISPLAY=${NESTDISPLAY:-':10'}
export DISPLAY=${DISPLAY:-':0'}
exec /usr/bin/Xephyr \
  -ac "$NESTDISPLAY" -screen 768x768 -reset -terminate  \
  -nolisten inet6 -keybd ephyr,,,xkbmodel=pc102,xkblayout=us,xkbrules=xorg,xkboption=keypad:pointerkeys,terminate:ctrl_alt_bksp
Use "setxkbmap -query" to adapt the script to your keyboard. Also, as noted above, for better security remove the -ac option and specify the location of the Xauthority file. However, it might be better to try to make things work first before tightening up the security.

7. Start the ssh server:

Code:

/etc/init.d/ssh start
8. Connect to the ssh server

Code:

ssh -Y root@127.0.0.1
Either the -Y or -X option should work to give X11 Forwarding but in my case it isn't doing anything because I get this error:

Code:

Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
You can try doing the following before logging in with ssh

Code:

export DISPLAY=:10
but this didn't work for me. All is not lost. Make sure the display variable is set with the above export statement and then type

Code:

twm & #if you want you can use a different window manager such as jwm but twm is better here. 
and hit enter twice.

It seems that in an ssh shell I have to start the window manager first, but if I do it in a regular console the order doesn't seem to matter. You can now start other apps:

Code:

geany &
or

Code:

rox &
I'll figure out later how to start them without having to press enter twice.
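Taking up the note in step 6 about dropping -ac and pointing Xephyr at an Xauthority file, here is a hardened version of the start script as an added example (not s243a's script): access control stays on, a fresh MIT-MAGIC-COOKIE-1 goes into a private auth file, and the TCP listener is disabled. It assumes Xephyr, xauth and mcookie (or /dev/urandom) are installed; the file name start_xephyr.sh and the XEPHYR_AUTH variable are this example's own.

```shell
#!/bin/bash
# Added example, not the poster's script: start the nested Xephyr display
# with access control left on (no -ac), a fresh MIT-MAGIC-COOKIE-1 in a
# private auth file, and no TCP listener. Assumes Xephyr, xauth and mcookie
# (or /dev/urandom) are installed; the file names below are this example's.
set -eu

NESTDISPLAY="${NESTDISPLAY:-:10}"
AUTHFILE="${XEPHYR_AUTH:-${HOME:-/root}/.Xephyr-${NESTDISPLAY#:}.auth}"

# 128-bit random cookie as 32 hex digits, the form xauth expects.
make_cookie() {
    if command -v mcookie >/dev/null 2>&1; then
        mcookie
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# Refuse anything that is not exactly 32 lowercase hex digits.
cookie_ok() {
    case "$1" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#1}" -eq 32 ]
}

# Create the auth file with mode 0600 and register the cookie for the display.
write_auth() {
    local cookie="$1" file="$2" disp="$3"
    ( umask 077; : > "$file" )
    xauth -f "$file" add "$disp" MIT-MAGIC-COOKIE-1 "$cookie"
    printf '%s\n' "$file"
}

main() {
    local cookie
    cookie=$(make_cookie)
    cookie_ok "$cookie" || { echo "cookie generation failed" >&2; exit 1; }
    write_auth "$cookie" "$AUTHFILE" "$NESTDISPLAY" >/dev/null
    # Clients started from the ssh session need the same file, e.g.
    #   XAUTHORITY="$AUTHFILE" DISPLAY="$NESTDISPLAY" twm &
    exec /usr/bin/Xephyr "$NESTDISPLAY" -auth "$AUTHFILE" -nolisten tcp \
        -screen 768x768 -reset -terminate
}

# Only start the server when run as start_xephyr.sh; the helpers above can
# then be sourced or tested without launching anything.
case "${0##*/}" in start_xephyr.sh) main ;; esac
```

Without -ac, a client that does not present the cookie from the auth file is rejected by Xephyr, and without a TCP listener the display is only reachable through its Unix socket on the local machine.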

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#17 Post by s243a »

Some notes for me. You can see which ports are being used by X11 as follows:

Code:

root# netstat -atunp
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:6010   0.0.0.0:*        LISTEN  24423/Xephyr
https://askubuntu.com/questions/90920/x ... -listening

I was able to solve some errors with xauth by adding
to ~/.profile the following:

Code:

case $DISPLAY:$XAUTHORITY in
  :*:?*)
    # DISPLAY is set and points to a local display, and XAUTHORITY is
    # set, so merge the contents of `$XAUTHORITY` into ~/.Xauthority.
    XAUTHORITY=~/.Xauthority xauth merge "$XAUTHORITY";;
esac
https://unix.stackexchange.com/question ... 0126#10126

If I start Xephyr on display :10, ssh forwarding seems to use the next available display for the forwarding. So if my sshoffset is 10, then DISPLAY=:11 would be the next available. The display variable looks like this:

Code:

echo "$DISPLAY"
puppypc25156:11.0
which is in the format (HOSTNAME:DISPLAY:SCREEN).

This isn't a valid format for the display input to Xephyr. Rather Xephyr should be called like

Code:

Xephyr :11
if we actually wanted to use display 11, which we don't. One could get the host name as follows:

Code:

DISPLAY_HOST="${DISPLAY%%:*}"   # strip ':display.screen'; leaves e.g. puppypc25156
and IP address as follows:

Code:

IP_Addr=$(getent hosts "${DISPLAY%%:*}" | cut -d' ' -f1)   # host part of $DISPLAY, resolved via /etc/hosts
https://serverfault.com/questions/49850 ... -etc-hosts
Note that the host command won't work because it doesn't look in your hosts file. Instead it does a direct DNS lookup, and even if you installed either bind or dig, the host command won't work because the libgost.so library is missing from the openssh package in tahrpup. This can be fixed by installing libssl1.0.0 from ubuntu.com but, as I noted, it wouldn't be what we want anyway.
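The DISPLAY format and the netstat listing above, worked as an added example (not s243a's code): helpers that split a display string into host, number and screen the way X clients do, map a display number to its TCP port (6000 + number, which is why Xephyr :10 shows up as 6010), and an audit over netstat output that flags X sockets bound to a network-facing address. The sample netstat text is constructed; only the Xephyr line is the one from the post.

```shell
#!/bin/bash
# Added example, not the poster's code: split $DISPLAY the way X clients do
# (HOST:NUMBER.SCREEN, e.g. puppypc25156:11.0) and audit netstat output for
# listening X server sockets. The netstat sample below is constructed.

# Host part of a display string ("" means a local display such as :10).
x_display_host() { printf '%s\n' "${1%%:*}"; }

# Display number: text after the first ':' and before the optional '.screen'.
x_display_number() { local d="${1#*:}"; printf '%s\n' "${d%%.*}"; }

# Screen number, defaulting to 0 when there is no '.screen' part.
x_display_screen() {
    local d="${1#*:}"
    case "$d" in
        *.*) printf '%s\n' "${d#*.}" ;;
        *)   printf '0\n' ;;
    esac
}

# TCP port for a display is 6000 + NUMBER: Xephyr :10 listens on 6010 and a
# forwarded display :11 would be 6011.
x_display_port() { echo $(( 6000 + $(x_display_number "$1") )); }

# Report every listening X socket (ports 6000-6063) in `netstat -atunp`
# output as "display=:N bind=ADDR scope=... prog=PID/NAME". A socket bound
# to 0.0.0.0 is reachable from the network; combined with an -ac server that
# lets any host connect to the display.
x_sockets_audit() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (port >= 6000 && port <= 6063) {
                scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "NETWORK"
                printf "display=:%d bind=%s scope=%s prog=%s\n", port - 6000, addr, scope, $7
            }
        }'
}

# Constructed sample in the layout the post shows (the Xephyr line is the
# one from the post; the sshd lines are made up for this example).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:6010   0.0.0.0:*        LISTEN  24423/Xephyr
tcp        0      0 127.0.0.1:6011 0.0.0.0:*        LISTEN  24500/sshd
tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN  24400/sshd'

x_sockets_audit "$SAMPLE_NETSTAT"
```

Run against live `netstat -atunp` output, the audit separates sshd's loopback-only forwarded display from a Xephyr started with -ac on all interfaces.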
