X11 forwarding--with a wrinkle

Hi all,

I have a slightly odd situation in using X11 forwarding, possibly unsolvable, but I want to hear that from the experts. Starting from my home machine, I need to multi-hop to reach my workstations in my office. First I ssh to the accessible "gateway" machine inside the firewall, then must connect to a "portal" machine that provides an inner gateway to the networks in my building, from which I can then connect to my office workstations. The problem is with the inner "portal" machine, which in principle allows X forwarding, and the server is configured to do the right thing, but this machine has been set up in a minimalist fashion, so that anybody connecting to it is expected to be doing so purely to connect to a machine in the building network. For this reason, all logins go to the same home directory, to which the user has no write permissions on files or directories. This trashes "xauth", because it can't modify the lock files in any way, so X11 authorizations fail. As a result, further ssh from this machine inward to my office is stripped of the X11 connection, and I can't access X apps on the innermost machines. Is there any type of tunnelling trick that might allow me to "sneak" the X11 access through this machine without having to deal with xauth? From my readings, I suspect not, because I don't see any way to pass the X11 channels cleanly (or "collapse" them on entry and "re-channelize" them at the next connection) under these conditions. I'm told these portal machine constraints will be addressed "eventually", but do the experts see any way to make this possible before that?

Many thanks in advance.

Eric Henry

Using Opera's revolutionary e-mail client: http://www.opera.com/mail /

Re: X11 forwarding--with a wrinkle

You could manually configure tunnels across each link and also handle
xauth manually.  (X11 forwarding is just regular tunneling with some
automation that works in simple situations.)

When I get into multi-hop situations like this I usually punt and
configure a VPN.


Re: X11 forwarding--with a wrinkle

You could tunnel an end-to-end ssh session with X11 forwarding through a
chain of ssh sessions that don't need to do X11 forwarding. Something
like this:

1. ssh -t -L2222:localhost:2222 gateway ssh -N -L2222:final:22 portal
2. ssh -Y -p 2222 localhost

Doing X11 forwarding "by hand" using -R as suggested in the other
followup is sort-of possible, though I can't really see a way to get X
auth to work with that (enlightenment welcome). But doing without it by
means of a 'xhost +localhost' may be acceptable, depending on the

--Per Hedeland

PS You would do well to keep the length of your lines below the point
where your news-posting program folds them - your posting is almost
