Re: yet another question re: X11 tunneling via ssh
- Subject: Re: yet another question re: X11 tunneling via ssh
- From: Itai Seggev <email@hidden>
- Date: Tue, 4 Jul 2006 21:02:41 -0700
A reply to an old email while cleaning out a mail folder, since it
appears nobody replied to these.
> A few questions I have are:
>
> 1. Which port(s) does a tunneled ssh X11 connection use? It seems ssh
> uses TCP 22, and some sources indicate TCP 6000 is used for tunneled X
> connections, whereas other sources indicate TCP 6000-6010. What about
> UDP port 177? Is that at all relevant for ssh X11 tunneling? With
> the OS X firewall off in the Sharing panel of System Preferences, do I
> need to do anything else to explicitly open these ports?
A tunnelled SSH connection uses (by default) remote_machine_ip_addr:22,
localhost:6010 (on the remote machine), and xserver:random_high_number_port.
The data from the xserver to the remote machine is sent to port 22
like all the other ssh data. The ssh client on the xserver binds to a
high numbered (unprivileged) port. There is no need to open this port
because it is an outgoing connection[1]. The client program on the
remote machine opens a connection to port localhost:6010, which would
correspond to an X DISPLAY of localhost:10. However, rather than the X
server binary on the remote machine being bound to the port, an ssh
program is listening and transmitting it to random_high_number_port on
the xserver, where it gets rerouted to the named pipe in /etc which is
the primary access point to the xserver. Port 177 (XDMCP) is not
involved at all in this process. XDMCP is a protocol that basically
allows one xserver to enslave itself completely to the clients
(including xdm, hence the name XDM Communications Protocol). SSH
tunneling allows individual clients to talk to a server over a secure
connection.
Now everything should be clear. :)
[1] If you have a horribly misconfigured firewall this might not be
true. However, the fact that SSH works at all shows that reverse
traffic is not being blocked.
> 2. Is there a way for me to tell from the remote machine whether the
> required ports are indeed open? I do know that at least port 22 is
> open, as I can ssh back to my Mac from the remote machine.
See above.
> 3. Is there anything explicit I need to do in X11 on my Mac to enable
> listening for remote connections? When I do "netstat -a" on my local
> Mac, I see port 22 marked as "LISTEN", but I don't see anything for
> any ports in the 6000-6010 range, or for UDP 177.
Again, there is no need for UDP 177 at all. The ports in the 6000+
range are for "traditional" remote connections. These are when the
client on the remote machine contacts the xserver directly using the
_unencrypted_, built-in X communications protocol. These connections
are disabled by default on Tiger (and most modern unices) for security
reasons. Communications between the tunneled SSH programs and the X
server use unix sockets and not TCP/IP.
--
Itai
Itai Seggev, University of Mississippi, Department of Physics and Astronomy
In 1997 a group of programmers started writing a desktop environment
to fix a travesty they didn't create. Their program promptly found
its way onto un*x systems everywhere. Today, still opposed by a
software monopolist, they survive as soldiers of fortune. If you share
their vision, if you know you can help, and if you can connect to
the internet, maybe you can join... the K-Team.
X11-users mailing list (email@hidden)
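The port arithmetic and the netstat check discussed in the message above, as an added example that is not part of the original post and not OpenSSH's or X11's own code: a POSIX shell script that maps a DISPLAY string to the TCP port or Unix socket it implies, and audits `netstat -an` output for listeners in the X11 port range, separating sshd's loopback-only forwarding port (the 127.0.0.1:6010 behind DISPLAY localhost:10) from an X server or forwarder exposed on a wildcard address. The rule port = 6000 + display number, the /tmp/.X11-unix/X<n> socket path, the 6000-6063 range, and the two netstat address formats handled (macOS "127.0.0.1.6010" and Linux "127.0.0.1:6010") are my assumptions, and the netstat excerpt in the script is constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH/X11.
# Assumptions (mine): X over TCP uses port 6000 + display number; the local
# X server's Unix socket is /tmp/.X11-unix/X<n>; `netstat -an` prints local
# addresses macOS-style (127.0.0.1.6010, *.6000) or Linux-style
# (127.0.0.1:6010, 0.0.0.0:6000), with LISTEN as the last field.

# display_transport DISPLAY
#   "localhost:10.0" -> "tcp localhost 6010"     (sshd's forwarding listener)
#   ":0"             -> "unix /tmp/.X11-unix/X0" (the real X server, no TCP)
display_transport() {
    disp=$1
    host=${disp%%:*}      # text before the first ':'; empty means local socket
    rest=${disp#*:}       # "10.0" or "10"
    num=${rest%%.*}       # display number with the screen suffix dropped
    case $num in
        ''|*[!0-9]*) echo "bad DISPLAY: $disp" >&2; return 2 ;;
    esac
    if [ -z "$host" ] || [ "$host" = unix ]; then
        echo "unix /tmp/.X11-unix/X$num"
    else
        echo "tcp $host $((6000 + num))"
    fi
}

# audit_x11_listeners < netstat-an-output
#   Prints one line per LISTEN socket on TCP 6000-6063. Loopback-bound ones are
#   what sshd's X11 forwarding creates (127.0.0.1:6010 for DISPLAY localhost:10);
#   anything on a wildcard or routable address is an unencrypted X11 endpoint
#   reachable from the network. Returns 1 if any exposed listener is found.
audit_x11_listeners() {
    awk '
    $NF == "LISTEN" {
        local = $4
        n = split(local, parts, /[.:]/)   # port is the last component
        portstr = parts[n]
        port = portstr + 0
        if (port < 6000 || port > 6063) next
        host = substr(local, 1, length(local) - length(portstr) - 1)
        if (host == "127.0.0.1" || host == "::1" || host == "localhost") {
            printf "ok       %-20s loopback only (DISPLAY localhost:%d)\n", local, port - 6000
        } else {
            printf "EXPOSED  %-20s reachable from the network, unencrypted X11\n", local
            exposed = 1
        }
    }
    END { exit exposed ? 1 : 0 }'
}

# Constructed `netstat -an` excerpt for a demo run (not real output); it mixes
# the macOS and Linux address formats on purpose.
SAMPLE_NETSTAT='tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.6010         *.*                    LISTEN
tcp6       0      0  ::1.6011               *.*                    LISTEN
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN'

# Demo: the usual forwarded DISPLAY, then the audit. On a real host, after
# sourcing this file:  netstat -an | audit_x11_listeners
display_transport 'localhost:10.0'
printf '%s\n' "$SAMPLE_NETSTAT" | audit_x11_listeners || echo "exposed X11 listener(s) found"
```

Run as-is for the demo, or source the file and pipe live `netstat -an` into audit_x11_listeners. An "ok" line for 127.0.0.1.6010 is what the remote side of an `ssh -X` session should show; an EXPOSED line for *.6000 or 0.0.0.0:6000 means the X server itself is accepting unencrypted TCP connections, and an EXPOSED line on 6010 and up means a forwarding port has been bound to all interfaces rather than loopback.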