X11 forwarding through jails

[gentleman]

Hi everybody, I am new to the forum, and I am new as BSD system administrator. I am having a problem with X11 forwarding via ssh through a jail. The configuration is the following.

A FreeBSD 8.1 machine is used as gateway between the outer world and a private local network (all linux boxes). A jail is configured such that users can log in into the jail of the gateway only. Then they can log in into some machines in the local network. Connection is through ssh. No X11 is installed in the FreeBSD machine for security reasons. The following configuration is set in /etc/ssh/sshd_conf

    AllowTcpForwarding yes
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost no

Users would connect via ssh from the outern world into the FreeBSD jail and then into the internal network. ssh works, but X11 is not forwarded, the DISPLAY variable remains unset. X11 applications are not run in the FreeBSD gateway, so it is not strictly necessary. Is X11 necessary for X11 forwarding? Is it possible to forward X11 from the internal network to the outern world without the need to install X11 in the gateway?

Hope I am not missing anything trivial.

 

[anomie]

With the caveat that I haven't played around with X11 on FreeBSD for a long time, I believe you'll need x11/xauth.

 

[gentleman]

Thanks, I imagined that the problem was the communication through Xauthority. However, we didn't install X11 in the jail in purpose for enhanced security. Can xauth be installed without the entire X11? Does it introduce security vulnerabilities of the system?

 

[anomie]

Read the manpages for ports(7), and run:

% cd /usr/ports/x11/xauth && make pretty-print-build-depends-list

% cd /usr/ports/x11/xauth && make pretty-print-run-depends-list

It's up to you and your organization to determine whether that's an appropriate level of risk for the payoff. Note that ports-mgmt/portaudit will help.

 

[gentleman]

I have installed xauth but still no success:

- xauth does not create an .Xauthority file (it is created by xdm or startx). I just copied an .Xauthority file from another machine
- when ssh -X the DISPLAY environment variable is not set. I thought that ssh managed to set DISPLAY, is the X server instead?

I guess that xauth simply adds the DISPLAY variable and corresponding cookie of the X session into .Xauthority, but doesn't generate these informations. Do I need an X server installed and running on the remote host (the jail)?

The question looks silly, but I'm not an X11 expert.

 

[gentleman]

Fixed!

Indeed the problem was that I had to explicitely tell sshd where the xauth program is located by setting the XAuthLocation in sshd_config. No need to have the X server installed, xauth is sufficient to do the job. Thanks to anomie and to the OpenSSH FAQ

http://www.openssh.org/faq.html

 

[anomie]

Not sure if it'll help, but a quick search on the 'net turned up this and this.

Their advice about sshd_config(5) directives is consistent:

X11UseLocalhost no

-------

Goodness, I was a few minutes slow. Glad it's fixed.