[FSUG PD] ssh forwarding of X with xauth

metis metis a inventati.org
Sun 8 Jul 2007 16:50:37 CEST


alex wrote:
> this afternoon I was asked for an ssh configuration that handles the
> X forwarding mentioned in the subject. Here it is:
>
> for ssh_config:
>
> Host *
>     ForwardAgent yes
>     ForwardX11 no
>     ForwardX11Trusted yes
> #   RhostsRSAAuthentication no
> #   RSAAuthentication yes
> #   PasswordAuthentication yes
> #   HostbasedAuthentication no
> #   BatchMode no
> #   CheckHostIP yes
> #   AddressFamily any
> #   ConnectTimeout 0
> StrictHostKeyChecking ask
> #   IdentityFile ~/.ssh/identity
> #   IdentityFile ~/.ssh/id_rsa
>     IdentityFile ~/.ssh/id_dsa
>     Port 22
>     Protocol 2
> #   Cipher 3des
> #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> #   EscapeChar ~
> #   Tunnel no
> #   TunnelDevice any:any
> #   PermitLocalCommand no
>     SendEnv LANG LC_*
>     HashKnownHosts yes
> #HashKnownHosts no
> #GSSAPIAuthentication yes
> #GSSAPIDelegateCredentials no
>
> ************************************
> for sshd_conf:
>
> # What ports, IPs and protocols we listen for
> Port 22
>
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
> LoginGraceTime 600
> PermitRootLogin yes
> #StrictModes yes
>
> #RSAAuthentication yes
> PubkeyAuthentication yes
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
>
>
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
> #was commented
>
> # Change to yes to enable tunnelled clear text passwords
> PasswordAuthentication no
>
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
>
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
>
>
> X11Forwarding yes
> AllowTcpForwarding yes
>
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> KeepAlive yes
> #UseLogin no
>
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> UsePAM yes
>
> ***********************
>
> one more file has to be modified:
>
> in /etc/X11/xinit/xserverrc
>
> this must be removed:
>
>  -nolisten tcp
>
>
>
>
> A.
>
> p.s.: all of this takes several things for granted, first of all that you
> like the ssh configuration I chose; in my opinion it is fairly secure, in
> the opinion of others perhaps paranoid, and others might judge it insanely
> open :)
>
> p.p.s.: I also take a basic ssh configuration for granted. If anyone wants
> a hand, give a shout.
>
> p.p.p.s.: actually this is not my default configuration, but I took the
> trouble to test it and it works well.
>
Thanks Alex

Regards
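The ssh_config / sshd_config pair quoted above is what an administrator reviews before turning X forwarding on. As an added example (not the post's own code, nor OpenSSH's), the Python below parses that "Keyword value" syntax and flags the X-forwarding-related directives; the OpenSSH defaults it assumes for absent keywords, and the embedded excerpts, are constructed from the post.

```python
# Added example (not from the post or OpenSSH): parse OpenSSH "Keyword value"
# config text and flag the X-forwarding-related settings a defender reviews.

# Assumed OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes",
            "forwardx11trusted": "no", "permitrootlogin": "yes"}

def parse_ssh_config(text):
    """Return {lowercase keyword: first value}; '#' comments are dropped and
    Host/Match headers skipped (assumes one global block, as in the post)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key not in ("host", "match"):
            conf.setdefault(key, value)  # sshd honours the first occurrence
    return conf

def audit_x11(conf):
    """Return (severity, keyword, note) findings for the X forwarding setup."""
    val = lambda k: conf.get(k, DEFAULTS.get(k, "")).lower()
    out = []
    if val("x11forwarding") == "yes":
        out.append(("info", "X11Forwarding", "sshd creates proxy displays for remote X clients"))
        if val("x11uselocalhost") != "yes":
            out.append(("warn", "X11UseLocalhost", "proxy display bound to all interfaces"))
    if val("forwardx11trusted") == "yes":
        out.append(("warn", "ForwardX11Trusted", "remote X clients get full access to the local display"))
    if val("permitrootlogin") == "yes":
        out.append(("warn", "PermitRootLogin", "direct root login over ssh is allowed"))
    return out

# Constructed samples: the relevant lines of the quoted ssh_config and sshd_conf.
SAMPLE_SSH_CONFIG = "Host *\n    ForwardX11 no\n    ForwardX11Trusted yes\n    Protocol 2\n"
SAMPLE_SSHD_CONFIG = ("Protocol 2\nPermitRootLogin yes\n#StrictModes yes\n"
                      "PasswordAuthentication no\nX11Forwarding yes\nX11DisplayOffset 10\n")

def run_audit():
    """Audit client and server excerpts together (server keywords win on clash)."""
    merged = {**parse_ssh_config(SAMPLE_SSH_CONFIG), **parse_ssh_config(SAMPLE_SSHD_CONFIG)}
    return audit_x11(merged)

if __name__ == "__main__":
    for sev, key, note in run_audit():
        print(f"[{sev}] {key}: {note}")
```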