[FSUG PD] ssh forwarding of X with xauth
metis
metis at inventati.org
Sun 8 Jul 2007 16:50:37 CEST
alex wrote:
> this afternoon I was asked for an ssh configuration that handles the
> X forwarding mentioned in the subject. Here it is:
>
> for ssh_config:
>
> Host *
> ForwardAgent yes
> ForwardX11 no
> ForwardX11Trusted yes
> # RhostsRSAAuthentication no
> # RSAAuthentication yes
> # PasswordAuthentication yes
> # HostbasedAuthentication no
> # BatchMode no
> # CheckHostIP yes
> # AddressFamily any
> # ConnectTimeout 0
> StrictHostKeyChecking ask
> # IdentityFile ~/.ssh/identity
> # IdentityFile ~/.ssh/id_rsa
> IdentityFile ~/.ssh/id_dsa
> Port 22
> Protocol 2
> # Cipher 3des
> # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> # EscapeChar ~
> # Tunnel no
> # TunnelDevice any:any
> # PermitLocalCommand no
> SendEnv LANG LC_*
> HashKnownHosts yes
> #HashKnownHosts no
> #GSSAPIAuthentication yes
> #GSSAPIDelegateCredentials no
>
> ************************************
> for sshd_conf:
>
> # What ports, IPs and protocols we listen for
> Port 22
>
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
> LoginGraceTime 600
> PermitRootLogin yes
> #StrictModes yes
>
> #RSAAuthentication yes
> PubkeyAuthentication yes
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
>
>
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
> #was commented
>
> # Change to yes to enable tunnelled clear text passwords
> PasswordAuthentication no
>
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
>
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
>
>
> X11Forwarding yes
> AllowTcpForwarding yes
>
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> KeepAlive yes
> #UseLogin no
>
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> UsePAM yes
>
> ***********************
>
> another file must be modified:
>
> in /etc/X11/xinit/xserverrc
>
> the following must be removed:
>
> -nolisten tcp
>
>
>
>
> A.
>
> p.s.: all of this takes several things for granted, first of all that you
> like the ssh configuration I chose, which in my opinion is fairly secure,
> in others' opinion perhaps paranoid, while others still might judge it
> insanely open :)
>
> p.p.s.: I am also taking a basic ssh configuration for granted. If
> anyone would like a hand, give a whistle.
>
> p.p.p.s.: actually this is not my default configuration, but I took the
> trouble to test it and it works well.
>
Thanks Alex
Regards
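
An added example, not part of either message: this Python script reads the X11-related directives from the two quoted files and reports what they mean in combination. The excerpt strings are constructed from the quoted configuration, the function names are hypothetical, and it assumes whitespace-separated directives under a single `Host *` block.

```python
# Constructed excerpts: only the X11-related directives from the quoted files.
SSH_CONFIG = """\
Host *
ForwardAgent yes
ForwardX11 no
ForwardX11Trusted yes
"""
SSHD_CONFIG = """\
X11Forwarding yes
AllowTcpForwarding yes
X11DisplayOffset 10
"""

def effective(text):
    """Map lowercased keyword -> value; the first occurrence wins, as in OpenSSH."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no setting
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(parts[0].lower(), value)  # later duplicates are ignored
    return seen

def x11_report(client_text, server_text):
    """Summarise what the pair of files means for X11 forwarding."""
    c, s = effective(client_text), effective(server_text)
    yes = lambda d, k, default: d.get(k, default).lower() == "yes"
    return {
        # False means forwarding must be requested per session (ssh -X).
        "forwarded_by_default": yes(c, "forwardx11", "no"),
        # True means remote X clients get full access to the local display.
        "trusted_when_requested": yes(c, "forwardx11trusted", "no"),
        "server_allows_x11": yes(s, "x11forwarding", "no"),
        # sshd hands out DISPLAY numbers starting at this offset.
        "first_display_number": int(s.get("x11displayoffset", "10")),
        # sshd default: the forwarded display listens on loopback only.
        "bound_to_loopback": yes(s, "x11uselocalhost", "yes"),
    }

if __name__ == "__main__":
    for name, value in x11_report(SSH_CONFIG, SSHD_CONFIG).items():
        print(f"{name}: {value}")
```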