X11 Forwarding with OpenSSH

From: Carlos Sevillano (carlos_sevillano@ureach.com)
Date: Mon Apr 12 2004 - 15:45:21 EDT


Solaris 6/8/9
OpenSSH
BoKS
X11 Forwarding

We are able to do the X11 forwarding and it works as the user
that initiates the ssh session. We ran into a problem: many of
our users that need X11 forwarding (through a firewall or DMZ)
go into the environment as their ssh IDs. After the login into
the DMZ or firewalled systems they then become another user
through SCsu, PPAK, or in rare cases su. Once they do that, they
become oracle, sybase, cduser, webadmin (any of many locked-down
functional accounts with no direct access into the account).

The problem is that once the user switches from the ssh ID to
oracle (for example or root for SAs) the X11 forwarding no
longer works. It fails with this error:

X11 connection rejected because of wrong authentication. X
connection to localhost:10.0 broken (explicit kill or server
shutdown).

Do you know how we can get around this? We have a lot of
regular users who take a functional account as an effective user
to do day to day work. The real issue for us is that many of
those accounts are locked down for audit reasons and the only
way into the account is through SCsu or PPAK. Below is a sample
of the problem.

One way for us is to set keys for those functional accounts.
However, the audit mandate is that they be closed down (in some
cases the mandate includes keystroke login as part of PPAK)...
setting keys directly defeats the security model.
When SSH no longer supports login "without passwords",
the work-around would not work because the user would be
prompted for a password on a locked-down account. Is there
another way to set your DISPLAY or get around this limitation?
The new version of BoKS uses SSH and once installed we are
required to remove openssh. That new version always asks for
a password and also breaks our work-around.

User from Unix workstation outside of firewall:

# id
uid=29560(sk29560) gid=3010(dcsadmin)

set display to Unix workstation outside of firewall:
legacy9815# DISPLAY=168.109.98.15:0.0; export DISPLAY

ssh to remote machine:
legacy9815# ssh dmz01
Last login: Tue Mar 16 16:25:32 2004 from sksun.dcs.bigcor

User matches on firewalled system:
# id
uid=29560(sk29560) gid=3010(dcsadmin)

check display on DMZ machine after sshing to it:
# echo $DISPLAY
localhost:10.0

send an xterm back through ssh X11 forwarding to workstation
outside the firewall (WORKS)!
/usr/openwin/bin/xterm &

NOW su or SCsu or PPAK into another user to do work, i.e. root,
oracle, sybase:

# nsu.ppak
Enter reason for entering this mode[80chars]:work on functional
account NDM

You have new mail.
[root @ dmz01]:/

New user ID / effective user is root (could be oracle, sybase):
# id
uid=0(root) gid=1(other)
[root @ dmz01]:/

Your display is not set (DISPLAY is not SET as this new user
(SCsu, PPAK, or su):
# echo $DISPLAY

set display to localhost:10.0 (or to anything you like)

# DISPLAY=localhost:10.0; export DISPLAY
[root @ dmz01]:/
# echo $DISPLAY
localhost:10.0

send an xterm back through ssh X11 forwarding to workstation
outside the firewall (DOES NOT WORK)!

# X connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server
shutdown).

I heard that there are force root commands. I do not know how
those work, since the users that must run the program, i.e. cduser,
oracle, must be that user and not root.

Lastly, port 6000 is closed... it must go through the X11 socket on
SSH.

Any hints or help is appreciated.

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
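An added example, not part of the original post or of any of the tools named in it, illustrating the usual cause of the quoted error and a way past it that needs neither keys nor passwords on the functional accounts: OpenSSH writes a per-session MIT-MAGIC-COOKIE-1 for the forwarded display into the login user's ~/.Xauthority, and after SCsu/PPAK/su the new effective user has a different HOME and no copy of that cookie, so the X server side of the tunnel rejects the client. The script (an assumed layout; host name dmz01 and display 10 taken from the session above, cookie values constructed) pulls the listing line for the display out of `xauth list` output and adds it under the new user:

```shell
#!/bin/sh
# Transfer the X11 forwarding cookie across a user switch.
# Added example; not the poster's or BoKS/PPAK code.

# Constructed sample of `xauth list` output as the ssh login user
# (hex cookie is made up, not a real session cookie).
SAMPLE_XAUTH_LIST='dmz01/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
dmz01:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'

# cookie_entry LISTING DISPLAYNUM
# Print the first "name protocol hexkey" line whose display number
# matches DISPLAYNUM (e.g. 10 for localhost:10.0); prints nothing
# when the listing has no entry for that display.
cookie_entry() {
    printf '%s\n' "$1" | awk -v disp="$2" '
        $1 ~ (":" disp "$") { print $1, $2, $3; exit }
    '
}

# save_cookie FILE   -- run as the ssh login user, BEFORE switching.
# Saves only the entry for the current forwarded display. The cookie is
# a bearer credential for the tunnel, so keep the file mode 0600; the
# functional account must be able to read it (or paste the line by hand
# after the switch).
save_cookie() {
    umask 077
    xauth list "$DISPLAY" > "$1"
}

# import_cookie FILE DISPLAYNUM -- run as the functional account AFTER
# SCsu/PPAK/su. Sets DISPLAY the same way the post does and adds the
# cookie to the new user's own ~/.Xauthority (created if missing).
import_cookie() {
    DISPLAY="localhost:$2.0"; export DISPLAY
    entry=$(cookie_entry "$(cat "$1")" "$2") || return 1
    [ -n "$entry" ] || { echo "no cookie for display $2 in $1" >&2; return 1; }
    # $entry is deliberately unquoted: xauth add wants three arguments.
    xauth add $entry
}
```

The saved file is only valid for that one ssh session, since sshd generates a fresh cookie for every login, so there is nothing persistent to audit beyond the switch itself.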



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:26 EDT