From: Maggie Smith (maggie_logann@yahoo.com)
Date: Sat Jul 20 2002 - 17:24:08 EDT
Hello All,
(This is not a summary.) Now I am connecting the Ultra 30 machine directly to the cable modem which works fine. I am planning to reconnect the Ultra30 to PC and reset up network again sometime in Aug.. After that, I will give a full summary.
However, I would like to share Bryan!/s idea here.
Thank Bryan for your very detail and valuable response and thanks others who replied.
The full summary is expected coming in Aug.
Thanks!
Maggie Smith
E-mail: Maggie_logann@yahoo.com
Qestions Asked :
On Mon, 2002-07-08 at 04:07, Maggie Smith wrote:
> Hello all,
> I got a display setting problem. The network of my
> machines can be diagramed as
> ---------------- ----------------
> | | | |
> | PC windows98 | | |
> | | | Ultra 30 |
> | network card 1 <---cable modem | solaris 8 |
> | | | |
> | network card 2 -----------------> |
> | | | IP: |
> | IP: | | 192.168.1.101 |
> | 24.81.80.88 | | |
> ---------------- ----------------
> Now I can telnet to outside other machines without any
> problems. I ran xhost + on ultra 30 before I set up
> display. After telneted to an outside machine, I ran a
> set-up display in the telneted window like (csh)
> % setenv DISPLAY 24.81.80.88:0
> .
> However, when I tried to open a graphic window on
> ultra 30, I got an error message like " Can't display
> on server".
> Does anyone give me an idea about how to setup display
> env in this case ?
ON 08 Jul 2002 05:07: Bryan replied:
Gateway/NAT
\ /---\/---\
Win PC ---- Internet ---- UNIX Sys (Ext)
|| \---/\---/
||
LAN =================
||
||
UNIX Sys
Just because you've established a telnet (port 23) connection with an
external host, doesn't mean you can establish a X (port 6000+)
connection with that same host. I.e., when the Windows 98 system does
NAT (network address translation) for your connection on port 23, it
only knows to forward back information on port 23 to the internal
system. When it sees an incoming X connection on port 6000+ from the
external host, it doesn't know what to do with it because your LAN's
UNIX Sys box did _not_ request anything of a remote system on port
6000+, so there is no NAT table associated with it.
While there are several ways to deal with this, the best (and most
secure) way is by using SSH (port 22). SSH (Secure Shell) is an
encrypted, multikey replacement RSH/RLOGIN (and has an accompaning SCP
to replace RCP, etc...). An SSH client natively tunnels X (port 6000+)
when you open a connection to an SSH server system with X. No
additional ports are needed because the X ports are "tunneled" over the
SSH connection (port 22). The "tunnel" looks like a normal port on the
external host, but it "forwards" the connection automatically back over
SSH to the original client.
By default, SSH uses display :10 (port 6010) for the first SSH X
connection, :11 (port 6011), so forth. You would then set your DISPLAY
on the external host to:
setenv DISPLAY localhost:10
When the system (external host) sends anything to port 6010 (X:10) on
locahost, the SSH program on the SSH server "tunnels" it back to the
SSH
client.
In ASCII art, this is how it works:
UNIX Sys UNIX Sys (ext.)
SSH Client -------- port 22 --------------- SSH Server
| | | |
6000 (X:0) | | localhost port 6010(X:10)
| Unencapsulate X | |
| from SSH packet | Encapsulate in SSH packet
\_________/ \_______/
>From the standpoint of your Windows 98 PC, it is only doing NAT and
fowarding/receiving packets on SSH (port 22). But you can forward all
kinds of stuff over SSH's tunneling (even NFS) since it can encapsulate
most UDP/IP or TCP/IP connections. You can think of SSH as a "poor
man's VPN (virtual private network)" which is actually very secure,
because it uses a multi-key authentication system, and only port
forwards _select_ ports (VPNs usually are "wide open" and forward all
ports).
Here's an example session (NOTE: -v on SSH turns debugging on so you
can see the messages listed as "debug1" below):
mysys% xhost +
mysys% ssh -v bjsmith@server.oninternet.com
...
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
...
Those are the lines showing that X11 forwarding is being requested from
the SSH server. Again, SSH can port forward all kinds of things
normally with the "-L" option, but X is one of the things it will do
_inheritly_ without _any_ extra work.
server% setenv |grep DISPLAY
DISPLAY=server.oninternet.com:10.0
Again, it does X _inheritly_, right down to _automatically_ setting up
your DISPLAY variable. Note the system where :10.0 is located is
localhost (server.oninternet.com) so it is sending X display back to
itself on port 6010 (X:10). But that's where SSH comes in -- anything
going to that port is caught, encapsulated in a SSH packet, sent back
over port 22 to the client, then unencapsulated and displayed on the
client's :0 X-Server.
server% xterm &
debug1: client_input_channel_open: ctype x11 rchan 2 win 4096 max
2048
debug1: client_request_x11: request from xxx.xxx.xxx.xxx 2598
debug1: fd 7 setting O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
And my xterm I launched on remote system "server.oninternet.com" shows
up on my local X-Server display. Nothing else needed.
You need to make sure that the SSH server is setup to do X11
forwarding. E.g., if you run the OpenSSH version (I think this is now
included with Solaris 8+?), typically the SSH daemon (sshd)
configuration file is "/etc/ssh/sshd_config". These are the two lines
you need:
X11Forwarding yes
X11DisplayOffset 10
If you don't like :10 to be the default, change it to whatever you
like.
If you need to get OpenSSH for any system, goto their site:
They usually have binaries for most platforms if your version of
Solaris
doesn't include SSH. Compiling from source is easy assuming you have
GNU GCC installed and it should only require the OpenSSL encryption
library.
BTW, it's a good idea to keep OpenSSH _up-to-date_. Exploits for
OpenSSH usually can't do much, but since SSH is a popular, encrypted
method of access, it's targetted heavily (whereas telnet is easy to
exploit on its own -- because you just capture and read the clear text
password sent over the Internet ;-).
-- Bryan
Bryan J. Smith, E.I. SmithConcepts, Inc.
mailto:b.j.smith@ieee.org http://SmithConcepts.com
(407)489-7013 (Mobile) Engineers and IT Professionals
-----------------------------------------------------------------
BS Computer Engineering, NSPE Certified Engineering Intern (E.I.)
Sun Certified System Admin (SCSA) Solaris 8
CompTIA A+ (2001), Linux+, Network+ (2002) Certified
-----------------------------------------------------------------
Yahoo! Health - Feel better, live better
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:24:37 EDT