I've ssh gateway behind my NAT firewall. So all users must first login to my gateway host from the internet and then login to other machines on the LAN. This works great for cli based apps. However, few users would like to run x apps from internal LAN hosts and tunnel X display through intermediate ssh gateway and display back output on their local system. For example, from localsystem user makes connection as follows:
ssh -X email@example.com
ssh -X firstname.lastname@example.org
X forwarding fails with an error:
Error: Can't open display:
How do I fix this problem and allow users to use X apps with my intermediate Linux / BSD gateway?
You need to use ProxyCommand in your $HOME/.ssh/config for the external host connecting via the Internet. It specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user's shell. In the command string, %h will be substituted by the host name to connect and %p by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to none disables this option entirely.
You need to use this directive in conjunction with nc and its proxy support. For example, the following directive would connect via an HTTP proxy at 18.104.22.168 at port 3128:
ProxyCommand /usr/bin/nc -X connect -x 22.214.171.124:3128 %h %p
$ vi $HOME/.ssh/config
Modify / add configuration as follows:
Host internal Hostname somelan.example.com HostKeyAlias proxy User vivek # ProxyCommand ssh gw.nixcraft.in nc %h %p 2> /dev/null ProxyCommand ssh gateway.example.com "/usr/bin/nc internal 22"
Save and close the file.
- Host internal - Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword.
- ProxyCommand - Used nc command to Proxy your SSH session to internal system through gateway.
- User - Specifies the user to log in as. In our example login as vivek.
- HostKeyAlias - Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This line can be commented out.
Now, user can login and run X apps:
$ ssh -X email@example.com
$ ssh -X firstname.lastname@example.org
$ xeyes &
See ssh_config man page for further details.
- 30 Cool Open Source Software I Discovered in 2013
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop