SUMMARY: X proxy server

From: Peter Polasek (pete@cobra.brass.com)
Date: Thu Jun 18 1998 - 09:05:05 CDT


Original Question:
------------------

> Is anybody aware of a proxy server package for Sun that supports X
> sessions in the following manner:
>
>          routed        routed
>          network       network
>   Sun_A ------- Sun_B ------- Sun_C
> X terminal   Proxy Host   X application
>
> Would like to display X client program running on Sun_C to the Sun_A
> terminal through a proxy on Sun_B (Sun_A can not route to Sun_C, but
> Sun_B can route to both). Thanks in advance and I will summarize.

Summary:
--------
The overwhelming response was to use the Secure Shell proxy server
(available from ftp://ftp.cs.hut.fi). Other suggestions included
Sun SKIP and the TIS firewall toolkit. I had previously read about
the secure shell in the following two articles -- these provide a
fairly concise overview of ssh features and configuration options:

http://www.sun.com/sunworldonline/swol-02-1998/swol-02-security.html
http://www.sun.com/sunworldonline/swol-03-1998/swol-03-security.html?032098

The group seems to concur that ssh is the best option.

Thanks to the following for responding:
---------------------------------------
Jeff Wasilko <jeffw@smoe.org>
Chris Phillips <chris@scooter.Canada.Sun.COM>
Andreas Ehliar <tamyrlin@futurniture.se>
Kevin Korb <kmk@crc.com>
Dieter Gobbers <gobbers@faw.uni-ulm.de>
wolt@igd.fhg.de
Raymond Wong <negativl@netcom.com>
Jochen Bern <bern@TI.Uni-Trier.DE>
Mike Loseke <Mike.Loseke@Symbios.com>
jim@nga.com (Jim Roy)
Simon Leinen <simon@limmat.switch.ch>
blymn@baea.com.au (Brett Lymn)

===================================================
Detailed message excerpts are shown below (messages
with redundant information have been removed):
===================================================

From: Chris Phillips <chris@scooter.Canada.Sun.COM>
---------------------------------------------------
There is such a proxy in the Firewall Toolkit.
 (I haven't checked lately but it used to be somewhere at:
         ftp://ftp.tis.com )
I also have used an X-proxy from Der Mouse @ McGill Univ. but
I don't have a web/ftp site for it.

There is also an X-proxy in the ssh distribution: ftp://ftp.cs.hut.fi

From: Kevin Korb <kmk@crc.com>
-------------------------------

The Secure Shell (ssh) program can do this and can compress and/or
encrypt the entire data stream. You can read about it at
http://www.cs.hut.fi/ssh. I use it at work to run an xbiff from
my ISP.

From: Dieter Gobbers <gobbers@faw.uni-ulm.de>
---------------------------------------------
The most secure way to do this is using "ssh". ssh (secure
shell) can handle X requests and forward them to the X server.
To get this working, on both Sun_B and Sun_C you must have
an sshd (secure shell daemon) running. The person who should be
able to run the application must have an account on all three
machines.

To start the application the person logs from Sun_A into Sun_B
using "slogin". On Sun_B the person logs into Sun_C and starts
the application. There is no need to set the DISPLAY variable
as slogin is doing that for the user!

From: wolt@igd.fhg.de
---------------------
I'd say what you're looking for is a VPN solution. While IPSec/IPv6
will bring some benefits, this will take a little time and I suppose
you need your solution *this* year.

The solution (which eliminates - sort of - the `proxy' in your
drawing) is a VPN based on Checkpoint Firewall-1 (configuration
depends on the size and needs of your site, I won't bother you with
the product names); FW-1 will secure your client/server net(s); you
can then proceed with allowing X connections to/from trusted sites
via the VPN. The VPN can be based on Sun SKIP (there is a free
implementation out there, but this is not for production systems).
SKIP is available for 95/NT and Solaris (obviously) and can secure
any weird combination of allow/deny lists for hosts. This works even
if you have some poor sod working with PCXware on a PPP link from
his notebook. Cheap it ain't (FW-1 in particular), but it does the
trick and has been around for some time, so it works for production
environments.

From: Raymond Wong <negativl@netcom.com>
----------------------------------------
Check out ssh, it has Xforwarding support over normal proxies
like SOCKS (4 and 5) as well as being able to do its own
listening and forwarding of itself. You're running sshd on
Sun C to make it work, but that does have the advantage of
encrypting the Xsession from C back as well as having the option
to compress it if the bandwidth is a little slow.

http://www.cs.hut.fi/ssh
http://www.ssh.fi

From: Jochen Bern <bern@TI.Uni-Trier.DE>
----------------------------------------
Probably not *exactly* what you're looking for, but you could (on
Sun_A) run a 'ssh -l Xproxy -R 6012:localhost:6000 Sun_B' (towards
a restricted Account Xproxy@Sun_B), which will tunnel all Connections
to Port 6012 on Sun_B (i.e., X11 Display Sun_B:12) to Port 6000 on
Sun_A (i.e., X11 Display Sun_A:0).

If you'd be willing to allow Xproxy@Sun_B to ssh out, too, you can
do it even easier by 'ssh -l Xproxy Sun_B' first, then 'ssh -l User
Sun_C'; ssh will correctly tunnel X11 Requests all the Way back to
Sun_A.

From: blymn@baea.com.au (Brett Lymn)
------------------------------------
Check out a thing called ssh (Secure Shell) at
<http://www.cs.hut.fi/ssh> which will do what you want. I do a very
similar thing to get X displayed on my laptop from work machines via
my "big" machine. The setup I have is:

laptop ----> big machine ----> work machine

What I do is rlogin to big machine and run the command:

ssh -L 6009:laptop:6000 -C work

When ssh has made the connection I set DISPLAY to be "localhost:9" and
start running X sessions. The X clients talk to port 6009 (X display
9) which is relayed by ssh to port 6000 on the laptop (X display 0)
via the big machine.
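
Added example (not part of the original message or of any respondent's
reply): the forwarding commands above rely on X display N listening on
TCP port 6000+N. The sketch below decodes a forward spec such as
6012:localhost:6000 into the displays it connects and rejects specs that
do not map to X11 ports. The function names and the 6000-6063 range check
are choices made for this example.

```shell
#!/bin/sh
# Added example: decode an ssh forward spec (listen_port:host:target_port)
# into the X11 displays it joins. X display N uses TCP port 6000+N.

X11_BASE=6000

# port_to_display PORT: print the display number for PORT; fail unless PORT
# is numeric and inside 6000-6063, the range conventionally used for X11.
port_to_display() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$X11_BASE" ] && [ "$1" -le $((X11_BASE + 63)) ] || return 1
    echo $(( $1 - X11_BASE ))
}

# x11_forward_plan SPEC LISTEN_HOST
#   SPEC        argument of the forward option, e.g. 6012:localhost:6000
#   LISTEN_HOST label for the machine on which the listening port opens
# Prints "DISPLAY=<listen_host>:<n> -> <target_host>:<m>". The target host
# name is resolved at the far end of the tunnel, not on the listening host.
x11_forward_plan() {
    spec=$1
    listen_host=$2
    old_ifs=$IFS
    set -f                      # no glob expansion while splitting
    IFS=:
    set -- $spec                # split into listen_port, host, target_port
    IFS=$old_ifs
    set +f
    if [ $# -ne 3 ] || [ -z "$2" ]; then
        echo "malformed spec: $spec" >&2
        return 2
    fi
    listen_n=$(port_to_display "$1") || {
        echo "listen port $1 is not an X11 port" >&2; return 1; }
    target_n=$(port_to_display "$3") || {
        echo "target port $3 is not an X11 port" >&2; return 1; }
    echo "DISPLAY=${listen_host}:${listen_n} -> $2:${target_n}"
}

# The spec from the Sun_A -> Sun_B command quoted above.
x11_forward_plan 6012:localhost:6000 Sun_B
```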
