[Novalug] Speed Up Multiple SSH Connections to the Same Server
Megan Larko
larkoc at iges.org
Mon Jan 5 14:58:06 EST 2009
Beartooth wrote:
Hi Beartooth,
> On Mon, 5 Jan 2009, Megan Larko wrote:
> [...]
>> XForwarding is the ability to display an X-Window remotely. Example:
>> One connects to a remote machine via SSH protocol with XForwarding
>> enabled. In the shell window, one enters "firefox" and a firefox web
>> browser window appears on the local monitor of the user. Or one may
>> issue the command "xpdf file.pdf" and a window appears on the local
>> system showing the file.pdf in the xpdf window.
>
> To make a concrete example, let's suppose you give me ssh access to
> your machine; call it MLc. Then, I think, you mean that if my prompt, in
> my terminal connected to you, is "[btth at MLc ~]$" and I type "firefox" at
> it, *I* will see that browser, with *your* tweaks and add-ons, on *my*
> machine. Right? And you will probably not even notice, unless I call
> your attention to myself?
Not quite. You will be running the firefox program on my computer, MLc
in the example, with whatever settings your user account on computer MLc
has. These settings may be different from my firefox settings on
machine MLc. And Jo may not have an account on computer MLc at all.
So the XForwarding is enabling computer MLc to display its firefox
program on your monitor which initiated the user session wherever that
monitor may be (your home, for instance).
>
> If so, it will be useful for tweaking Jo's machine when *my* mind
> has a good hold on what to do, even if she's revising a manuscript at
> the time. Many thanks!
You will see the settings on Jo's machine for your user id. You could
"su - jo" and become Jo's user id on the remote machine if you have the
correct password or use the root user in-between and then see Jo's
settings for the program running on her computer as displayed on your
monitor/terminal. So it could help you in that way.
>
> Also two questions. One: suppose you are absolutely right to trust
> me with that connection; does it nevertheless endanger you by the
> connection itself being exposed to nogoodniks elsewhere? (My guess is
> that it does, if only marginally; and that that is why I haven't
> encountered it on the few remote machines I do have access to -- I might
> expose some defense unwittingly.)
The secure shell (ssh) protocol is encrypted in transit. The primary
risks are 1) a possible flaw in sshd such that a non-root-permitted user
could escalate permission to root level and wreak havoc, or 2) much much
more likely is that some people have guess-able passwords or passwords
that have been sniffed allowing an unknown entity to ssh to the computer
using your userid and password combination. You may also use additional
programs such as iptables to limit incoming ssh connections to only
trusted sites (your local home LAN, for example). Or you may deny
connections to port 22 sshd via iptables or other similar mechanisms.
Example for an /etc/sysconfig/iptables SSH port 22 exclusion (1 line):
-A RH-Firewall-1-INPUT -s 192.239.86.49 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
Example for an /etc/sysconfig/iptables SSH port 22 inclusion (1 line):
-A RH-Firewall-1-INPUT -s 192.239.85.52 -p tcp -m tcp --dport 22 -j ACCEPT
>
> Two, probably a totally different topic: Suppose I want Jo and
> myself both to see the same display at once, she on her machine
> downstairs, and I on mine up. What is that called?
>
Yes, there is a way to do that but I have not done it myself so I am not
qualified to respond to this particular question. Sorry.
Cheers!
megan
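An added example, not part of the original message: a short Python script that counts "Failed password" events per source address in a few constructed sshd log lines (the /var/log/secure format) and renders a REJECT rule, in the /etc/sysconfig/iptables form quoted above, for any source that exceeds a threshold. The chain name, the threshold and the log lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd entries in syslog form; not real traffic.
SAMPLE_LOG = """\
Jan  5 14:01:02 mlc sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2
Jan  5 14:01:05 mlc sshd[2103]: Failed password for root from 192.0.2.10 port 50130 ssh2
Jan  5 14:01:09 mlc sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 50141 ssh2
Jan  5 14:02:40 mlc sshd[2110]: Accepted publickey for megan from 192.168.1.20 port 43210 ssh2
Jan  5 14:03:11 mlc sshd[2112]: Failed password for megan from 192.168.1.20 port 43222 ssh2
Jan  5 14:03:15 mlc sshd[2114]: Accepted password for megan from 192.168.1.20 port 43223 ssh2
"""

# Matches both "Failed password for USER from IP" and "Failed password for invalid user USER from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def failed_logins_by_source(log_text):
    """Return a Counter of 'Failed password' events keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def reject_rules(counts, threshold=3, chain="RH-Firewall-1-INPUT"):
    """Render one port-22 REJECT rule per source at or above the threshold.

    The chain name is an assumption matching the rule format in the post;
    a single legitimate typo (one failure) stays below the threshold.
    """
    rules = []
    for src, n in sorted(counts.items()):
        if n >= threshold:
            rules.append(
                f"-A {chain} -s {src} -p tcp -m tcp --dport 22 "
                f"-j REJECT --reject-with icmp-port-unreachable"
            )
    return rules


if __name__ == "__main__":
    for rule in reject_rules(failed_logins_by_source(SAMPLE_LOG)):
        print(rule)
```

Review the generated rules before appending them to the real rules file; the script only reports, it does not change the firewall.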