39.7 X, Authentication, and Forwarding Mechanisms
Beyond the previously described security-related improvements,
SSH also simplifies the use of remote X
applications. If you run ssh with the option
-X, the DISPLAY variable is automatically set on the
remote machine and all X output is sent back to the local display over
the existing SSH connection. At the same time, X
applications started remotely and viewed locally with this method cannot be
intercepted by unauthorized individuals.
By adding the option -A, the
ssh-agent authentication mechanism is
carried over to the next machine. This way, you can work from different
machines without having to enter a password, but only if you have
distributed your public key to the destination hosts and properly saved it
there.
Both mechanisms are deactivated in the default settings, but can be
permanently activated at any time in the systemwide configuration file
/etc/ssh/sshd_config or the user's
~/.ssh/config.
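
One way to check where these two mechanisms are permanently switched on, as an added example that is not part of the original documentation. It assumes the OpenSSH client option names ForwardX11 and ForwardAgent (the configuration equivalents of -X and -A); the function names and the sample configuration are constructed for illustration. Entries marked WIDE apply globally or to a wildcard pattern rather than to one named host.

```sh
#!/bin/sh
# Added example (not from the original page): report where an OpenSSH client
# config permanently enables what -X and -A enable for a single session.
# Simplifications: Include files are not followed; Match is treated like Host.
audit_forwarding() {
    awk '
    BEGIN {
        scope = "(global)"; wide = 1            # lines before any Host apply to all
        name["forwardagent"] = "ForwardAgent"   # config equivalent of -A
        name["forwardx11"]   = "ForwardX11"     # config equivalent of -X
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        if (!match(line, /^[A-Za-z0-9]+/)) next
        word = substr(line, 1, RLENGTH); key = tolower(word)   # keywords ignore case
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val); gsub(/"/, "", val)   # "key value" or "key=value"
        if (key == "host" || key == "match") {
            scope = word " " val
            wide = (val ~ /[*?]/ || tolower(val) == "all")
            next
        }
        # Anything other than "no" turns the feature on for this scope.
        if ((key in name) && tolower(val) != "no")
            printf "%s:%s=%s @ %s\n", (wide ? "WIDE" : "scoped"), name[key], val, scope
    }' "$@"
}

# Constructed sample config; host names reuse the ones in the text above.
sample_config() {
    cat <<'EOF'
ForwardAgent yes
Host sun
    ForwardX11 yes
Host *.example.com
    forwardx11 = yes
Host *
    ForwardAgent no
EOF
}

# Reads stdin here; on a real system pass files, e.g. audit_forwarding ~/.ssh/config
sample_config | audit_forwarding
```
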
ssh can also be used to redirect TCP/IP
connections. In the examples below, SSH is told
to redirect the SMTP and the POP3 port, respectively:
ssh -L 25:sun:25 earth
With this command, any connection directed to earth port
25 (SMTP) is redirected to the SMTP port on sun via
an encrypted channel. This is especially useful for those using SMTP servers
without SMTP-AUTH or POP-before-SMTP features. From any arbitrary location
connected to a network, e-mail can be transferred to the home
mail server for delivery. Similarly, all POP3 requests (port 110) on
earth can be forwarded to the POP3 port of sun with
this command:
ssh -L 110:sun:110 earth
Both commands must be executed as root, because the connection is made to
privileged local ports. E-mail is sent and retrieved by normal users in an
existing SSH connection. The SMTP and POP3
host must be set to localhost for this to work.
Additional information can be found in the manual pages for each of the
programs described above and also in the files under
/usr/share/doc/packages/openssh.