Re: [fw-wiz] X11 forwarding

From: Brian Hatch (firewall-wizards@ifokr.org)
Date: 08/23/02

• Next message: Crispin Cowan: "Re: [fw-wiz] concerning ~el8 / project mayhem"
• Previous message: David Lang: "Re: [fw-wiz] X11 forwarding"
• In reply to: hermit921: "[fw-wiz] X11 forwarding"
• Next in thread: Kevin Steves: "Re: [fw-wiz] X11 forwarding"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Brian Hatch <firewall-wizards@ifokr.org>
To: hermit921 <hermit921@yahoo.com>
Date: Fri Aug 23 20:23:17 2002

> How much of a security problem is X11 forwarding? I see CERT recommends
> using a version that allows this to be turned off, but doesn't specifically
> recommend that X11 forwarding be disabled.

Say you connect from your machine running X11 with:

        jdoe@home$ ssh -X remote_server
        remote_server password:
        jdoe@remote_server$

Then you can display X11 apps on your home machine that start on the
remote server:

        jdoe@remote_server$ echo $DISPLAY
        :10.0
        jdoe@remote_server$ xclock
        (display appears on your desktop)

By setting the correct enviroment variables, root can do this too:

        root@remote_server# export HOME=/home/jdoe
        root@remote_server# export DISPLAY=:10.0
                            (replace with correct display number)
        root@remote_server# xclock
        (display appears on your desktop)

The problem is that X11 gives much more access than just popping
windows on your screen, such as snagging every event (mouse click,
keypress, etc) on your X11 desotkop. If you don't trust root on
remote_server, then you shouldn't allow X11 forwarding to it.

        root@remote_server# xwd -root > jdoe.screenshot.xwd
        root@remote_server# xkey
        (whatever user types appears here...)

--
Brian Hatch                  I admire your bad
   Systems and                qualities and I
   Security Engineer          wouldn't have you
www.buildinglinuxvpns.net     part with a single one
Every message PGP signed

• application/pgp-signature attachment: stored

• Next message: Crispin Cowan: "Re: [fw-wiz] concerning ~el8 / project mayhem"
• Previous message: David Lang: "Re: [fw-wiz] X11 forwarding"
• In reply to: hermit921: "[fw-wiz] X11 forwarding"
• Next in thread: Kevin Steves: "Re: [fw-wiz] X11 forwarding"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Tunneling X without X available ... completely devoid of xauth, but this is worth a try. ... Then, also from my workstation, I logged into the protected-server via ... the forwarded local port with '-X' option to enable x11 forwarding: ... (alt.os.linux.suse) Re: x11 apps traffic not encrypted ... > and remotely start x11 apps such as xclock. ... > start on port 6000 and i'm under impression that it's not encrypted. ... Normally when using X11 forwarding there ... (comp.security.ssh) X11 forwarding--with a wrinkle ... I have a slightly odd situation in using X11 forwarding, possibly unsolvable, but I ... Starting from my home machine, ... the X11 connection, and I can't access X apps on the innermost machines. ... (comp.security.ssh) Re: Breakage in X11 over ssh tunnel ... > unable to run X applications over an SSH tunnel. ... OpenSSH's X11 forwarding now defaults to providing untrusted client ... which prevents the X11 clients from performing some operations. ... (freebsd-current) Re: X11 tunnelling issue andlogin security question ... What does this message mean when using X11 forwarding and attempting to ... connect to an X11 session thru an ssh server on a host that does not have ... (comp.security.ssh)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint