Re: [fw-wiz] X11 forwarding

From: Kevin Steves (kevin@atomicgears.com)
Date: 08/26/02


From: Kevin Steves <kevin@atomicgears.com>
To: hermit921 <hermit921@yahoo.com>
Date: Mon Aug 26 13:28:01 2002

On Fri, Aug 23, 2002 at 10:07:21AM -0700, hermit921 wrote:
> How much of a security problem is X11 forwarding? I see CERT recommends
> using a version that allows this to be turned off, but doesn't specifically
> recommend that X11 forwarding be disabled.

For OpenSSH, I was going to try to cover the issues somewhat by adding
this text. Note also that, by default, the proxy display no longer
listens on the wildcard address (see sshd X11UseLocalhost), which
closes a possible remote attack vector.

Index: ssh_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
retrieving revision 1.1
diff -u -r1.1 ssh_config.5
--- ssh_config.5 20 Jun 2002 19:56:07 -0000 1.1
+++ ssh_config.5 17 Aug 2002 20:42:50 -0000
@@ -252,6 +252,13 @@
 .Dq no .
 The default is
 .Dq no .
+.Pp
+Agent forwarding should be enabled with caution. Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection. An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and
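Review bot: the last sentence of the added ForwardAgent paragraph is a comma splice ("An attacker cannot obtain key material from the agent, however they can perform operations ..."); split it or join the clauses with "but", e.g. "An attacker cannot obtain key material from the agent; however, they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent." The substance is right for ssh_config(5), since ForwardAgent is a client-side option, and the paragraph usefully states both the limit (no key material leaves the agent) and the real exposure (signing with loaded identities), so only the wording needs attention.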
@@ -263,6 +270,12 @@
 .Dq no .
 The default is
 .Dq no .
+.Pp
+X11 forwarding should be enabled with caution. Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection. An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.
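Review bot: the added ForwardX11 paragraph describes the attack path (a remote user who can read the user's X authorization database reaches the local display over the forwarded connection) but gives no pointer to the server-side setting the covering mail relies on, X11UseLocalhost keeping the proxy display off the wildcard address. Since that option lives in sshd_config(5), a cross-reference (.Xr sshd_config 5) after the new sentence would let a user who enables ForwardX11 find the matching server setting. The wording otherwise parallels the ForwardAgent paragraph in the first hunk, which is good for consistency.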
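As an added example, not code from the mail above or from OpenSSH, the following POSIX shell script audits ssh_config(5) and sshd_config(5) text for the options the patch and the mail discuss: ForwardAgent, ForwardX11 and GatewayPorts on the client side, and X11UseLocalhost on the server side. It assumes the plain "Keyword value" line form, ignores Host sections, reads only the first occurrence of each keyword, and uses constructed sample configurations rather than real files.

```shell
#!/bin/sh
# Added example, not code from the original mail or from OpenSSH: a small
# audit of the forwarding options discussed above in ssh_config(5) and
# sshd_config(5) files. Assumes the "Keyword value" line form, ignores Host
# sections, and reads only the first occurrence of each keyword; the sample
# configuration text at the bottom is constructed for illustration.

# get_option FILE KEYWORD
# Prints the lower-cased value of the first uncommented "Keyword value"
# line (keyword match is case-insensitive), or "unset" if none is present.
get_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        !found && tolower($1) == tolower(key) { print tolower($2); found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_client FILE
# Warns about client options that extend trust to the remote host.
# Returns 0 when none of them is enabled, 1 otherwise.
audit_client() {
    rc=0
    for opt in ForwardAgent ForwardX11 GatewayPorts; do
        val=$(get_option "$1" "$opt")
        if [ "$val" = yes ]; then
            case "$opt" in
                ForwardAgent) why="remote users who can reach the agent socket can sign with loaded keys" ;;
                ForwardX11)   why="remote users who can read the X authorization database can reach the local display" ;;
                GatewayPorts) why="remote hosts may connect to local forwarded ports" ;;
            esac
            echo "WARN: $opt yes in $1: $why"
            rc=1
        fi
    done
    return $rc
}

# audit_server FILE
# Warns when the proxy display is explicitly opened on the wildcard address.
# Returns 0 when X11UseLocalhost is left at its localhost-only default.
audit_server() {
    if [ "$(get_option "$1" X11UseLocalhost)" = no ]; then
        echo "WARN: X11UseLocalhost no in $1: proxy display listens on the wildcard address"
        return 1
    fi
    return 0
}

# Constructed sample configurations (not real files from any host).
demo=$(mktemp -d)
cat > "$demo/ssh_config.weak" <<'EOF'
Host *
    ForwardAgent yes
    ForwardX11 Yes
    # GatewayPorts yes   (commented out, must be ignored)
EOF
cat > "$demo/ssh_config.hardened" <<'EOF'
Host *
    ForwardAgent no
    ForwardX11 no
EOF
cat > "$demo/sshd_config.weak" <<'EOF'
X11Forwarding yes
X11UseLocalhost no
EOF

audit_client "$demo/ssh_config.weak"     || echo "-> client config needs attention"
audit_client "$demo/ssh_config.hardened" && echo "-> hardened client config is clean"
audit_server "$demo/sshd_config.weak"    || echo "-> server config needs attention"
rm -rf "$demo"
```

The weak client sample trips two warnings (the commented-out GatewayPorts line is skipped), the hardened sample none, and the server sample one; the awk matcher lower-cases both keyword and value so "ForwardX11 Yes" is caught like "ForwardX11 yes".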


