Re: [fw-wiz] X11 forwarding

From: Pierre Blanchet (Pierre.Blanchet@solsoft.fr)
Date: 08/27/02


To: Kevin Steves <kevin@atomicgears.com>
From: Pierre Blanchet <Pierre.Blanchet@solsoft.fr>
Date: Tue Aug 27 07:15:00 2002


On August 26 2002 at 9:51,
        Kevin Steves <kevin@atomicgears.com> wrote:
> On Fri, Aug 23, 2002 at 10:07:21AM -0700, hermit921 wrote:
> > How much of a security problem is X11 forwarding? I see CERT recommends
> > using a version that allows this to be turned off, but doesn't specifically
> > recommend that X11 forwarding be disabled.
>
> For OpenSSH, I was going to try to cover the issues somewhat by adding
> this text. Note also, that by default, the proxy display no longer
> listens on the wildcard address (see sshd X11UseLocalhost), which
> closes a possible remote attack vector.
>

        If I understood you correctly, X11 Forwarding is dangerous
only from the client point of view (modulo unknown holes).
        i.e. I can safely enable X11 Forwarding on sshd, but should use
ssh -X with caution (= I trust the remote admin).

        Pierre.

-- 
Pierre Blanchet					      Support Engineer
GPG 0xED89D256 :    0952 C8A7 7B97 BAE5 0560  8614 E690 9368 ED89 D256
http://www.solsoft.com			    Pierre.Blanchet@solsoft.fr
Tel.: +33 147 15 55 00                           Fax: +33 147 15 55 09
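
A check for the two settings this thread mentions, as an added example that is not part of the original message or of OpenSSH: it flags client configs where `ForwardX11` (the config-file form of `ssh -X`) is enabled under wildcard host patterns, and server configs that combine `X11Forwarding yes` with `X11UseLocalhost no`. The function names and sample configs are constructed for illustration; `Match` blocks and negated patterns are not handled.

```python
import re

# Constructed sample configs (not taken from the thread).
CLIENT_SAMPLE = """\
# per-host opt-in for one machine whose admin is trusted
Host trusted.example.org
    ForwardX11 yes
Host *.lab.example.org
    ForwardX11=yes
Host *
    ForwardX11 no
"""
SERVER_SAMPLE = """\
X11Forwarding yes
X11UseLocalhost no
"""

def parse(text):
    """Yield (lowercased keyword, [arguments]) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # OpenSSH accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line)
        yield parts[0].lower(), parts[1:]

def audit_client(text):
    """Return the wildcard Host patterns under which ForwardX11 is 'yes'."""
    findings, patterns = [], ["*"]  # options before any Host line apply to all hosts
    for key, args in parse(text):
        if key == "host":
            patterns = args
        elif key == "forwardx11" and args and args[0].lower() == "yes":
            findings.extend(p for p in patterns if "*" in p or "?" in p)
    return findings

def audit_server(text):
    """True if X11 forwarding is on and the proxy display is not bound to localhost."""
    seen = {}
    for key, args in parse(text):
        if args:
            seen.setdefault(key, args[0].lower())  # first value read is the one used
    forwarding = seen.get("x11forwarding", "no") == "yes"      # default: no
    localhost = seen.get("x11uselocalhost", "yes") == "yes"    # default: yes
    return forwarding and not localhost

if __name__ == "__main__":
    print("broad ForwardX11 patterns:", audit_client(CLIENT_SAMPLE))
    print("proxy display exposed beyond localhost:", audit_server(SERVER_SAMPLE))
```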