Re: [fw-wiz] X11 forwarding

From: Kevin Steves (kevin@atomicgears.com)
Date: 08/27/02


From: Kevin Steves <kevin@atomicgears.com>
To: Pierre Blanchet <Pierre.Blanchet@solsoft.fr>
Date: Tue Aug 27 15:22:01 2002

On Tue, Aug 27, 2002 at 10:46:19AM +0200, Pierre Blanchet wrote:
> On August 26 2002 at 9:51,
> Kevin Steves <kevin@atomicgears.com> wrote:
> > For OpenSSH, I was going to try to cover the issues somewhat by adding
> > this text. Note also, that by default, the proxy display no longer
> > listens on the wildcard address (see sshd X11UseLocalhost), which
> > closes a possible remote attack vector.
>
> If I understood you correctly, X11 Forwarding is dangerous
> only from the client point of view (modulo unknown holes).

Correct, that is my current assessment. From a server implementation
standpoint (OpenSSH), X11 forwarding is largely a special case of TCP
forwarding. The authentication spoofing and authentication data
verification and substitution happen on the client side.

> i.e. I can safely enable X11 Forwarding on sshd, but should use
> ssh -X with caution (= I trust the remote admin).

Yes, and host security etc. You have extended the security perimeter
for your X11 display to that host (or hosts--don't forget about
chained ssh sessions).

However, the administrator may have a stance in which they want to
protect the clients, which can warrant an X11Forwarding=no
configuration.

-- 
Kevin Steves     | kevin@atomicgears.com
Atomic Gears LLC | http://www.atomicgears.com/
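As an added example (not from Kevin's message or from OpenSSH itself), a small POSIX shell check that evaluates the two settings discussed in this thread, the server's X11Forwarding/X11UseLocalhost pair and the client's ForwardX11, from the key/value output of "sshd -T" and "ssh -G host"; both commands are assumed available (they exist in current OpenSSH releases, not the 2002 versions discussed here), and the embedded input is constructed rather than captured.

```shell
#!/bin/sh
# Added example, not part of the original message or of OpenSSH.
# Reads the effective, lowercased key/value output of "sshd -T" (server)
# and "ssh -G host" (client). Constructed samples are embedded so the
# checks run offline; on a real host pipe the real commands in instead.

# Return 0 when the server config matches the stated stance, 1 otherwise.
#   $1 = "protect-clients": the admin wants X11Forwarding=no outright.
#   $1 = "allow": forwarding may be on, but the proxy display must listen
#        on loopback only (X11UseLocalhost yes) so no remote vector exists.
# stdin = output of "sshd -T". A missing key is treated as not set.
check_server_x11() {
    stance=$1
    cfg=$(cat)
    fwd=$(printf '%s\n' "$cfg" | awk '$1=="x11forwarding"{print $2}')
    local_only=$(printf '%s\n' "$cfg" | awk '$1=="x11uselocalhost"{print $2}')
    case "$stance" in
        protect-clients) [ "$fwd" = "no" ] ;;
        allow) [ "$fwd" = "no" ] || [ "$local_only" = "yes" ] ;;
        *) return 2 ;;
    esac
}

# Return 0 when the client would forward its display to the remote host,
# i.e. when the user is extending the X11 security perimeter to that host.
# stdin = output of "ssh -G <host>".
client_forwards_x11() {
    fwd=$(awk '$1=="forwardx11"{print $2}')
    [ "$fwd" = "yes" ]
}

# Constructed samples (not captured from a real system).
SERVER_WILDCARD='x11forwarding yes
x11uselocalhost no
x11displayoffset 10'
SERVER_LOOPBACK='x11forwarding yes
x11uselocalhost yes
x11displayoffset 10'
CLIENT_X='forwardx11 yes
forwardagent no'

printf '%s\n' "$SERVER_WILDCARD" | check_server_x11 allow \
    || echo "server: proxy display would listen on the wildcard address"
printf '%s\n' "$CLIENT_X" | client_forwards_x11 \
    && echo "client: display will be exposed to the remote host and its admin"
```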