Re: [fw-wiz] X11 forwarding

From: Kevin Steves (kevin@atomicgears.com)
Date: 08/27/02


From: Kevin Steves <kevin@atomicgears.com>
To: Pierre Blanchet <Pierre.Blanchet@solsoft.fr>
Date: Tue Aug 27 15:22:01 2002

On Tue, Aug 27, 2002 at 10:46:19AM +0200, Pierre Blanchet wrote:
> On August 26 2002 at 9:51,
> Kevin Steves <kevin@atomicgears.com> wrote:
> > For OpenSSH, I was going to try to cover the issues somewhat by adding
> > this text. Note also that, by default, the proxy display no longer
> > listens on the wildcard address (see sshd X11UseLocalhost), which
> > closes a possible remote attack vector.
>
> If I understood you correctly, X11 Forwarding is dangerous
> only from the client point of view (modulo unknown holes).

Correct, that is my current assessment. From a server implementation
standpoint (OpenSSH), X11 forwarding is largely a special case of TCP
forwarding. The authentication spoofing and authentication data
verification and substitution happen on the client side.

> i.e. I can safely enable X11 Forwarding on sshd, but should use
> ssh -X with caution (= I trust the remote admin).

Yes, and host security etc. You have extended the security perimeter
for your X11 display to that host (or hosts--don't forget about
chained ssh sessions).

However, the administrator may have a stance in which they want to
protect the clients, which can warrant an X11Forwarding=no
configuration.

-- 
Kevin Steves     | kevin@atomicgears.com
Atomic Gears LLC | http://www.atomicgears.com/
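The two sshd settings discussed in this thread (X11Forwarding and X11UseLocalhost) decide whether a proxy display exists on the server at all and whether it is bound to loopback or to the wildcard address. The script below is an added example, not part of the original message or of OpenSSH, that reads an sshd_config and classifies that posture. It assumes OpenSSH's documented defaults (X11Forwarding "no", X11UseLocalhost "yes"), its "first obtained value wins" rule, whitespace-separated "keyword value" lines, and stops at the first Match block rather than evaluating it (a simplification). The sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): report the server-side
# X11 forwarding posture implied by an sshd_config file.

# sshd_x11_setting FILE KEYWORD DEFAULT
# Print the first value given for KEYWORD in FILE (case-insensitive, comments
# and blank lines skipped, nothing past a Match block considered), or DEFAULT
# when the keyword is absent. Assumes "keyword value" syntax.
sshd_x11_setting() {
    local val
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }            # assumption: ignore Match blocks
        tolower($1) == key { print tolower($2); exit }   # first value wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshd_x11_assessment FILE
# Classify the posture:
#   disabled        no proxy display is created (X11Forwarding not "yes")
#   localhost-only  proxy display bound to loopback (X11UseLocalhost default)
#   wildcard-bind   proxy display reachable from other hosts (X11UseLocalhost no)
sshd_x11_assessment() {
    local fwd lh
    fwd=$(sshd_x11_setting "$1" X11Forwarding no)
    lh=$(sshd_x11_setting "$1" X11UseLocalhost yes)
    if [ "$fwd" != "yes" ]; then
        echo "disabled"
    elif [ "$lh" = "yes" ]; then
        echo "localhost-only"
    else
        echo "wildcard-bind"
    fi
}

# write_sample_config LINE... : write a constructed config to a temp file,
# print its path (caller removes it).
write_sample_config() {
    local f
    f=$(mktemp)
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Demonstration on three constructed configs.
demo_x11_assessment() {
    local open strict bare
    open=$(write_sample_config "# constructed sample" "X11Forwarding yes" "X11UseLocalhost no")
    strict=$(write_sample_config "# constructed sample" "X11Forwarding yes")
    bare=$(write_sample_config "# constructed sample" "Port 22")
    echo "forwarding on, wildcard bind : $(sshd_x11_assessment "$open")"
    echo "forwarding on, loopback bind : $(sshd_x11_assessment "$strict")"
    echo "forwarding left at default   : $(sshd_x11_assessment "$bare")"
    rm -f "$open" "$strict" "$bare"
}

demo_x11_assessment
```

"localhost-only" matches the server-side assessment in the message above: the remaining exposure is the client's display, which the host's administrator can reach through the forwarded channel regardless of the bind address. An administrator who wants to protect clients rather than the server is the "disabled" case.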

