Re: [fw-wiz] X11 forwarding
From: Kevin Steves (email@example.com)
From: Kevin Steves <firstname.lastname@example.org>
To: Pierre Blanchet <Pierre.Blanchet@solsoft.fr>
Date: Tue Aug 27 15:22:01 2002
On Tue, Aug 27, 2002 at 10:46:19AM +0200, Pierre Blanchet wrote:
> On August 26 2002 at 9:51,
> Kevin Steves <email@example.com> wrote:
> > For OpenSSH, I was going to try to cover the issues somewhat by adding
> > this text. Note also, that by default, the proxy display no longer
> > listens on the wildcard address (see sshd X11UseLocalhost), which
> > closes a possible remote attack vector.
> If I understood you correctly, X11 forwarding is dangerous
> only from the client point of view (modulo unknown holes).
Correct, that is my current assessment. From a server implementation
standpoint (OpenSSH), X11 forwarding is largely a special case of TCP
forwarding. The authentication spoofing and authentication data
verification and substitution happen on the client side.
> i.e. I can safely enable X11 Forwarding on sshd, but should use
> ssh -X with caution (= i trust the remote admin).
Yes, and host security etc. You have extended the security perimeter
for your X11 display to that host (or hosts--don't forget about
chained ssh sessions).
However, the administrator may have a stance in which they want to
protect the clients, which can warrant an X11Forwarding=no.
--
Kevin Steves | firstname.lastname@example.org
Atomic Gears LLC | http://www.atomicgears.com/
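The two sshd options the thread turns on, X11Forwarding (whether the server will set up a proxy display at all) and X11UseLocalhost (whether that proxy display binds to loopback or to the wildcard address), are easy to get wrong in practice because sshd_config uses the first value it finds for a keyword and silently ignores later duplicates, so a hardening line appended to the end of the file may have no effect. The script below is an added example written for this page, not code from the thread or from OpenSSH: it reads an sshd_config with that first-match rule, stops at the first Match block, and classifies the server's X11 exposure. The helper names (sshd_effective, x11_assess) and the sample configs used to exercise it are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): classify the X11 exposure of
# an sshd_config. sshd applies the FIRST value seen for each keyword and
# ignores later duplicates; keywords are case-insensitive and both
# "Key value" and "Key=value" spellings are accepted. Settings inside a
# Match block are conditional, so parsing stops at the first Match line.
# Helper names below are this example's own, not OpenSSH names.

# sshd_effective KEYWORD FILE DEFAULT
#   Print the effective value of KEYWORD in FILE, or DEFAULT if it is never set.
sshd_effective() {
    keyword=$1; file=$2; default=$3
    value=$(awk -v k="$keyword" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments, blanks
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }   # stop at first Match block
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)           # normalise Key=value
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(k)) { print f[2]; exit }   # first wins
        }' "$file")
    printf '%s\n' "${value:-$default}"
}

# x11_assess FILE
#   Prints one of:
#     forwarding-off       X11Forwarding no: sshd never creates a proxy display,
#                          which is the stance that protects clients
#     forwarding-local     X11Forwarding yes, proxy display bound to loopback only
#     forwarding-wildcard  X11Forwarding yes and X11UseLocalhost no: the proxy
#                          display listens on all addresses (the remote vector
#                          the thread says X11UseLocalhost closes)
#   Defaults follow OpenSSH: X11Forwarding no, X11UseLocalhost yes.
x11_assess() {
    file=$1
    fwd=$(sshd_effective X11Forwarding "$file" no | tr 'A-Z' 'a-z')
    local_only=$(sshd_effective X11UseLocalhost "$file" yes | tr 'A-Z' 'a-z')
    case $fwd in
        yes)
            case $local_only in
                yes) echo forwarding-local ;;
                *)   echo forwarding-wildcard ;;
            esac ;;
        *)  echo forwarding-off ;;
    esac
}

# Usage: x11_assess /etc/ssh/sshd_config
```

On a live host, `sshd -T` prints the configuration sshd actually loaded (one keyword per line, duplicates already resolved), so `sshd -T | grep -i x11` is the quicker check when you have root; the parser above is for auditing config files offline. Note that the server-side setting only bounds what the server will do; the client-side risk the thread describes (a hostile or compromised remote host talking to your display) is controlled by whether you pass -X at all, not by anything in sshd_config.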