Re: [fw-wiz] X11 forwarding

From: Kevin Steves (
Date: 08/27/02

From: Kevin Steves <>
To: Pierre Blanchet <>
Date: Tue Aug 27 15:22:01 2002

On Tue, Aug 27, 2002 at 10:46:19AM +0200, Pierre Blanchet wrote:
> On August 26 2002 at 9:51,
> Kevin Steves <> wrote:
> > For OpenSSH, I was going to try to cover the issues somewhat by adding
> > this text. Note also, that by default, the proxy display no longer
> > listens on the wildcard address (see sshd X11UseLocalhost), which
> > closes a possible remote attack vector.
> If i understood you correctly, X11 Forwarding is dangerous
> only from the client point of view (modulo unknown holes).

Correct, that is my current assessment. From a server implementation
standpoint (OpenSSH), X11 forwarding is largely a special case of TCP
forwarding. The authentication spoofing and authentication data
verification and substitution happen on the client side.

> i.e. I can safely enable X11 Forwarding on sshd, but should use
> ssh -X with caution (= i trust the remote admin).

Yes, and host security etc. You have extended the security perimeter
for your X11 display to that host (or hosts--don't forget about
chained ssh sessions).

However, the administrator may have a stance in which they want to
protect the clients, which can warrant a X11Forwarding=no

Kevin Steves     |
Atomic Gears LLC |