Re: ssh and X11Forwarding

From: Jason Stone (freebsd-security_at_dfmm.org)
Date: 07/28/03

    Date: Mon, 28 Jul 2003 00:47:28 -0700 (PDT)
    To: Paul Chvostek <paul+fbsd@it.ca>
    
    


    > What has to be installed on a host for it to do X11Forwarding in SSH?

    > Does X have to be installed *on the firewall* for me to forward X11
    > connections from the X clients back to my workstation at home?

    Depends on how you're ssh'ing. If you're ssh'ing from your box to the
    firewall, and from the firewall to the target, then you'll need X support
    on all the boxes, yes.

    However, if you're doing the right thing and ssh'ing _through_ the
    firewall to the target host (e.g., with OpenSSH's ProxyCommand option, or
    with multiple ssh's and port forwards), then you only need X support on
    your machine and the target machine.

    I think that "X support" consists of xauth and whatever libraries are
    needed by the binary you want to run.

    The topically interesting part of this question is the issue of how you
    handle multiple ssh hops - I think that most people don't know about
    ProxyCommand, and when they have to ssh through multiple machines, they
    just go from one to the next to the next, which is bad, security-wise, not
    to mention less powerful. Is this worth a FAQ entry?

     -Jason

     --------------------------------------------------------------------------
     Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
     that he was insufficiently fondled when he was an infant.
            -- Ashley Montagu
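
The ProxyCommand setup described in the message above, written out as a client-side configuration. This is an added example, not part of the original post; the host aliases `fw` and `target` and the `example.org` names are hypothetical, and `ssh -W` assumes OpenSSH 5.4 or later on the workstation.

```sshconfig
# ~/.ssh/config on the workstation (constructed example, hypothetical hosts)

# The firewall acts only as a relay. It needs sshd, but no xauth or X
# libraries, and nothing is forwarded to it.
Host fw
    HostName fw.example.org
    ForwardX11 no
    ForwardAgent no

# The target is reached *through* the firewall. ProxyCommand starts a first
# ssh to fw whose only job is to connect its stdin/stdout to the target's
# SSH port (-W %h:%p). The second SSH session, including the X11 channel,
# then runs end to end between the workstation and the target, so fw only
# relays ciphertext and never holds the X11 cookie or the login credentials.
Host target
    HostName target.internal.example.org
    ProxyCommand ssh -W %h:%p fw
    ForwardX11 yes

# Requirements on the target only:
#   - xauth and the libraries the X client binary needs
#   - "X11Forwarding yes" in its sshd_config
#
# The hop-by-hop pattern this replaces, which needs X support on fw too and
# terminates the session (and the forwarded display) on the firewall:
#   workstation$ ssh -X fw
#   fw$          ssh -X target
```

With this in place, `ssh target` from the workstation opens the forwarded X11 session in one step, and the target's host key is verified by the workstation rather than by the firewall.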

