Re: Trusted and Untrusted X

From: Holger van Lengerich (list-secureshell_at_nospam.snakeoil.de)
Date: 06/08/05

    Date: Wed, 8 Jun 2005 22:07:19 +0200
    To: Don C Weber <dcweber@raytheond.com>
    
    


    > My understanding so far is that normally X forwarding is defaulted to
    > untrusted. This limits the capabilities of the user so that they cannot
    > easily gather information from other windows handled by the X server (i.e.
    > keystroke monitoring, etc.). By using the "-Y" option the user is now able
    > to access things normally protected by the X server. This is notably
    > necessary to use Perl/TK over these connections. I guess this is because
    > Perl/TK is making calls that are normally protected by the X server.
    >
    > My question is this. Is my description accurate?

    Yes.

    > Also, why would they
    > let the clientside handle this and not provide an option on the serverside
    > to control the access privileges of the incoming users?

    As you are trying to protect the X-Server on the SSH-clientside, the
    SSH-serverside has to be regarded as untrusted.

    > Are there other regular instances where trusted X is necessary?

    As you already pointed out, trusted X forwarding is necessary if you run X
    applications which won't work with untrusted X11 cookies.

    Some X11 applications may start normally with an untrusted X cookie, but will
    crash as soon as they try to access X resources not available to untrusted
    clients later.
    (E.g. an xterm with an untrusted cookie will crash if you try to cut'n'paste
    to and from it. - At least it did when I checked last year. ;-) )

    [BTW: For my GCIH practical I wrote a paper (http://snakeoil.de/gcih.pdf) about
    how trusted X11-Forwarding can easily be exploited to gain access to the
    SSH-clientside.]

    Regards,
    Holger
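
An added example, not part of the original message and not OpenSSH code: because the decision is made on the SSH client side, this Python checker reads an OpenSSH client configuration and reports whether X11 forwarding to a given host is off, untrusted or trusted. It assumes the upstream defaults `ForwardX11 no` and `ForwardX11Trusted no`, uses a constructed sample config with made-up host names, does not evaluate `Match` blocks, and cannot see `-X`/`-Y` given on the command line.

```python
import fnmatch
import re

# Constructed sample client configuration (host names are made up).
SAMPLE_CONFIG = """\
Host build-*.example.org
    ForwardX11 yes
    ForwardX11Trusted yes

Host legacy.example.org
    ForwardX11 yes

Host *
    ForwardX11 no
    ForwardX11Trusted no
"""

def parse_blocks(text):
    """Return [(host_patterns, {option: value})] in file order."""
    blocks = [(["*"], {})]          # options before any Host line apply to all hosts
    for raw in text.splitlines():
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:                   # blank line, comment, or keyword without a value
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":        # assumption: Match blocks are skipped, not evaluated
            blocks.append(([], {}))
        else:
            blocks[-1][1].setdefault(key, value.lower())
    return blocks

def host_matches(host, patterns):
    """A host matches if no negated (!) pattern hits and at least one positive one does."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    return not any(fnmatch.fnmatchcase(host, p) for p in neg) and \
        any(fnmatch.fnmatchcase(host, p) for p in pos)

def x11_mode(host, text):
    """Return 'off', 'untrusted' or 'trusted'; the first value obtained for an option wins."""
    eff = {}
    for patterns, opts in parse_blocks(text):
        if host_matches(host, patterns):
            for k, v in opts.items():
                eff.setdefault(k, v)
    if eff.get("forwardx11", "no") != "yes":
        return "off"
    return "trusted" if eff.get("forwardx11trusted", "no") == "yes" else "untrusted"
```

Hosts reported as `trusted` are the ones where a remote X client gets the full access described in the message above, so they are the entries worth reviewing first.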

