Re: Trusted and Untrusted X

From: Holger van Lengerich (list-secureshell_at_nospam.snakeoil.de)
Date: 06/08/05

  • Next message: Nathan Jackson: "Re: SSH.com client / OpenSSH server / RSA key auth"
    Date: Wed, 8 Jun 2005 22:07:19 +0200
    To: Don C Weber <dcweber@raytheond.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > My understanding so far is that normally X forwarding is defaulted to
    > untrusted. This limits the capabilities of the user so that they cannot
    > easily gather information from other windows handled by the X server (i.e.
    > keystroke monitoring, etc.). By using the "-Y" option the user is now able
    > to access things normally protected by the X server. This is notably
    > necessary to use Perl/TK over these connections. I guess this is because
    > Perl/TK is making calls that are normally protected by the X server.
    >
    > My question is this. Is my description accurate?

    Yes.

    > Also, why would they
    > let the clientside handle this and not provide an option on the serverside
    > to control the access privileges of the incoming users?

    As you are trying to protect the X-Server on the SSH-clientside, the
    SSH-serverside has to be regarded as untrusted.

    > Are there other regular instances where trusted X is necessary?

    As you pointed out already trusted X forwarding is necessary if you run X
    applications which won't work with untrusted X11 cookies.

    Some X11 applications may start normally with an untrusted X cookie, but will
    crash as soon as they try to access X resources not available to untrusted
    clients later.
    (E.g. an xterm with an untrusted cookie will crash if you try to cut'n'paste
    to and from it. - At least it did when I checked last year. ;-) )

    [BTW: For my GCIH practical I wrote a paper (http://snakeoil.de/gcih.pdf) about
    how trusted X11-Forwarding can easily be exploited to gain access to the
    SSH-clientside.]

    Regards,
    Holger
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (GNU/Linux)

    iD8DBQFCp0/3YEHA5g01Z74RApOWAKCkmCI0O3YgwgvSbJb25ukn8XIUgACeJWf8
    370xfMaf++VPvSarAsOTzHw=
    =x9HP
    -----END PGP SIGNATURE-----


  • Next message: Nathan Jackson: "Re: SSH.com client / OpenSSH server / RSA key auth"