Re: Partial SNAFUs - X11Forwarding etc.



Responding to Per Hedeland...
In article <K8yNi.257480$xp6.234001@xxxxxxxxxxxxxxxxxxxxxxxxx> Mike
<Not@xxxxxxxxxxx> writes:

Just got that ForwardX11Trusted thing to work around now.

I may have got this wrong but, is the idea behind not allowing
ForwardX11Trusted to prevent security issues between those logging in
to the base server machine via SSH, or is it also supposed to protect
against problems coming in to the base server machine and getting
back "up the line" to the client machine(s)?

If it's just to stop clients messing around with each other's stuff,
then that's not a problem here as it's a home network. If it's to
protect clients from problems the base server itself might incur,
then that would be another story.

If it is indeed to protect the clients from the server, then it
probably would be a good idea to work toward running things without
it enabled.

Well, terminology gets a bit confused with X11 since the server is local
and the client remote,

Yup. I'd noticed that. And the man page(s) seems to switch focus too.

....but reading your last line as "protect the ssh
client (host) from the ssh server (host)", the answer is "yes". I.e. if
the ssh server host is compromised or otherwise untrustworthy, programs
there can connect to your X11 server via the SSH forwarding and
potentially do very evil things, e.g. read the contents of your (other)
windows, eavesdrop on keypress events directed to other windows, or even
generate keypress (or mouse-button) events directed at other windows.
"Potentially" because IIRC, at least some of those things can be
prevented by the applications owning those other windows - but who knows
if they do that...

Good point, seeing as things like Firefox are not GNU, and therefore
not properly "reviewed" with regard to security and "appropriate"
behaviour (plus, the direct connection to AOL/Time/Warner cannot be
dismissed with ease). I'm thinking here that with ForwardX11Trusted
set to yes, the client running it over SSH is vulnerable to Firefox
security holes and exploits, as if they had it running on the client
machine directly. Other apps may also have the potential to become a
channel into the client machine, and NOT using ForwardX11Trusted is a
way to significantly limit that potential route back to the client.


Currently getting this:


$ ssh -X username@P2 firefox
The program 'firefox-bin' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAtom (invalid Atom parameter)'.

If you get stuff like that, you only have two choices AFAIK - use -Y or
refrain from running the program via ssh X11 forwarding - there's no
"workaround". My experience is that without -Y, the set of X11 clients
that can run at all is pretty limited, and among those, their
functionality is quite restricted - e.g. you can't even *intentionally*
paste text from other windows into them, and I think I've come across
clients that keel over and die if you try.

The only option I'm seeing here is to work on each desired app to
find a workaround to the apps problems with being called via SSH. For
instance, both Opera and Dillo complain without the -Y flag, but do
function acceptably. Firefox just kicks out a stroppy error message
and refuses to play. If Firefox, for example, could be cajoled into
accepting a pseudo process on the server it lives on, then the SSH
client could benefit from having "fooled it".


Q: How to get things to work without the -Y flag?

I think the best way to go is what I mentioned earlier, use it for
"trusted" hosts only, most conveniently via $HOME/.ssh/config - e.g. if
you are reasonably sure that there is no evil stuff on P2, you can put
this in $HOME/.ssh/config:

I'm as reasonably sure as one can be with a machine connected directly
to a broadband modem. IOW, a pretty restrictive firewall and a huge
/etc/hosts file with all kinds of addresses linked to 127.0.0.1

It would be nice to know that if something managed to sneak into P2,
then there would be at least some form of restriction on just how far
up the SSH connection it could reach, and that restriction seems to
be not to use ForwardX11Trusted.

My next project, therefore, is going to be trying to fool P2's
Firefox into thinking everything is happening on the P2 SSH server
machine.


(Thinks: Maybe I should start with Dillo? ;)

--
Yellow Submarine?
Nah. Its a TeaPot!
www.tinyurl.com/382gmp
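A per-host version of the $HOME/.ssh/config approach Per describes, written here as an added example (the snippet is not from either poster); the host name P2 is taken from the thread, and the comments note the first-match ordering rule ssh_config uses:

```ssh_config
# ~/.ssh/config  (constructed example; "P2" is the host named in the thread)
#
# ssh reads the matching Host blocks top to bottom and keeps the FIRST
# value it finds for each option, so the specific block must come
# before the "Host *" catch-all or it has no effect.

Host P2
    # Trusted forwarding: remote X11 clients get an unrestricted
    # connection to the local X server, the same as "ssh -Y P2".
    # Because the option is set here, plain "ssh -X P2" is trusted too.
    # Only for a host you would trust with your whole desktop: any
    # process there can read other windows and synthesise key/mouse events.
    ForwardX11 yes
    ForwardX11Trusted yes

Host *
    # Everyone else: forwarding off unless asked for with -X, and even
    # then untrusted, so remote clients run under the X SECURITY
    # extension's limits (no access to other windows' contents, no
    # clipboard paste); some clients fail outright under those limits,
    # as with the BadAtom error above.  An explicit -Y on the command
    # line still overrides this for a one-off session.
    ForwardX11 no
    ForwardX11Trusted no
```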