Re: Partial SNAFUs - X11Forwarding etc.
- From: per@xxxxxxxxxxxx (Per Hedeland)
- Date: Sat, 6 Oct 2007 14:11:34 +0000 (UTC)
In article <x7MNi.257672$xp6.221608@xxxxxxxxxxxxxxxxxxxxxxxxx> Mike
<Not@xxxxxxxxxxx> writes:
> I'm thinking here that with ForwardX11Trusted
> set to yes, the client running it over SSH is vulnerable to Firefox
> security holes and exploits, as if they had it running on the client
> machine directly.
I'm not sure I follow you here, but anyway the problem that the
ForwardX11Trusted disabling is addressing isn't with the clients you run
via the X11 forwarding, but rather with *other* clients that are
displaying on the same X11 server. I.e. the evil things would use the
X11 tunnel "itself" to spy on or manipulate those other clients -
doesn't matter if you have *any* clients using the tunnel as long as it's
there. Of course the tunnel could also be used to attack clients that
*are* running via the tunnel, but if the assumption is that the remote
host is compromised, there are more direct ways to attack those clients
anyway.
> The only option I'm seeing here is to work on each desired app to
> find a workaround to the app's problems with being called via SSH. For
> instance, both Opera and Dillo complain without the -Y flag, but do
> function acceptably. Firefox just kicks out a stroppy error message
> and refuses to play. If Firefox, for example, could be cajoled into
> accepting a pseudo process on the server it lives on, then the SSH
> client could benefit from having "fooled it".
No, it's not Firefox that is unhappy specifically with being pointed to
a ssh X11 tunnel, it's ssh that is preventing certain X11 protocol
messages from getting through the tunnel. If you use some kind of X11
proxy on the remote host, Firefox won't care one way or the other, but
the proxy will still end up trying to forward those protocol messages
through the tunnel and fail. Well, in theory you could have something
that wasn't just a proxy, and fooled Firefox into believing that the X11
request succeeded, but that can get arbitrarily complex, since that
first lie will likely require more and more follow-on lies...
...and then you basically end up implementing a virtual X11 server, but
others have already done that, and in fact that may *be* a workaround -
i.e. you simply don't forward the X11 protocol at all. You could e.g.
run Firefox under Xvnc, and then make a "forward" vnc connection via ssh
port forwarding to interact with it. (I've periodically made extensive
use of this technique, with other clients and for other reasons.)
And of course you could run Firefox locally and tell it to use the
builtin SOCKS server a.k.a. "dynamic forwarding" in the ssh client, if
your problem is that you can't get a direct Internet connection from the
client host.
--Per Hedeland
per@xxxxxxxxxxxx
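An added example, not part of Per's or Mike's posts: a small POSIX shell script that checks which X11 forwarding mode a given `Host` block in an ssh_config fragment would give you (`-X` corresponds to `ForwardX11Trusted no`, `-Y` to `yes`; stock OpenSSH defaults `ForwardX11Trusted` to `no`, while some distributions, Debian among them, ship a default of `yes` in /etc/ssh/ssh_config), and builds the two non-X11 alternatives the reply describes: a `-L` port forward to a remote Xvnc and a `-D` dynamic (SOCKS) forward for a locally run browser. The host names, the sample config and the function names are constructed for the example; the simple parser only understands literal `Host` names, not patterns or `Match` blocks.

```shell
#!/bin/sh
# Added example; not code from the original thread. Host names are placeholders.

# Constructed ssh_config fragment: one untrusted-X11 host, one trusted-X11
# host, one host with no X11 forwarding at all.
SAMPLE_SSH_CONFIG='
Host workhost
    HostName work.example.invalid
    ForwardX11 yes
    ForwardX11Trusted no

Host labhost
    HostName lab.example.invalid
    ForwardX11 yes
    ForwardX11Trusted yes

Host plainhost
    HostName plain.example.invalid
'

# x11_mode <host>  (config text on stdin)
# Prints "off", "untrusted" or "trusted" for the named Host block, using the
# stock OpenSSH defaults (ForwardX11 no, ForwardX11Trusted no). Only literal
# Host names are matched; wildcard Host patterns and Match blocks are ignored,
# so a real audit should also look at the global section of the file.
x11_mode() {
    awk -v want="$1" '
        tolower($1) == "host" { inblock = ($2 == want); next }
        inblock && tolower($1) == "forwardx11"        { fwd = tolower($2) }
        inblock && tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# vnc_forward_cmd <host> <display>
# Builds the client-side command for the Xvnc alternative: display N listens
# on TCP port 5900+N on the remote host, and the -L forward makes it reachable
# as localhost:5900+N here, so a local VNC viewer can use it and no X11
# protocol crosses the tunnel. Assumes the remote Xvnc was started bound to
# loopback only (e.g. "Xvnc :1 -localhost" with TigerVNC), so the port is
# reachable solely through the forward.
vnc_forward_cmd() {
    port=$((5900 + $2))
    printf 'ssh -N -L %s:localhost:%s %s\n' "$port" "$port" "$1"
}

# socks_forward_cmd <host> <port>
# Builds the dynamic-forwarding command: the ssh client exposes a SOCKS proxy
# on 127.0.0.1:<port>, and a locally running Firefox is pointed at it, so the
# browser never needs a display on the remote host at all.
socks_forward_cmd() {
    printf 'ssh -N -D 127.0.0.1:%s %s\n' "$2" "$1"
}

# Sample run: show the mode of each constructed host and the two commands.
for h in workhost labhost plainhost; do
    printf '%s: %s\n' "$h" "$(printf '%s\n' "$SAMPLE_SSH_CONFIG" | x11_mode "$h")"
done
vnc_forward_cmd labhost 1
socks_forward_cmd labhost 1080
```

Run it against a real file with `x11_mode somehost < ~/.ssh/config`; anything that reports `trusted` is a host whose sshd-side processes get an unrestricted connection to your local X server, which is exactly the exposure the reply describes.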