Bugtraq mailing list archives
Re: SSH & xauth
From: lionel.cons () CERN CH (Lionel Cons)
Date: Mon, 28 Feb 2000 09:33:07 +0100
Robert Watson writes:
[...] If you search back a few years in the bugtraq archives, you'll see that one suggestion for dealing with this, and still allowing X11 forwarding from untrusted clients, is to use the Xnest server, limiting access by the ssh client to that DISPLAY. [...]
This is one possibility but you have to understand how X11 works and probably also enable and configure the X11 security extension. You may want to have a look at /usr/X11R6/lib/X11/xserver/SecurityPolicy (or similar path).

Another possibility is to use an X11 connection proxy with filtering capabilities like the one I wrote, see: http://home.cern.ch/~cons/mxconns

With mxconns, you can detect a great number of "hostile" X11 requests before they reach your X server. I use it daily to filter what comes out of the SSH X11 proxies that I use...

________________________________________________________
Lionel Cons http://home.cern.ch/~cons
CERN http://www.cern.ch

Instruction Booklet Governing Principle: Instruction booklets are lost by the Goods Delivery Service. If not, they are listed in four languages: Japanese, Thai, Swahili and Moghol.