Bugtraq mailing list archives
Re: SSH & xauth
From: lionel.cons () CERN CH (Lionel Cons)
Date: Mon, 28 Feb 2000 09:33:07 +0100
Robert Watson writes:
[...] If you search back a few years in the bugtraq archives, you'll see that one suggestion for dealing with this, and still allowing X11 forwarding from untrusted clients, is to use the Xnest server, limiting access by the ssh client to that DISPLAY. [...]
This is one possibility but you have to understand how X11 works and
probably also enable and configure the X11 security extension. You may
want to have a look at /usr/X11R6/lib/X11/xserver/SecurityPolicy (or
similar path).
Another possibility is to use an X11 connection proxy with filtering
capabilities like the one I wrote, see:
http://home.cern.ch/~cons/mxconns
With mxconns, you can detect a great number of "hostile" X11 requests
before they reach your X server. I use it daily to filter what comes
out of the SSH X11 proxies that I use...
________________________________________________________
Lionel Cons http://home.cern.ch/~cons
CERN http://www.cern.ch
Instruction Booklet Governing Principle:
Instruction booklets are lost by the Goods Delivery Service. If not,
they are listed in four languages: Japanese, Thai, Swahili and Moghol.
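The kind of request filtering the message describes, sketched as an added example: this is not part of the original post and is not mxconns' code. The set of flagged opcodes is this example's own policy choice, and the byte stream is constructed sample data.

```python
import struct

# Core-protocol request opcodes (from the X11 protocol specification) that give
# a client access to other clients' input or screen contents. Flagging exactly
# these four is an assumption of this example, not mxconns' rule set.
SENSITIVE = {25: "SendEvent", 31: "GrabKeyboard", 44: "QueryKeymap", 73: "GetImage"}

def pad4(n):
    """Round n up to the 4-byte boundary X11 uses for variable-length fields."""
    return (n + 3) & ~3

def scan_client_stream(data):
    """Return (offset, name) for each sensitive request in a client-to-server stream."""
    if len(data) < 12 or data[0:1] not in (b"B", b"l"):
        raise ValueError("not an X11 connection setup")
    end = ">" if data[0:1] == b"B" else "<"      # the client announces its byte order
    name_len, auth_len = struct.unpack_from(end + "HH", data, 6)
    pos = 12 + pad4(name_len) + pad4(auth_len)   # skip the setup block and auth data
    hits = []
    while pos + 4 <= len(data):
        opcode, _, units = struct.unpack_from(end + "BBH", data, pos)
        if units == 0:   # extended (BIG-REQUESTS) length or garbage: flag it and stop
            hits.append((pos, "unparseable-length"))
            break
        if opcode in SENSITIVE:
            hits.append((pos, SENSITIVE[opcode]))
        pos += 4 * units                         # request length is in 4-byte units
    return hits

def sample_stream(end="<"):
    """Constructed sample: setup, GetInputFocus, QueryKeymap, GetImage, NoOperation."""
    setup = (b"l" if end == "<" else b"B") + b"\0"
    setup += struct.pack(end + "HHHHH", 11, 0, 18, 16, 0)
    setup += b"MIT-MAGIC-COOKIE-1\0\0" + bytes(16)   # all-zero placeholder cookie
    reqs = struct.pack(end + "BBH", 43, 0, 1)        # GetInputFocus (not flagged)
    reqs += struct.pack(end + "BBH", 44, 0, 1)       # QueryKeymap
    reqs += struct.pack(end + "BBHIhhHHI", 73, 2, 5, 0x25, 0, 0, 1024, 768, 0xFFFFFFFF)
    reqs += struct.pack(end + "BBH", 127, 0, 1)      # NoOperation (not flagged)
    return setup + reqs

if __name__ == "__main__":
    for offset, name in scan_client_stream(sample_stream()):
        print(f"offset {offset}: {name}")
```

Extension requests (opcodes 128 and above) are not classified here, because their meaning depends on the extensions the server advertises at run time.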
