Re: X11 forwarding

[Brian Hatch <firewall-wizards () ifokr org>]

> How much of a security problem is X11 forwarding?  I see CERT recommends 
> using a version that allows this to be turned off, but doesn't specifically 
> recommend that X11 forwarding be disabled.

Say you connect from your machine running X11 with:

        jdoe@home$ ssh -X remote_server
        remote_server password:
        jdoe@remote_server$


Then you can display X11 apps on your home machine that start on the
remote server: 

        jdoe@remote_server$ echo $DISPLAY
        :10.0
        jdoe@remote_server$ xclock
        (display appears on your desktop)

By setting the correct enviroment variables, root can do this too:

        root@remote_server# export HOME=/home/jdoe
        root@remote_server# export DISPLAY=:10.0
                            (replace with correct display number)
        root@remote_server# xclock
        (display appears on your desktop)

The problem is that X11 gives much more access than just popping
windows on your screen, such as snagging every event (mouse click,
keypress, etc) on your X11 desotkop.  If you don't trust root on
remote_server, then you shouldn't allow X11 forwarding to it.

        root@remote_server# xwd -root > jdoe.screenshot.xwd
        root@remote_server# xkey
        (whatever user types appears here...)




--
Brian Hatch                  I admire your bad
   Systems and                qualities and I
   Security Engineer          wouldn't have you
www.buildinglinuxvpns.net     part with a single one

Every message PGP signed

Attachment: _bin
Description: