Firewall Wizards mailing list archives

Re: X11 forwarding


From: Kevin Steves <kevin () atomicgears com>
Date: Mon, 26 Aug 2002 09:51:58 -0700

On Fri, Aug 23, 2002 at 10:07:21AM -0700, hermit921 wrote:
> How much of a security problem is X11 forwarding?  I see CERT recommends
> using a version that allows this to be turned off, but doesn't specifically
> recommend that X11 forwarding be disabled.

For OpenSSH, I was going to try to cover the issues somewhat by adding
this text.  Note also, that by default, the proxy display no longer
listens on the wildcard address (see sshd X11UseLocalhost), which
closes a possible remote attack vector.

Index: ssh_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
retrieving revision 1.1
diff -u -r1.1 ssh_config.5
--- ssh_config.5        20 Jun 2002 19:56:07 -0000      1.1
+++ ssh_config.5        17 Aug 2002 20:42:50 -0000
@@ -252,6 +252,13 @@
 .Dq no .
 The default is
 .Dq no .
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and
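Review bot: the new ForwardAgent paragraph has a comma splice in "An attacker cannot obtain key material from the agent, however they can perform operations on the keys"; split it, e.g. "An attacker cannot obtain key material from the agent. They can, however, sign with the keys, which lets them authenticate as any identity loaded into the agent." It would also help the reader to say who "users with the ability to bypass file permissions on the remote host" are in practice (the superuser on that host), since that is the threat the paragraph is warning about.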
@@ -263,6 +270,12 @@
 .Dq no .
 The default is
 .Dq no .
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.
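Review bot: in the ForwardX11 paragraph, "can access the local X11 display" is the real consequence and "activities such as keystroke monitoring" then reads as if it were the limit; consider stating the general case (anything the user's own clients could do on that display) before giving keystroke monitoring as the example. Naming the "X authorization database" concretely (the xauth file sshd writes for the forwarded display) would also make the "bypass file permissions" condition easier to verify. Finally, the cover note relies on sshd's X11UseLocalhost closing the remote vector, but this is the client man page; a cross reference to sshd_config(5) X11UseLocalhost would let the reader see both halves of the story.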
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
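An added example (not part of the post above and not OpenSSH code): a POSIX shell audit for the four keywords this thread touches, ForwardAgent and ForwardX11 in ssh_config and X11Forwarding and X11UseLocalhost in sshd_config. It applies the OpenSSH parsing rules that matter for such an audit (keywords are case-insensitive, `Keyword value` and `Keyword=value` are both accepted, and the first value obtained for a keyword wins) and assumes that only the global section is audited, so parsing stops at the first `Host` or `Match` line. A keyword that is absent is taken to have the recommended value, which matches the defaults quoted in the patch context (ForwardAgent and ForwardX11 default to no) and the X11UseLocalhost default the post mentions; the X11Forwarding default of no is assumed here. The sample configs are constructed for the demo, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the post or from OpenSSH: audit the forwarding
# keywords discussed in the thread in an ssh_config or sshd_config.
# OpenSSH rules applied: keywords are case-insensitive, "Keyword value" and
# "Keyword=value" are both accepted, and the FIRST value obtained for a
# keyword wins. Assumption: only the global section is audited, so parsing
# stops at the first Host or Match line.

# ssh_get_option FILE KEYWORD DEFAULT -> prints the effective value, lowercased
ssh_get_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { gsub(/=/, " "); k = tolower($1) }      # normalise Keyword=value
        k == "host" || k == "match" { exit }     # end of the global section
        k == key { print tolower($2); found = 1; exit }   # first value wins
        END { if (!found) print tolower(def) }   # absent: compiled-in default
    ' "$1"
}

# ssh_audit FILE Keyword=expected ... -> one WEAK line per mismatch, returns 1
# if any. An absent keyword is taken to equal the expected value, which holds
# for the four keywords in this thread (assumed defaults: ForwardAgent no,
# ForwardX11 no, X11Forwarding no, X11UseLocalhost yes).
ssh_audit() {
    file=$1; shift
    rc=0
    for spec in "$@"; do
        key=${spec%%=*}
        want=$(printf '%s' "${spec#*=}" | tr 'A-Z' 'a-z')
        got=$(ssh_get_option "$file" "$key" "$want")
        if [ "$got" != "$want" ]; then
            echo "WEAK: $key is '$got' in $file (recommended: $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real files) to exercise the audit.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# sshd on a bastion: X11 forwarding on and the proxy display exposed
X11Forwarding yes
X11UseLocalhost no
# the second X11UseLocalhost is ignored: OpenSSH keeps the first value
X11UseLocalhost yes
EOF
cat > "$demo_dir/ssh_config" <<'EOF'
ForwardAgent=yes
Host internal.example
# inside a Host block, so outside the global audit
    ForwardX11 yes
EOF

# Expected: X11Forwarding and X11UseLocalhost flagged in sshd_config,
# ForwardAgent flagged in ssh_config, ForwardX11 not flagged.
ssh_audit "$demo_dir/sshd_config" X11Forwarding=no X11UseLocalhost=yes || :
ssh_audit "$demo_dir/ssh_config"  ForwardAgent=no  ForwardX11=no       || :
rm -rf "$demo_dir"
```

The audit reports ForwardX11 as fine for the second file even though a `Host` block turns it on; that is the global-section assumption showing, and a per-host audit would need to track the active `Host` pattern rather than stop at it.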