Firewall Wizards mailing list archives
Re: X11 forwarding
From: Kevin Steves <kevin () atomicgears com>
Date: Mon, 26 Aug 2002 09:51:58 -0700
On Fri, Aug 23, 2002 at 10:07:21AM -0700, hermit921 wrote:
How much of a security problem is X11 forwarding? I see CERT recommends using a version that allows this to be turned off, but doesn't specifically recommend that X11 forwarding be disabled.
For OpenSSH, I was going to try to cover the issues somewhat by adding this text. Note also that, by default, the proxy display no longer listens on the wildcard address (see sshd X11UseLocalhost), which closes a possible remote attack vector.

Index: ssh_config.5 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v retrieving revision 1.1 diff -u -r1.1 ssh_config.5 --- ssh_config.5 20 Jun 2002 19:56:07 -0000 1.1 +++ ssh_config.5 17 Aug 2002 20:42:50 -0000 @@ -252,6 +252,13 @@ .Dq no . The default is .Dq no . +.Pp +Agent forwarding should be enabled with caution. Users with the +ability to bypass file permissions on the remote host (for the agent's +Unix-domain socket) can access the local agent through the forwarded +connection. An attacker cannot obtain key material from the agent, +however they can perform operations on the keys that enable them to +authenticate using the identities loaded into the agent. .It Cm ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and @@ -263,6 +270,12 @@ .Dq no . The default is .Dq no . +.Pp +X11 forwarding should be enabled with caution. Users with the ability +to bypass file permissions on the remote host (for the user's X +authorization database) can access the local X11 display through the +forwarded connection. An attacker may then be able to perform +activities such as keystroke monitoring. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports.
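Review bot: the ForwardAgent hunk's sentence "An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate" is a comma splice; suggest "An attacker cannot obtain key material from the agent, but can perform operations on the keys that enable them to authenticate using the identities loaded into the agent." It would also help to say plainly that this access lasts for as long as the forwarded connection exists and covers every identity loaded into the agent, which is the practical reason to load only the keys a session needs.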
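Review bot: the ForwardX11 hunk names the consequence (keystroke monitoring) but not the server-side control that the cover text relies on; since the caveat only holds when the proxy display is reachable solely through the forwarded connection, suggest a cross-reference such as "See also the X11Forwarding and X11UseLocalhost options in sshd_config(5)" so a reader of the client page knows the wildcard-listener vector is governed on the server. The hunk header arithmetic is consistent (the second hunk's +270 reflects the seven lines added by the first).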
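As an added audit helper (not from the original message or from OpenSSH), this checks the mitigation mentioned above: with X11UseLocalhost, sshd's proxy displays on the remote host should be bound only to loopback, so any forwarded display that shows up on the wildcard address is worth flagging. It assumes listener lines in the LOCAL_ADDR:PORT shape of the Local Address column of netstat -ltn / ss -ltn output, and the default X11DisplayOffset of 10 (proxy displays on TCP 6010-6063).

```shell
#!/bin/sh
# Added audit helper: flag sshd X11 proxy displays whose TCP listener is
# bound to the wildcard address instead of loopback. With X11UseLocalhost
# (the default) every forwarded display should appear bound to 127.0.0.1
# or ::1; a wildcard binding means any host that can reach the port can
# try the display, not just clients of the forwarded connection.
#
# Assumptions: input is one "LOCAL_ADDR:PORT" per line, the shape of the
# Local Address column in "netstat -ltn" / "ss -ltn" output, and the
# default X11DisplayOffset of 10, so proxy displays use TCP 6010-6063.

x11_wildcard_listeners() {
    # Reads listener sockets from stdin, prints each offending socket,
    # returns 0 when none is found and 1 otherwise.
    found=0
    while IFS= read -r sock; do
        addr=${sock%:*}          # everything before the last colon
        port=${sock##*:}         # everything after the last colon
        case "$port" in
            ''|*[!0-9]*) continue ;;   # skip headers and malformed lines
        esac
        # Only the X11 proxy display range is of interest here.
        [ "$port" -ge 6010 ] && [ "$port" -le 6063 ] || continue
        case "$addr" in
            0.0.0.0|'*'|::|'[::]') echo "$sock"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample listener table (not captured output): display :10
# bound to loopback, :11 and :12 bound to the wildcard, plus sshd itself.
sample_listeners='127.0.0.1:6010
0.0.0.0:6011
:::6012
0.0.0.0:22'

printf '%s\n' "$sample_listeners" | x11_wildcard_listeners \
    || echo "wildcard-bound X11 proxy listener(s) found"
```

On a real host, pipe the address column of the live listener table into the function instead of the constructed sample; a non-zero exit status means X11UseLocalhost is not doing what the caveat assumes.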