Firewall Wizards mailing list archives
Re: X11 forwarding
From: Kevin Steves <kevin () atomicgears com>
Date: Tue, 27 Aug 2002 11:09:11 -0700
On Tue, Aug 27, 2002 at 10:46:19AM +0200, Pierre Blanchet wrote:
> On August 26 2002 at 9:51, Kevin Steves <kevin () atomicgears com> wrote:
>> For OpenSSH, I was going to try to cover the issues somewhat by adding this text. Note also, that by default, the proxy display no longer listens on the wildcard address (see sshd X11UseLocalhost), which closes a possible remote attack vector.
>
> If I understood you correctly, X11 Forwarding is dangerous only from the client point of view (modulo unknown holes).

Correct, that is my current assessment. From a server implementation standpoint (OpenSSH), X11 forwarding is largely a special case of TCP forwarding. The authentication spoofing and authentication data verification and substitution happen on the client side.

> i.e. I can safely enable X11 Forwarding on sshd, but should use ssh -X with caution (= I trust the remote admin).

Yes, and host security etc. You have extended the security perimeter for your X11 display to that host (or hosts--don't forget about chained ssh sessions). However, the administrator may have a stance in which they want to protect the clients, which can warrant an X11Forwarding=no configuration.

--
Kevin Steves | kevin () atomicgears com
Atomic Gears LLC | http://www.atomicgears.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
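
An added example, not part of the original message or of OpenSSH: a small Python audit of the settings this thread discusses, covering the server side (X11Forwarding, X11UseLocalhost) and the client side (ForwardX11, the ssh_config counterpart of ssh -X). The function names and sample configurations are constructed for illustration, and the defaults assumed are X11Forwarding no and X11UseLocalhost yes.

```python
import re

def parse(text):
    """Yield (scope, keyword, value); scope is None before any Host/Match line."""
    scope = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # OpenSSH accepts "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            scope = val if key == "host" else "match " + val
            continue
        yield scope, key, val

def audit_sshd(text):
    """Findings for the global section of an sshd_config (first value wins)."""
    opts = {}
    for scope, key, val in parse(text):
        if scope is None:
            opts.setdefault(key, val.lower())
    findings = []
    if opts.get("x11forwarding", "no") == "yes":  # assumed default: no
        findings.append("X11Forwarding yes: clients using ssh -X extend "
                        "their display's security perimeter to this host")
        if opts.get("x11uselocalhost", "yes") == "no":  # assumed default: yes
            findings.append("X11UseLocalhost no: proxy display listens on "
                            "the wildcard address")
    return findings

def audit_ssh_client(text):
    """Host patterns in an ssh_config that enable ForwardX11 ('*' = global)."""
    return [scope or "*" for scope, key, val in parse(text)
            if key == "forwardx11" and val.lower() == "yes"]

# Constructed sample configurations, not taken from the thread
SSHD_SAMPLE = """X11Forwarding yes
X11UseLocalhost no
Match User builder
    X11Forwarding no
"""
CLIENT_SAMPLE = """Host build.example.org
    ForwardX11 yes
Host *
    ForwardX11 no
"""

if __name__ == "__main__":
    print(audit_sshd(SSHD_SAMPLE), audit_ssh_client(CLIENT_SAMPLE))
```

Each Host entry reported by audit_ssh_client is a machine whose administrator and host security the X11 display now depends on.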