Firewall Wizards mailing list archives

Re: X11 forwarding


From: Kevin Steves <kevin () atomicgears com>
Date: Tue, 27 Aug 2002 11:09:11 -0700

On Tue, Aug 27, 2002 at 10:46:19AM +0200, Pierre Blanchet wrote:
> On August 26 2002 at 9:51, Kevin Steves <kevin () atomicgears com> wrote:
> > For OpenSSH, I was going to try to cover the issues somewhat by adding
> > this text.  Note also, that by default, the proxy display no longer
> > listens on the wildcard address (see sshd X11UseLocalhost), which
> > closes a possible remote attack vector.
>
> If I understood you correctly, X11 Forwarding is dangerous
> only from the client point of view (modulo unknown holes).

Correct, that is my current assessment.  From a server implementation
standpoint (OpenSSH), X11 forwarding is largely a special case of TCP
forwarding.  The authentication spoofing and authentication data
verification and substitution happen on the client side.

> i.e. I can safely enable X11 Forwarding on sshd, but should use
> ssh -X with caution (= I trust the remote admin).

Yes, and host security etc.  You have extended the security perimeter
for your X11 display to that host (or hosts--don't forget about
chained ssh sessions).

However, the administrator may have a stance in which they want to
protect the clients, which can warrant a X11Forwarding=no
configuration.

-- 
Kevin Steves     | kevin () atomicgears com
Atomic Gears LLC | http://www.atomicgears.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
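The two sshd directives the thread turns on, X11Forwarding and X11UseLocalhost, can be checked with a small audit script. This is an added example, not code from the thread or from OpenSSH; it assumes the OpenSSH defaults (X11Forwarding no, X11UseLocalhost yes), that sshd honours the first uncommented occurrence of a keyword, and it ignores Match blocks.

```shell
#!/bin/sh
# Added audit helper (not from the thread): report the effective sshd
# X11 settings and flag the combination Kevin warns about, where the
# proxy display listens on the wildcard address.  Assumptions: OpenSSH
# defaults X11Forwarding=no and X11UseLocalhost=yes; sshd uses the first
# uncommented occurrence of a keyword; "key value" and "key=value" forms
# are both accepted; Match blocks are not handled.

# sshd_x11_value FILE KEYWORD DEFAULT -> prints the effective value, lowercased
sshd_x11_value() {
    awk -v key="$2" -v def="$3" '
        { gsub(/=/, " ") }                     # accept key=value form
        tolower($1) == tolower(key) && !seen { v = tolower($2); seen = 1 }
        END { print (seen ? v : tolower(def)) }
    ' "$1"
}

# audit_x11 FILE -> returns 0 when the proxy display is not exposed
# remotely, 1 when X11Forwarding is on and X11UseLocalhost is off.
audit_x11() {
    fwd=$(sshd_x11_value "$1" X11Forwarding no)
    local_only=$(sshd_x11_value "$1" X11UseLocalhost yes)
    echo "$1: X11Forwarding=$fwd X11UseLocalhost=$local_only"
    if [ "$fwd" = yes ] && [ "$local_only" = no ]; then
        echo "  WARNING: proxy display bound to wildcard address; set X11UseLocalhost yes"
        return 1
    fi
    return 0
}

# Usage: sh x11audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_x11 "$1"
fi
```

A commented-out directive such as "# X11UseLocalhost no" is ignored, so the default applies; the script reports what sshd would actually use.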