Bugtraq mailing list archives

Re: SSH & xauth

From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Fri, 25 Feb 2000 14:17:26 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All children of the SSH connection are able to tunnel X11 sessions
through the X tunnel to the client X11 session.  This is
accomplished by running xauth upon logging in.


I'm really suprised this is still the default.  I've heard mention of
this at least 4 years ago, and have seen trojaned SSH servers around
_since then_ that do logging of client X11 keystrokes - probably the
best place to accomplish this.  The problem seems to be that the
authors have not figured out that this isn't a good default, perhaps
for convenience's sake.  This suprises me, since people DO know about
this.  I think the argument is really convenience vs. security (well,
thats always the argument isn't it?).

alias ssh="ssh -x"

- - Oliver

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOLb+Bcm4FXxxREdXEQJjLACgoGiRtmw83fuRGq45uCH2sEq0A4EAnRdx
10/rEK4mQWSWQOXdgu+iWp3D
=/XuK
-----END PGP SIGNATURE-----

Current thread:

Re: SSH & xauth, (continued)
- Re: SSH & xauth David Terrell (Feb 25)
- Re: SSH & xauth Robert Watson (Feb 25)
  - Re: SSH & xauth Lionel Cons (Feb 28)
- Re: SSH & xauth David Pybus (Feb 26)
  - Re: SSH & xauth Robert Watson (Feb 28)
  - xterm log file vulnerability Morten Welinder (Feb 29)
  - false alarms by real secure Danton Nunes (Feb 29)
  - New ZZ Posted Simple Nomad (Feb 29)
- DOS in Trendmicro OfficeScan cerberus (Feb 26)
- Re: SSH & xauth Cy Schubert - ITSD Open Systems Group (Feb 27)
- Re: SSH & xauth Oliver Friedrichs (Feb 25)
  - Re: SSH & xauth Theo de Raadt (Feb 27)
    - Re: SSH & xauth Cy Schubert - ITSD Open Systems Group (Feb 28)
    - Serv-U FTP-Server v2.4a showing real path Berk Ulsoy (Feb 28)
    - Re: SSH & xauth Robert Watson (Feb 28)
    - Re: SSH & xauth Niels Provos (Feb 28)
- Re: SSH & xauth Brian (Feb 28)
- Re: SSH & xauth Robert Watson (Feb 28)