Bugtraq mailing list archives
Re: SSH & xauth
From: Cy.Schubert () UUMAIL GOV BC CA (Cy Schubert - ITSD Open Systems Group)
Date: Mon, 28 Feb 2000 10:35:55 -0800
In message <200002280301.UAA09309 () cvs openbsd org>, Theo de Raadt writes:
All children of the SSH connection are able to tunnel X11 sessions through the X tunnel to the client X11 session. This is accomplished by running xauth upon logging in.I'm really suprised this is still the default. I've heard mention of this at least 4 years ago, and have seen trojaned SSH servers around _since then_ that do logging of client X11 keystrokes - probably the best place to accomplish this. The problem seems to be that the authors have not figured out that this isn't a good default, perhaps for convenience's sake. This suprises me, since people DO know about this. I think the argument is really convenience vs. security (well, thats always the argument isn't it?). alias ssh="ssh -x"Earlier, bugtraq was told that all ssh versions including openssh automatically tunnel X. This is not correct. openssh has that turned off by default.
Theo, I held the same opinion as you until it was pointed out to me offline that it's not the server that needs the default specification, as it already has, and because an untrusted server could have its specification changed. Instead the ssh_config (client) needs to have its default changed to deny X tunnelling as well in case an untrusted server, e.g. a server one does not trust, has its specification X tunnelling changed to allow it. To disable X forwarding, ssh_config also needs, Host * ForwardX11 no Ultimately turning on X forwarding would require changing of sshd_config, to enable the server X forwarding, and the users ~/.ssh/config file to enable the client's accepting of forwarded X packets. The second half of this would put the onus on the user for their own security, as the user would have to specifically enable X forwarding, even though the server already has it enabled. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert () uumail gov bc ca UNIX Group, ITSD, ISTA Province of BC "COBOL IS A WASTE OF CARDS."
Current thread:
- Re: SSH & xauth, (continued)
- Re: SSH & xauth Lionel Cons (Feb 28)
- Re: SSH & xauth David Pybus (Feb 26)
- Re: SSH & xauth Robert Watson (Feb 28)
- xterm log file vulnerability Morten Welinder (Feb 29)
- false alarms by real secure Danton Nunes (Feb 29)
- New ZZ Posted Simple Nomad (Feb 29)
- DOS in Trendmicro OfficeScan cerberus (Feb 26)
- Re: SSH & xauth Cy Schubert - ITSD Open Systems Group (Feb 27)
- Re: SSH & xauth Oliver Friedrichs (Feb 25)
- Re: SSH & xauth Theo de Raadt (Feb 27)
- Re: SSH & xauth Cy Schubert - ITSD Open Systems Group (Feb 28)
- Serv-U FTP-Server v2.4a showing real path Berk Ulsoy (Feb 28)
- Re: SSH & xauth Robert Watson (Feb 28)
- Re: SSH & xauth Niels Provos (Feb 28)
- Re: SSH & xauth Theo de Raadt (Feb 27)
- Re: SSH & xauth Brian (Feb 28)
- Re: SSH & xauth Robert Watson (Feb 28)