Firewall Wizards mailing list archives
Re: X11 forwarding
From: Pierre Blanchet <Pierre.Blanchet () solsoft fr>
Date: Tue, 27 Aug 2002 10:46:19 +0200
On August 26 2002 at 9:51, Kevin Steves <kevin () atomicgears com> wrote:
> On Fri, Aug 23, 2002 at 10:07:21AM -0700, hermit921 wrote:
>> How much of a security problem is X11 forwarding? I see CERT recommends using a version that allows this to be turned off, but doesn't specifically recommend that X11 forwarding be disabled.
>
> For OpenSSH, I was going to try to cover the issues somewhat by adding this text. Note also, that by default, the proxy display no longer listens on the wildcard address (see sshd X11UseLocalhost), which closes a possible remote attack vector.
If I understood you correctly, X11 Forwarding is dangerous only from the client point of view (modulo unknown holes). i.e. I can safely enable X11 Forwarding on sshd, but should use ssh -X with caution (= I trust the remote admin).

Pierre.

-- 
Pierre Blanchet
Support Engineer
GPG 0xED89D256 : 0952 C8A7 7B97 BAE5 0560 8614 E690 9368 ED89 D256
http://www.solsoft.com
Pierre.Blanchet () solsoft fr
Tel.: +33 147 15 55 00
Fax: +33 147 15 55 09
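A configuration check for the settings this message discusses, as an added example that is not part of the original post: it reports the effective sshd values of X11Forwarding and X11UseLocalhost and lists the ssh_config Host blocks that turn on ForwardX11 (the config-file form of `ssh -X`). The function names and both sample configs are constructed for illustration; Match blocks and cross-block precedence in ssh_config are not evaluated.

```python
import re

# OpenSSH defaults for the sshd keywords discussed in this thread.
SSHD_DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes"}

def directives(text):
    """Yield (keyword, [args]) per config line; keywords are case-insensitive."""
    for raw in text.splitlines():
        m = re.match(r"\s*([^\s#=]+)(?:\s*=\s*|\s+)(.+)$", raw)
        if m:
            args = m.group(2).replace('"', "").split()
            if args:
                yield m.group(1).lower(), args

def audit_sshd(text):
    """Return (effective settings, findings) for the global part of sshd_config."""
    eff, seen, findings = dict(SSHD_DEFAULTS), set(), []
    for key, args in directives(text):
        if key == "match":
            break  # conditional overrides are not evaluated in this sketch
        if key in eff and key not in seen:  # sshd keeps the first value obtained
            eff[key] = args[0].lower()
            seen.add(key)
    if eff["x11forwarding"] == "yes" and eff["x11uselocalhost"] == "no":
        findings.append("proxy display listens on the wildcard address")
    return eff, findings

def client_x11_hosts(text):
    """Return the ssh_config Host patterns whose block sets ForwardX11 yes."""
    current, enabled = "(global)", []
    for key, args in directives(text):
        if key in ("host", "match"):
            current = " ".join(args)
        elif key == "forwardx11" and args[0].lower() == "yes":
            enabled.append(current)
    return enabled

# Constructed sample configs, not taken from any real host.
SSHD_SAMPLE = """# sshd_config (sample)
x11forwarding yes
X11UseLocalhost=no
X11UseLocalhost yes
"""
CLIENT_SAMPLE = """Host build.example.org
    ForwardX11 yes
Host *
    ForwardX11 no
"""

if __name__ == "__main__":
    print(audit_sshd(SSHD_SAMPLE))
    print(client_x11_hosts(CLIENT_SAMPLE))
```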