Firewall Wizards mailing list archives

Re: X11 forwarding


From: Pierre Blanchet <Pierre.Blanchet () solsoft fr>
Date: Tue, 27 Aug 2002 10:46:19 +0200

On August 26 2002 at 9:51, Kevin Steves <kevin () atomicgears com> wrote:
> On Fri, Aug 23, 2002 at 10:07:21AM -0700, hermit921 wrote:
>> How much of a security problem is X11 forwarding?  I see CERT recommends
>> using a version that allows this to be turned off, but doesn't specifically
>> recommend that X11 forwarding be disabled.
>
> For OpenSSH, I was going to try to cover the issues somewhat by adding
> this text.  Note also, that by default, the proxy display no longer
> listens on the wildcard address (see sshd X11UseLocalhost), which
> closes a possible remote attack vector.


        If I understood you correctly, X11 Forwarding is dangerous 
only from the client point of view (modulo unknown holes).
        i.e. I can safely enable X11 Forwarding on sshd, but should use 
ssh -X with caution (= I trust the remote admin).

        Pierre.
-- 
Pierre Blanchet                                       Support Engineer
GPG 0xED89D256 :    0952 C8A7 7B97 BAE5 0560  8614 E690 9368 ED89 D256
http://www.solsoft.com                      Pierre.Blanchet () solsoft fr
Tel.: +33 147 15 55 00                           Fax: +33 147 15 55 09
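
An added example, not part of the original message and not OpenSSH code: a small Python check that reads an sshd_config and reports the effective global X11Forwarding and X11UseLocalhost values mentioned in this thread. The function names and the sample configuration are constructed for illustration, and Match blocks are not evaluated.

```python
# Added example: server-side check of the two sshd_config keywords named in the thread.
# Upstream OpenSSH defaults (a distribution may ship different ones).
SSHD_DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes"}

def effective_x11_settings(config_text):
    """Return the global X11 values sshd would use for this configuration text."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        # sshd_config accepts "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword = parts[0].lower()                # keywords are case-insensitive
        if keyword == "match":
            break                                 # per-Match overrides are not evaluated here
        if keyword in SSHD_DEFAULTS and len(parts) > 1 and keyword not in seen:
            seen[keyword] = parts[1].lower()      # the first value obtained is the one used
    return {k: seen.get(k, default) for k, default in SSHD_DEFAULTS.items()}

def audit(config_text):
    """Flag the case the thread calls out: proxy display bound to the wildcard address."""
    s = effective_x11_settings(config_text)
    findings = []
    if s["x11forwarding"] == "yes" and s["x11uselocalhost"] == "no":
        findings.append("X11 proxy display listens on the wildcard address; "
                        "set X11UseLocalhost yes")
    return findings

# Constructed sample configuration, for illustration only.
SAMPLE = """\
# constructed sample
x11forwarding yes
X11UseLocalhost=no
X11Forwarding no        # ignored: an earlier value was already obtained
Match User kiosk
    X11Forwarding no
"""

if __name__ == "__main__":
    print(effective_x11_settings(SAMPLE))
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

A clean result here says nothing about the client-side exposure raised in the message: that depends on whether the user runs ssh -X against a host they trust.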

