Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH & xauth
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sun, 27 Feb 2000 20:01:41 -0700

All children of the SSH connection are able to tunnel X11 sessions
through the X tunnel to the client X11 session.  This is
accomplished by running xauth upon logging in.

I'm really suprised this is still the default.  I've heard mention of
this at least 4 years ago, and have seen trojaned SSH servers around
_since then_ that do logging of client X11 keystrokes - probably the
best place to accomplish this.  The problem seems to be that the
authors have not figured out that this isn't a good default, perhaps
for convenience's sake.  This suprises me, since people DO know about
this.  I think the argument is really convenience vs. security (well,
thats always the argument isn't it?).

alias ssh="ssh -x"

Earlier, bugtraq was told that all ssh versions including openssh
automatically tunnel X.

This is not correct.  openssh has that turned off by default.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]