Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH & xauth
From: lionel.cons () CERN CH (Lionel Cons)
Date: Mon, 28 Feb 2000 09:33:07 +0100

Robert Watson writes:
If you search back a few years in the bugtraq archives, you'll see that
one suggestion for dealing with this, and still allowing X11 forwarding
from untrusted clients, is to use the Xnest server, limiting access by the
ssh client to that DISPLAY. [...]

This is one possibility but you have to understand how X11 works and
probably also enable and configure the X11 security extension. You may
want to have a look at /usr/X11R6/lib/X11/xserver/SecurityPolicy (or
similar path).

Another possibility is to use an X11 connection proxy with filtering
capabilities like the one I wrote, see:

With mxconns, you can detect a great number of "hostile" X11 requests
before they reach your X server. I use it daily to filter what comes
out of the SSH X11 proxies that I use...

Lionel Cons        http://home.cern.ch/~cons
CERN               http://www.cern.ch

Instruction Booklet Governing Principle:
        Instruction booklets are lost by the Goods Delivery Service. If not,
        they are listed in four languages: Japanese, Thai, Swahili and Moghol.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]