Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH & xauth
From: Cy.Schubert () UUMAIL GOV BC CA (Cy Schubert - ITSD Open Systems Group)
Date: Mon, 28 Feb 2000 10:35:55 -0800

In message <200002280301.UAA09309 () cvs openbsd org>, Theo de Raadt
All children of the SSH connection are able to tunnel X11 sessions
through the X tunnel to the client X11 session.  This is
accomplished by running xauth upon logging in.

I'm really suprised this is still the default.  I've heard mention of
this at least 4 years ago, and have seen trojaned SSH servers around
_since then_ that do logging of client X11 keystrokes - probably the
best place to accomplish this.  The problem seems to be that the
authors have not figured out that this isn't a good default, perhaps
for convenience's sake.  This suprises me, since people DO know about
this.  I think the argument is really convenience vs. security (well,
thats always the argument isn't it?).

alias ssh="ssh -x"

Earlier, bugtraq was told that all ssh versions including openssh
automatically tunnel X.

This is not correct.  openssh has that turned off by default.

Theo, I held the same opinion as you until it was pointed out to me
offline that it's not the server that needs the default specification,
as it already has, and because an untrusted server could have its
specification changed.  Instead the ssh_config (client) needs to have
its default changed to deny X tunnelling as well in case an untrusted
server, e.g. a server one does not trust, has its specification X
tunnelling changed to allow it.

To disable X forwarding, ssh_config also needs,

Host *
  ForwardX11 no

Ultimately turning on X forwarding would require changing of
sshd_config, to enable the server X forwarding, and the users
~/.ssh/config file to enable the client's accepting of forwarded X
packets.  The second half of this would put the onus on the user for
their own security, as the user would have to specifically enable X
forwarding, even though the server already has it enabled.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert () uumail gov bc ca
Province of BC
                    "COBOL IS A WASTE OF CARDS."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]