Re: Ulrich Flegel's SSH/X11 "vulnerability"

Robert Watson (robert@cyrus.watson.org)
Fri, 03 Oct 1997 09:54:07 -0400

On Fri, 3 Oct 1997, Tatu Ylonen wrote:

> Ulrich Flegel writes:
> > SSH/X11 Vulnerability September 1997
>...
>
> Yes, there are environments that want to disable X11 forwarding by
> default. But for a vast majority of users, SSH X11 forwarding
> provides a major security improvement by not sending the authorization
> cookie or the X11 packets in the clear.

For increased security, the XFree86 Xnest server can be used to protect
your display. For example:

Xnest :2 ; xterm -display :2 -e slogin -l username remotehost

Now the forwarded programs do not have access to the entire local display,
just the nested display. When I do this, I actually use Xnest :2 -auth
~/.Xauthority ; etc., so that local users on my machine have no recourse.
Needless to say, care with port-forwarding features is still required, but
this can allay some fears about using X forwarding to a less-trusted host.

I have not looked closely at the Xnest code, but simple tests (such as
running Xwatchwin from the remote host) have proven quite successful
(i.e., you only get information about the nested window).

Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/
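
The nested-display setup described in the message above, written out as a script. This is an added example, not code from the original post: the function names, the /tmp/.X11-unix socket path, the per-display cookie entry and the cleanup steps are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original message): run slogin inside an Xnest
# display that has its own cookie. Assumes xauth, Xnest, xterm and slogin are
# on PATH and that X servers create their socket as /tmp/.X11-unix/X<n>.

new_cookie() {            # 128-bit random value as 32 hex digits
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

display_socket() { printf '/tmp/.X11-unix/X%s' "$1"; }

free_display() {          # first display number >= $1 with no socket yet
    n=${1:-2}
    while [ -e "$(display_socket "$n")" ]; do n=$((n + 1)); done
    printf '%s' "$n"
}

wait_for_display() {      # $1 = display number, $2 = seconds to wait
    tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        [ -S "$(display_socket "$1")" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

nested_slogin() {         # $1 = remote user, $2 = remote host
    disp=$(free_display 2)
    # Clients of the nested server look the cookie up by display name, so
    # add an entry for :N before the server reads the file.
    xauth add ":$disp" . "$(new_cookie)" || return 1
    Xnest ":$disp" -auth "$HOME/.Xauthority" &
    xnest_pid=$!
    status=1
    if wait_for_display "$disp" 10; then
        # xterm exports DISPLAY=:N to slogin, so only the nested display
        # is forwarded to the remote host.
        xterm -display ":$disp" -e slogin -l "$1" "$2"
        status=$?
    fi
    kill "$xnest_pid" 2>/dev/null
    xauth remove ":$disp"
    return "$status"
}

if [ "$#" -eq 2 ]; then nested_slogin "$1" "$2"; fi
```

Current OpenSSH clients do not forward X11 unless asked to (ssh -X), so the slogin line would need that option there.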