Re: Ulrich Flegel's SSH/X11 "vulnerability"
Cy Schubert - ITSD Open Systems Group (cschuber@uumail.gov.bc.ca)
Sat, 04 Oct 1997 08:52:30 -0700
> On Fri, 3 Oct 1997, Tatu Ylonen wrote:
>
> > Ulrich Flegel writes:
> > > SSH/X11 Vulnerability September 1997
> >...
> >
> > Yes, there are environments that want to disable X11 forwarding by
> > default. But for a vast majority of users, SSH X11 forwarding
> > provides a major security improvement by not sending the authorization
> > cookie or the X11 packets in the clear.
>
> For increased security, the XFree86 Xnest server can be used to protect
> your display. For example:
>
> Xnest :2 ; xterm -display :2 -e slogin -l username remotehost
>
> Now the forwarded programs do not have access to the entire local display,
> just the nested display. When I do this, I actually use Xnest :2 -auth
> ~/.Xauthority ; etc.. So that local users on my machine have no recourse.
> Needless to say, care with port-forwarding features is still required, but
> this can allay some fears about using X forwarding to a less-trusted host.
>
> I have not looked closely at the Xnest code, but simple tests (such as
> running Xwatchwin from the remote host have proven quite successful
> (i.e., you only get information about the nested window.)
I've used Xforward and Xroute, both of which do similar forwarding. I
found Xroute on a CDROM that came with O'Reilly's X Tools book and I found
Xforward somewhere on the Net (a good search engine might find it).
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
UNIX Support OV/VM: BCSC02(CSCHUBER)
ITSD BITNET: CSCHUBER@BCSC02.BITNET
Government of BC Internet: cschuber@uumail.gov.bc.ca
Cy.Schubert@gems8.gov.bc.ca
"Quit spooling around, JES do it."