[14038] in bugtraq
Re: SSH & xauth
daemon@ATHENA.MIT.EDU (Oliver Friedrichs)
Sun Feb 27 21:23:07 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <4036B8ED3AAED3118F9E00A0CC58F9F1873E@MAIL>
Date: Fri, 25 Feb 2000 14:17:26 -0800
Reply-To: Oliver Friedrichs <OFriedrichs@SECURITY-FOCUS.COM>
From: Oliver Friedrichs <OFriedrichs@SECURITY-FOCUS.COM>
X-To: Brian Caswell <cazz@RUFF.CS.JMU.EDU>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> All children of the SSH connection are able to tunnel X11 sessions
> through the X tunnel to the client X11 session. This is
> accomplished by running xauth upon logging in.
I'm really suprised this is still the default. I've heard mention of
this at least 4 years ago, and have seen trojaned SSH servers around
_since then_ that do logging of client X11 keystrokes - probably the
best place to accomplish this. The problem seems to be that the
authors have not figured out that this isn't a good default, perhaps
for convenience's sake. This suprises me, since people DO know about
this. I think the argument is really convenience vs. security (well,
thats always the argument isn't it?).
alias ssh="ssh -x"
- - Oliver
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQA/AwUBOLb+Bcm4FXxxREdXEQJjLACgoGiRtmw83fuRGq45uCH2sEq0A4EAnRdx
10/rEK4mQWSWQOXdgu+iWp3D
=/XuK
-----END PGP SIGNATURE-----
