[14062] in bugtraq
Re: SSH & xauth
daemon@ATHENA.MIT.EDU (Lionel Cons)
Mon Feb 28 13:40:24 2000
Message-Id: <20000228083307.1044115060@mercury.cern.ch>
Date: Mon, 28 Feb 2000 09:33:07 +0100
Reply-To: Lionel Cons <lionel.cons@CERN.CH>
From: Lionel Cons <lionel.cons@CERN.CH>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.NEB.3.96L.1000225211428.18984A-100000@fledge.watson.org>
Robert Watson writes:
> [...]
> If you search back a few years in the bugtraq archives, you'll see that
> one suggestion for dealing with this, and still allowing X11 forwarding
> from untrusted clients, is to use the Xnest server, limiting access by the
> ssh client to that DISPLAY. [...]
This is one possibility, but you have to understand how X11 works and
probably also enable and configure the X11 security extension. You may
want to have a look at /usr/X11R6/lib/X11/xserver/SecurityPolicy (or
similar path).
Another possibility is to use an X11 connection proxy with filtering
capabilities like the one I wrote, see:
http://home.cern.ch/~cons/mxconns
With mxconns, you can detect a great number of "hostile" X11 requests
before they reach your X server. I use it daily to filter what comes
out of the SSH X11 proxies that I use...
________________________________________________________
Lionel Cons http://home.cern.ch/~cons
CERN http://www.cern.ch
Instruction Booklet Governing Principle:
Instruction booklets are lost by the Goods Delivery Service. If not,
they are listed in four languages: Japanese, Thai, Swahili and Moghol.
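As an added illustration (not Lionel Cons' mxconns code, nor anything from the thread) of what a filtering X11 connection proxy sitting between an SSH X11 forward and the real X server has to do: split the client byte stream into X11 requests using the core protocol framing, then apply a policy to each request before it reaches the server. The deny list of opcodes below is a constructed example policy, not mxconns' rules; the sample stream is constructed for the demo.

```python
import struct
# Constructed example policy for this demo (an assumption, not mxconns' rules):
# core X11 request opcodes a forwarding proxy might refuse from an untrusted
# client. The numbers are the core protocol opcodes.
DENIED_OPCODES = {31: "GrabKeyboard", 73: "GetImage", 109: "ChangeHosts",
                  111: "SetAccessControl", 113: "KillClient"}

def split_requests(stream, big_endian=False):
    """Split a client->server X11 byte stream (after connection setup) into
    (opcode, raw_request) pairs. The 16-bit length counts 4-byte units including
    the 4-byte header; 0 means BIG-REQUESTS, with a 32-bit length following."""
    fmt = ">" if big_endian else "<"
    out, pos = [], 0
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError("truncated request header at offset %d" % pos)
        (units,) = struct.unpack_from(fmt + "H", stream, pos + 2)
        if units == 0:
            if pos + 8 > len(stream):
                raise ValueError("truncated BIG-REQUESTS header")
            (units,) = struct.unpack_from(fmt + "I", stream, pos + 4)
        size = units * 4
        if size < 4 or pos + size > len(stream):
            raise ValueError("malformed or truncated request at offset %d" % pos)
        out.append((stream[pos], stream[pos:pos + size]))
        pos += size
    return out

def filter_stream(stream, big_endian=False):
    """Return (bytes_to_forward, names_of_blocked_requests). A denied request is
    rewritten into a NoOperation (opcode 127) of the same length so client and
    server sequence numbers stay aligned; a real proxy must additionally answer
    denied requests that expect a reply, otherwise the client blocks waiting."""
    forwarded, blocked = bytearray(), []
    for opcode, raw in split_requests(stream, big_endian):
        if opcode in DENIED_OPCODES:
            blocked.append(DENIED_OPCODES[opcode])
            raw = bytes([127]) + raw[1:]  # keep header length and padding
        forwarded += raw
    return bytes(forwarded), blocked

def build_request(opcode, data, body=b""):
    """Encode one little-endian request; used only to construct the sample."""
    body += bytes(-len(body) % 4)  # pad to a 4-byte boundary
    return struct.pack("<BBH", opcode, data, 1 + len(body) // 4) + body

# Constructed sample stream: GrabServer, NoOperation, then a GetImage (ZPixmap,
# 640x480 of drawable 0x200001, full plane mask).
SAMPLE = (build_request(36, 0) + build_request(127, 0)
          + build_request(73, 2, struct.pack("<IhhHHI", 0x200001, 0, 0, 640, 480, 0xFFFFFFFF)))
```

Running `filter_stream(SAMPLE)` reports the GetImage as blocked and returns a stream of the same length in which that request has become a NoOperation; a request that does not parse cleanly is rejected rather than forwarded.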