[14143] in bugtraq


Re: SSH & xauth

daemon@ATHENA.MIT.EDU (Cy Schubert - ITSD Open Systems Gr)
Thu Mar 2 14:59:30 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <200003021354.FAA03761@cwsys.cwsent.com>
Date:         Thu, 2 Mar 2000 05:53:55 -0800
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@UUMAIL.GOV.BC.CA>
X-To:         Brian <cazz@RUFF.CS.JMU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Mon, 28 Feb 2000 15:02:26 EST." 
              <20000228150226.A19949@ruff.cs.jmu.edu>

In message <20000228150226.A19949@ruff.cs.jmu.edu>, Brian writes:
> Ok, just to make sure everyone completely understands my previous post
> about SSH & xauth.
[edited out]
> For absolute security, a client should always give out trust in the
> smallest portions available.  Trusting X tunneling by default is not a
> good idea, and should be turned off.  As stated in previous postings,
> if you must use X, use Xnest.

Another alternative would be to use xforward or xroute.  Both are
capable of notifying you of incoming X connections and you can allow or
deny each one specifically.  The downside, however, is that with either
you need to trust the host that your X server is running on, e.g. xhost
x_server_machine.  If you're using a desktop system that isn't used by
anyone else, you should be O.K.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
                    "COBOL IS A WASTE OF CARDS."
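
A client-side check for the quoted advice that X tunneling be off by default, added here as an example and not part of the original post or of any SSH distribution: it evaluates OpenSSH `ssh_config` text with first-value-wins semantics and reports which hosts would still get `ForwardX11 yes`. The sample config and host names are constructed, the function names are hypothetical, and `Match`/`Include` directives are not handled.

```python
import re

# Constructed sample ssh_config (not taken from the post).
SAMPLE_CONFIG = """\
# per-host exception: X forwarding only where it is needed
Host build.example.org
    ForwardX11 yes

Host *.example.org !legacy.example.org
    ForwardX11=no

Host *
    ForwardX11 no
"""

def _pattern_matches(pattern, host):
    # ssh_config host patterns support only the '*' and '?' wildcards
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host.lower()) is not None

def _host_line_matches(patterns, host):
    # A negated pattern ('!pat') that matches vetoes the whole Host line
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], host):
                return False
        elif _pattern_matches(pat, host):
            positive = True
    return positive

def effective_forward_x11(config_text, host):
    """Return the ForwardX11 value ssh would use for host ('yes' or 'no')."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if keyword == "host":
            active = _host_line_matches(arg.split(), host)
        elif keyword == "forwardx11" and active:
            return arg.strip().strip('"').lower()  # first obtained value wins
    return "no"  # OpenSSH default when nothing sets the option

def hosts_with_x11(config_text, hosts):
    """List the hosts for which X11 forwarding would be enabled."""
    return [h for h in hosts if effective_forward_x11(config_text, h) == "yes"]
```

Because the first obtained value wins, a permissive `Host *` block placed above a restrictive per-host block silently overrides it, so the catch-all default belongs at the end of the file.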
