
List:       freebsd-security
Subject:    Re: X and SSH
From:       Robert Watson <robert () cyrus ! watson ! org>
Date:       1999-06-26 11:12:37

On Fri, 25 Jun 1999, Mark Newton wrote:

> Jung, Michael wrote:
> 
>  > I have been reading these threads and unless I missed something
>  > this has not seen this addressed.  Suppose you use ssh, tterm etc to
>  > securely connect to a host.  Once on the host you want to export your
>  > display back to a client so you can bring up a X application.  How does
>  > one have the X session encrypted?  
> 
> ssh does this for you:  It automatically sets up your $DISPLAY to
> point to a tunnel passed back across the encrypted session.  All
> X11 traffic is encrypted as a result (unless you override the 
> $DISPLAY setting by manually setting it or passing a -display
> parameter to an X client).
> 
> You can get a similar effect by running:
> 
>     ssh -R 6009:localhost:6000 foo.bar.com
> 
> ... and manually setting your $DISPLAY to localhost:9.0 when you 
> have successfully logged in to it.  You never need to do this manually,
> though, because ssh configures X11 forwarding by default.

Actually, that isn't quite the same.  SSH speaks a little bit of the X
protocol (hence being unable to get X support without Xlib on machines you
build it on), and allocates new random cookies in your .Xauthority files
on the remote machines, meaning that only the correct user on the remote
end (or a privileged user) has access to your display.  This protects you
in the event that you xhost :0, as many people do.  Similarly, it makes
X programs not require a copy of your local cookie, if you have one
(running xdm), so you can effectively revoke display access after you
sever the X connection.

I personally like to run incoming tunneled X sessions from under-trusted
hosts in Xnest, but maybe that's just me... :-)

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/
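The cookie substitution Robert describes above, as an added illustration that is not code from the thread or from ssh itself: ssh hands the remote side a throwaway cookie, and when a forwarded X client connects, the ssh client parses the X11 connection-setup request, accepts it only if it carries that throwaway cookie, and rewrites it with the real local cookie before passing it to the X server. The packet layout is the standard X11 setup request; the two cookie values are constructed placeholders.

```python
import hmac
import struct

# Constructed placeholder cookies (not real ones).
FAKE_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")  # put in remote ~/.Xauthority by ssh
REAL_COOKIE = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # known only to the local X server

def pad4(n):
    """Padding needed to round n up to a multiple of 4 (X11 pads name and data this way)."""
    return (4 - n % 4) % 4

def build_setup(cookie, proto=b"MIT-MAGIC-COOKIE-1", order=b"l"):
    """Build an X11 client connection-setup request: byte order, pad, protocol 11.0,
    authorization name/data lengths, 2 pad bytes, then the padded name and data."""
    fmt = "<" if order == b"l" else ">"
    hdr = order + b"\0" + struct.pack(fmt + "HHHHxx", 11, 0, len(proto), len(cookie))
    return hdr + proto + b"\0" * pad4(len(proto)) + cookie + b"\0" * pad4(len(cookie))

def parse_setup(pkt):
    """Return (byte_order, auth_name, auth_data, end_offset) or raise ValueError."""
    if len(pkt) < 12 or pkt[0:1] not in (b"B", b"l"):
        raise ValueError("not an X11 setup request")
    fmt = "<" if pkt[0:1] == b"l" else ">"
    _major, _minor, nlen, dlen = struct.unpack(fmt + "HHHH", pkt[2:10])
    name_off = 12
    data_off = name_off + nlen + pad4(nlen)
    end = data_off + dlen + pad4(dlen)
    if len(pkt) < end:
        raise ValueError("truncated setup request")
    return pkt[0:1], pkt[name_off:name_off + nlen], pkt[data_off:data_off + dlen], end

def spoof_cookie(pkt, fake, real):
    """Accept the setup request only if it presents the per-session fake cookie, then
    forward it with the real cookie substituted. Returns None when the request must
    be rejected, which is why a stolen remote cookie is useless after the session ends."""
    order, proto, data, end = parse_setup(pkt)
    if proto != b"MIT-MAGIC-COOKIE-1" or not hmac.compare_digest(data, fake):
        return None
    return build_setup(real, proto, order) + pkt[end:]
```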



