[lug] ssh xforwarding

j davis davis_compz at hotmail.com
Tue Jul 16 21:15:04 MDT 2002


Thank you, I guess I really don't need to; it just seems odd to allow
X forwarding to users. I don't guess you can compile X with tcpwrapper
support... anyway, thanks, that cleared a lot of stuff up for me.

Thanks,
jd


>From: Tkil <tkil at scrye.com>
>Reply-To: lug at lug.boulder.co.us
>To: "j davis" <davis_compz at hotmail.com>
>CC: lug at lug.boulder.co.us
>Subject: Re: [lug] ssh xforwarding
>Date: 16 Jul 2002 15:18:49 -0600
>
> >>>>> "jd" == j davis <j> writes:
>
>jd> I love X forwarding for up2dating remote Red Hat boxes; however, I allow
>jd> a few people to ssh to one of the remote boxes that I have
>jd> X forwarding enabled in sshd on. Is there a way to allow X forwarding to
>jd> a few and ssh to all?
>
>What are you actually trying to prevent?
>
>The traditional security concern with X is letting attacker clients
>connect to your X server, since they could then snoop keystrokes and
>do other nasty things.  Remember, however, that "X Server" really
>means the display hardware, or the machine sitting in front of you.
>
>From your message, I take it that there are three machines involved in
>this particular operation: your local box, your remote box, and your
>user's box.  You log into your local box and initiate an X session.
>Then you ssh from there to the remote box, setting up the X tunnel
>from your remote box (where X clients will run) back to your local box
>(which is running the X server).
>
>Now, your user logs in to your remote box from the user's box.  If X
>forwarding is enabled for all sshd users, then they can construct a
>forwarded X session running X clients on your remote box -- but that
>tunnel only goes back to *their* X server.  They can't get to your X
>server, so there's not a security concern.
>
>So, I don't see any reason to restrict X forwarding on a security
>basis.  Bandwidth or other resources, on the other hand, might be a
>legitimate reason to implement this restriction.
>
>To allow yourself in with X forwarding, but not anyone else, I'd run
>two sshd processes (with different config files) on two different
>ports.  The standard port can have X forwarding turned off; on a
>non-standard port, change that sshd's config file to allow forwarding,
>then use firewalling (ipfw / ipchains / iptables) to allow connections
>only from your trusted machines.
>
>A bit messy, but should work.  Make sure that you understand why
>you're going through the extra trouble, however.
>
>t.
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug


thanks,
jd

jd at taproot.bz
http://www.taproot.bz
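The two-daemon setup Tkil describes (X forwarding off on port 22, on for a second sshd on a non-standard port that the firewall restricts to trusted hosts), written out as an added example; this is not code from the thread or from either poster. The port number 2222, the trusted address 192.0.2.10 (a documentation-range address) and the temp directory are constructed assumptions. It also goes one step beyond the post: a single-daemon variant using a `Match Address` block, which OpenSSH added in 4.4 (after this 2002 exchange), with a small resolver that reports which X11Forwarding value a given client address would get.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes OpenSSH sshd_config
# syntax; all addresses, ports and paths below are constructed placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_configs() {
  # Public sshd on the standard port: no X forwarding for anyone.
  cat > "$WORKDIR/sshd_config.public" <<'EOF'
Port 22
X11Forwarding no
EOF
  # Admin sshd on a non-standard port: X forwarding on. Reachability is
  # restricted by the firewall rules below, not by sshd itself.
  cat > "$WORKDIR/sshd_config.admin" <<'EOF'
Port 2222
X11Forwarding yes
EOF
  # Single-daemon variant (OpenSSH 4.4+): one sshd, forwarding enabled only
  # for connections from the trusted address via a Match block.
  cat > "$WORKDIR/sshd_config.single" <<'EOF'
Port 22
X11Forwarding no
Match Address 192.0.2.10
    X11Forwarding yes
EOF
}

# Value of a top-level keyword in an sshd_config; sshd uses the first match.
config_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Effective X11Forwarding for one client address, honouring "Match Address"
# blocks (exact address match only; CIDR and lists are not handled here).
effective_x11() {
  awk -v addr="$2" '
    tolower($1) == "match" {
      inblock = 1
      applies = (tolower($2) == "address" && $3 == addr)
      next
    }
    tolower($1) == "x11forwarding" {
      if (!inblock) global = $2
      else if (applies) matched = $2
    }
    END { print (matched != "" ? matched : global) }' "$1"
}

# iptables rules (emitted as text, not executed) that keep port 22 open and
# admit port 2222 only from the trusted address.
firewall_rules() {
  trusted="$1"
  printf '%s\n' \
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport 2222 -s $trusted -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport 2222 -j DROP"
}

# Starting the two daemons needs root and a real sshd, so it is left as a comment:
#   sshd -f "$WORKDIR/sshd_config.public"
#   sshd -f "$WORKDIR/sshd_config.admin"
```

The two-daemon layout relies entirely on the firewall to keep untrusted hosts off port 2222; if that rule set is wrong, the admin daemon is just another sshd with forwarding on. The `Match Address` form moves that decision into sshd, where `sshd -T -C addr=192.0.2.10` (on OpenSSH versions that support it) shows the effective value without a second process or firewall rule.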
