[Bug 803] Security Bug: X11 Forwarding is more powerful than it needs to be.
bugzilla-daemon at mindrot.org
Sat Feb 28 14:38:13 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=803
------- Additional Comments From holger at van-lengerich.de 2004-02-28 14:38 -------
Oops. There is more I might tell:

The newly generated cookie is only used by the ssh client. So it will be
invalidated very soon if no other processes use this cookie. Perhaps, if
implemented, a new cookie should be obtained for every new X request, or a
timeout which is large enough may be associated with the cookie.

The first line "xauth extract ... | xauth -f .Xssh xauthority" is not necessary.
'xauth' is able to create a new Xauthority file right away. Originally I thought
xauth needs a valid cookie to get a new one, but this wasn't the case.

Securing X before ssh with X11 forwarding is done in 2 commands:

    xauth -f $HOME/.sshXauthority generate $DISPLAY . untrusted timeout 3600
    export XAUTHORITY=$HOME/.sshXauthority
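
The two commands above wrapped in a helper, as an added example that is not part of the original comment or of OpenSSH: it creates the authority file owner-only, checks that a cookie was actually stored, and sets XAUTHORITY for the ssh process alone instead of exporting it. The function name ssh_untrusted_x and the variables XCOOKIE_TIMEOUT and SSH_XAUTHORITY are hypothetical.

```shell
#!/bin/sh
# Added example: start ssh -X with a freshly generated untrusted X cookie.
# ssh_untrusted_x, XCOOKIE_TIMEOUT and SSH_XAUTHORITY are hypothetical names;
# the file name and the 3600 second timeout are the ones used in the comment.

ssh_untrusted_x() {
    timeout=${XCOOKIE_TIMEOUT:-3600}
    authfile=${SSH_XAUTHORITY:-$HOME/.sshXauthority}

    # Without a local display there is nothing to generate a cookie for.
    [ -n "$DISPLAY" ] || { echo "DISPLAY is not set" >&2; return 2; }

    # Start from an empty, owner-only file so that no trusted cookie from an
    # earlier run or from ~/.Xauthority can end up in it.
    ( umask 077 && : > "$authfile" ) || return 3

    # Ask the X server for an untrusted cookie that expires when unused
    # for $timeout seconds (the invalidation noted in the comment).
    xauth -f "$authfile" generate "$DISPLAY" . untrusted timeout "$timeout" \
        || { echo "xauth generate failed" >&2; return 4; }

    # Refuse to continue if no entry was written: ssh would otherwise run
    # with X11 forwarding but without the restricted cookie.
    [ -n "$(xauth -f "$authfile" list 2>/dev/null)" ] \
        || { echo "no cookie stored in $authfile" >&2; return 5; }

    # Set XAUTHORITY for ssh only; other local X clients keep their cookie.
    XAUTHORITY=$authfile ssh -X "$@"
}
```

Because the cookie times out when idle, call the helper immediately before each session rather than generating the file once at login.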