X11 forwards and libwrap support
Markus Friedl
markus at openbsd.org
Thu Nov 15 02:51:14 EST 2001
On Wed, Nov 14, 2001 at 05:35:21PM +0200, Osmo Paananen wrote:

> Is there any reason why support for the libwrap code isn't included
> in the X11 forwarding code? I'd like to restrict access to that
> port.

i think that sshd should not depend on libwrap, it's already
the sshd listen port and this is more than enough.
having libwrap for other things is a problem because
it controls system policy instead of user policy.

i think x11 fwd should either listen to the localhost
or to all interfaces, but with x11/xauth this does not
seem to work if DISPLAY points to localhost.
i'd prefer to have this fixed.
another dependency on libwrap is a bad idea.

> How many applications would break if the tcp port
> would be closed and only the unix-domain socket would be available?

i don't know. this would be nice. perhaps the x11 proxy
code from x11 can give hints.

> It's true that x11 forwardings can be considered as a security
> risk and they are disabled because of that by default.

probably.

> I think that the risk can be made (a bit) smaller if there were
> more controls available to restrict access to the forwarded ports.

but x11 access on this port does not work, because you
need the cookie.

> Another question: is it requirement that the forwarded X11 port is
> bound to * instead of specific interface?

xauth does not like DISPLAY=localhost:x.y
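As an added example (not code from this thread or from OpenSSH), the audit below parses a constructed `ss -ltn` listing and reports forwarded X11 displays that sshd bound to every interface rather than to localhost, the distinction Markus raises above. It assumes the X11 convention of TCP port 6000 + display number and sshd's default display offset of 10; on a real host, feed it the output of `ss -H -ltn`.

```python
"""Audit which X11-forwarding listeners sshd has opened and on which address."""
from collections import namedtuple

Listener = namedtuple("Listener", "local_addr port")

# Assumptions: X display N listens on TCP 6000+N, and sshd's default
# X11DisplayOffset is 10, so forwarded displays start at port 6010.
X11_BASE_PORT = 6000
X11_DISPLAY_OFFSET = 10
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in `ss -ltn` column order (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6011 0.0.0.0:*
LISTEN 0 128 [::1]:6012 [::]:*
LISTEN 0 128 [::]:6013 [::]:*
LISTEN 0 511 127.0.0.1:631 0.0.0.0:*
"""


def parse_ss(text):
    """Parse `ss -ltn` style lines into Listener records; non-LISTEN rows are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps [::1] intact
        listeners.append(Listener(addr, int(port)))
    return listeners


def x11_display(listener):
    """Return the display number a forwarded X11 listener serves, or None."""
    n = listener.port - X11_BASE_PORT
    # Assumed bound: treat 6000-6999 at or above the offset as forwarded displays.
    return n if X11_DISPLAY_OFFSET <= n < 1000 else None


def exposed_x11_listeners(listeners):
    """List (display, address) pairs for forwarded displays bound to all interfaces.

    As the thread notes, a peer still needs the xauth cookie to use the port,
    but a wildcard bind is the wider exposure a defender wants flagged.
    """
    return [(x11_display(l), l.local_addr) for l in listeners
            if x11_display(l) is not None and l.local_addr in WILDCARD_ADDRS]


if __name__ == "__main__":
    for display, addr in exposed_x11_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"display :{display} (port {X11_BASE_PORT + display}) bound to {addr}")
```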