X11 forwards and libwrap support

Osmo Paananen odie at rotta.media.sonera.net
Thu Nov 15 03:20:26 EST 2001


> i think that sshd should not depend on libwrap, it's already
> the sshd listen port and this is more than enough.
> having libwrap for other things is a problem because
> it controls system policy instead of user policy.

What is wrong with system policies? I realize that there are
many kinds of environments.  One of those is a multiuser environment
(typically universities) and another would be an ISP where there
are only administrators who have to comply with policies (some are enforced
by firewall, some by access lists and some are not enforced at all).

I personally haven't used forwarded X11 connections from other hosts
over the network at all. (I mean connecting to the forwarded port from a
third host, where I'm not connected via ssh).
I suspect that this is true for most users.
 
> i think x11 fwd should either listen to the localhost
> or to all interfaces, but with x11/xauth this does not
> seem to work if DISPLAY points to localhost.
> i'd prefer to have this fixed.
 
How about if the x11 fwd would listen on the interface which is pointed
to by the hostname (this would be an option, not default)?

> another dependency on libwrap is a bad idea.

Why? Certainly as an option it wouldn't hurt anybody?
 
> > How many applications would break if the tcp port
> > would be closed and only the unix-domain socket would be available?
> i don't know. this would be nice. perhaps the x11 proxy
> code from x11 can give hints.

This shouldn't be hard to test either. I just asked in case someone
would know the answer. It would save some work.  If it works
for some (most) applications then it could be nice to see as a configuration
option.

> > I think that the risk can be made (a bit) smaller if there were
> > more controls available to restrict access to the forwarded ports. 
> but x11 access on this port does not work, because you
> need the cookie.

Why then have libwrap on port 22?   Every user has a password!

> > Another question: is it a requirement that the forwarded X11 port is
> > bound to * instead of a specific interface?
> xauth does not like DISPLAY=localhost:x.y

Ok, but how about machines with multiple interfaces?  I can think of a
web server that has one dedicated interface for backup/administration and
another for running services (like www.company.com). There should not
be a need to have the X11 proxy listening on that interface, should there?


-- 
  Osmo Paananen 
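Added example, not part of this thread or of OpenSSH: a small Python audit that reads `ss -ltnp`-style output and reports whether each X11 forward listener (TCP port 6000 + display number) is bound to the wildcard address, to loopback, or to a single interface, which is the distinction the thread is arguing about. The socket listing is constructed sample text in the `ss` column layout; the pids and the 10.0.0.5 address are made up.

```python
# X11 display :N listens on TCP port 6000 + N; sshd allocates forwarded
# displays from X11DisplayOffset (default 10) upwards, so 6010, 6011, ...
X11_BASE_PORT = 6000
X11_MAX_DISPLAY = 63

WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Constructed sample in the column layout of `ss -ltnp`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:6010        0.0.0.0:*          users:(("sshd",pid=2201,fd=9))
LISTEN  0       128     127.0.0.1:6011      0.0.0.0:*          users:(("sshd",pid=2302,fd=9))
LISTEN  0       128     [::]:6012           [::]:*             users:(("sshd",pid=2403,fd=9))
LISTEN  0       128     10.0.0.5:6013       0.0.0.0:*          users:(("sshd",pid=2504,fd=9))
"""

def classify_binding(addr: str) -> str:
    """Map a listening address to 'wildcard', 'loopback' or 'interface'."""
    if addr in WILDCARD:
        return "wildcard"
    if addr in LOOPBACK:
        return "loopback"
    return "interface"

def audit_x11_listeners(ss_output: str) -> list:
    """One finding per LISTEN socket whose port falls in the X11 display range."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port_str = fields[3].rpartition(":")  # keeps "[::]" intact
        if not port_str.isdigit():
            continue
        display = int(port_str) - X11_BASE_PORT
        if not 0 <= display <= X11_MAX_DISPLAY:
            continue
        # Process column looks like users:(("sshd",pid=2201,fd=9)) when run as root.
        proc = fields[5].split('"')[1] if len(fields) > 5 and '"' in fields[5] else None
        findings.append({"port": int(port_str), "display": display, "addr": addr,
                         "binding": classify_binding(addr), "process": proc})
    return findings

def wildcard_x11_listeners(ss_output: str) -> list:
    """The forwards reachable on every interface: the case the thread is about."""
    return [f for f in audit_x11_listeners(ss_output) if f["binding"] == "wildcard"]
```

Later OpenSSH releases settled this with the sshd_config option X11UseLocalhost (default yes), which binds the forwarded display to loopback; on such a host the wildcard list above should come back empty.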