[PATCH] tcp-wrappers support extended to x11 forwards

Osmo Paananen odie at rotta.media.sonera.net
Thu Nov 29 22:08:53 EST 2001


> it's an authentication secret.  but i'm confused.  are you performing X to
> the sshd fake X11 socket from remote hosts?  

No.

> can you explain exactly what
> security feature you are looking for and why you want it?

The reason is simply that there is a possibility to get access
to my display from a remote computer if an attacker guesses the cookie
of the fake server (and if he/she gets through my firewalls).

I don't like possibilities like that, especially when it can be prevented
with a simple fix.

I don't consider this flaw to be a big risk, but a futile one.
Nothing will break if an ACL is to be added. Nothing.

If you don't do anything to close down this small hole, that's OK
with me.  I can apply my own patch to every new and great version of
OpenSSH you make.


-- 
  Osmo Paananen 





More information about the openssh-unix-dev mailing list