[PATCH] tcp-wrappers support extended to x11 forwards

Ed Phillips ed at UDel.Edu
Fri Nov 30 02:04:09 EST 2001


On Thu, 29 Nov 2001, Osmo Paananen wrote:

> Date: Thu, 29 Nov 2001 13:08:53 +0200
> From: Osmo Paananen <odie at rotta.media.sonera.net>
> To: Kevin Steves <stevesk at pobox.com>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: [PATCH] tcp-wrappers support extended to x11 forwards
>
> > it's an authentication secret.  but i'm confused.  are you performing X to
> > the sshd fake X11 socket from remote hosts?
>
> No.
>
> > can you explain exactly what
> > security feature you are looking for and why you want it?
>
> The reason is simply because there is a possibility to get access
> to my display from a remote computer if an attacker guesses the cookie
> of the fake server (and if he/she gets through my firewalls).

If you log in to SystemB with X forwarding enabled to SystemA, then an
attacker gets your fake cookie on SystemB, how do you propose to prevent
him from running X programs and displaying on SystemA - even with the
proposed X wrapper support?  It doesn't seem stoppable, since you've
enabled forwarding for SystemB-to-SystemA, the attacker is logged into
SystemB, and has your fake cookie...

Sorry if I'm overly dense this morning... ;-)

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key



