Default forwarding features; default cipher

Ed Phillips ed at UDel.Edu
Thu Oct 25 04:49:47 EST 2001


On Wed, 24 Oct 2001, Lutz Jaenicke wrote:

> Date: Wed, 24 Oct 2001 19:24:22 +0200
> From: Lutz Jaenicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>
> To: openssh-unix-dev at mindrot.org
> Subject: Re: disable features
>
> On Wed, Oct 24, 2001 at 09:35:22AM -0400, Ed Phillips wrote:
> > On Wed, 24 Oct 2001, Lutz Jaenicke wrote:
> >
> > > Consider a ssh[d] that has been compiled without X11 forwarding.
> >
> > Speaking of X11Forwarding... is there any particular reason that somewhere
> > between v2.9p2 and v2.9.9p2 there has been a change to the stock
> > sshd_config to disable X11Forwarding?
> >
> > Also, is there any particular reason that authentication forwarding has
> > been disabled in 2.X (I'm not sure when, except that ever since we've
> > been trying out 2.X it has been disabled by default).
> >
> > In addition, if there is some reason not to use these features (bugs,
> > unreasonable security risks, etc.)... please let me know.
>
> Both X11 and agent forwarding introduce some risks. If you cannot trust
> the admin on the server (or have to consider the system being compromised),
> you may experience the following:
> * the malicious admin can steal your X-authentication credentials and via
>   the forwarded X11 connection he can open up windows on your display.
>   He could therefore e.g. open a transparent window that captures your
>   keystrokes.
>   (This is however still better than a normal X11 connection, so the only
>   way around it is to not allow X11 connections from this host at all. The point
>   is however, that once X11 forwarding is allowed you won't know which
>   connections are opened, for normal X11 connections you at least have to
>   type "xhost +host" or something like that before the access would be
>   granted.)
> * the malicious admin could access your forwarded agent connection and this
>   way authenticate with your identity to another host using your public
>   keys. He can however not steal your private key.
>   (This is still better than performing a slogin on this server and type
>   your password which can be captured by this admin. The only way around
>   it is to not open another connection from the questionable server at
>   all. Only start connections from your trusted system on your desk,
>   then create some aliases "alias trustedserver slogin -A trustedserver"
>   so that you can use the advantages of agent forwarding on trustedserver
>   and are protected elsewhere.)

Okay... that makes sense.  I've been looking at this from the viewpoint of
using ssh between "trusted" machines (managed by our group)... in which
case, we probably want forwarding of X11 connections and authentication
to, at least, be available.  I guess the only gotcha is that you have to
enable X11 forwarding in sshd_config.  It appears that by default "ssh -X"
is silently ignored on the server side, and "ssh -A" works fine... and
normally you get no forwarding from the client without adding the "-A" or
"-X".  Is this correct?

By the way, I notice in the stock ssh_config, it would appear that
"blowfish" is the default cipher.  Is this used for speed or because it
provides the best security or both?

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
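
Added example, not part of the original message and not OpenSSH code: the per-host scoping suggested in the quoted reply can also be kept in ssh_config, where the first value obtained for an option wins, so ordering decides which hosts get forwarding. This sketch resolves the effective ForwardAgent/ForwardX11 value for a host; it handles only Host blocks (no Match or Include), and the sample configs and the name other.example are constructed.

```python
import fnmatch

# Forwarding options tracked here, with the OpenSSH client default for each.
DEFAULTS = {"forwardagent": "no", "forwardx11": "no"}

def host_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no negated one does."""
    matched = False
    for pat in (p.lower() for p in patterns):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_forwarding(config_text, host):
    """Resolve ForwardAgent/ForwardX11 for host; the first value obtained wins."""
    host, found = host.lower(), {}
    active = True  # lines before the first Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif active and key in DEFAULTS and args:
            found.setdefault(key, args[0].lower())
    return {opt: found.get(opt, default) for opt, default in DEFAULTS.items()}

# Constructed sample: forwarding only toward the trusted host.
SCOPED = """
Host trustedserver
    ForwardAgent yes
    ForwardX11 yes
Host *
    ForwardAgent no
    ForwardX11 no
"""

# Constructed sample: a global "yes" ahead of the Host blocks wins everywhere,
# so the later "Host *" override never takes effect.
LEAKY = "ForwardAgent yes\n" + SCOPED

if __name__ == "__main__":
    for name, cfg in (("scoped", SCOPED), ("leaky", LEAKY)):
        for h in ("trustedserver", "other.example"):
            print(name, h, effective_forwarding(cfg, h))
```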



