What risk is X11Forward to a server?

Dave Dykstra dwd at bell-labs.com
Fri Oct 26 05:23:57 EST 2001

On Wed, Oct 24, 2001 at 10:30:30PM +0200, Lutz Jaenicke wrote:
> Subject: Re: Default forwarding features; default cipher
> On Wed, Oct 24, 2001 at 02:49:47PM -0400, Ed Phillips wrote:
> > Okay... that makes sense.  I've been looking at this from the viewpoint of
> > using ssh between "trusted" machines (managed by our group)... in which
> > case, we probably want forwarding of X11 connections and authentication
> > to, at least, be available.  I guess the only gotcha is that you have to
> > enable X11 forwarding in sshd_config.  It appears that by default "ssh -X"
> > is silently ignored on the server side, and "ssh -A" works fine... and
> > normally you get no forwarding from the client without adding the "-A" or
> > "-X".  Is this correct?
> I don't think that X11 forwarding on the server side introduces a problem.
> For the client side it is up to you.

I agree that X11 forwarding on the server is not a problem; the problem is
that a secure client can be put at risk from an insecure server.  If you're
accessing a secure server from an insecure client you've got worse problems
and X11 forwarding won't add any risk to the server.

Why, then, doesn't OpenSSH set X11Forward=yes by default on the server?

- Dave Dykstra

More information about the openssh-unix-dev mailing list