What risk is X11Forward to a server?

Dave Dykstra dwd at bell-labs.com
Fri Oct 26 05:23:57 EST 2001


On Wed, Oct 24, 2001 at 10:30:30PM +0200, Lutz Jaenicke wrote:
> Subject: Re: Default forwarding features; default cipher
> On Wed, Oct 24, 2001 at 02:49:47PM -0400, Ed Phillips wrote:
> > Okay... that makes sense.  I've been looking at this from the viewpoint of
> > using ssh between "trusted" machines (managed by our group)... in which
> > case, we probably want forwarding of X11 connections and authentication
> > to, at least, be available.  I guess the only gotcha is that you have to
> > enable X11 forwarding in sshd_config.  It appears that by default "ssh -X"
> > is silently ignored on the server side, and "ssh -A" works fine... and
> > normally you get no forwarding from the client without adding the "-A" or
> > "-X".  Is this correct?
> 
> I don't think that X11 forwarding on the server side introduces a problem.
> For the client side it is up to you.

I agree that X11 forwarding on the server is not a problem; the problem is
that a secure client can be put at risk from an insecure server.  If you're
accessing a secure server from an insecure client you've got worse problems
and X11 forwarding won't add any risk to the server.

Why, then, doesn't OpenSSH set X11Forward=yes by default on the server?

- Dave Dykstra
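The risk described in this message falls on the client, so the settings worth auditing are the forwarding options in the client's `ssh_config`. As an added example (not part of the original message or of OpenSSH), this Python check flags `ForwardX11` or `ForwardAgent` enabled globally or under wildcard `Host` patterns. The function names and the sample configuration are constructed, and `Match`/`Include` handling and first-match-wins precedence are assumed out of scope.

```python
import re

FORWARD_OPTS = {"forwardx11", "forwardagent"}  # client-side options behind -X and -A

# Constructed sample ssh_config, not taken from any real host.
SAMPLE = """\
# forwarding switched on before any Host line applies to every server
ForwardAgent yes
Host bastion.example.com
    ForwardX11 yes
Host *.lab.example.com
    ForwardX11=yes
Host *
    ForwardX11 no
    ForwardAgent no
"""

def parse_line(line):
    """Return (keyword, value) for one ssh_config line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # ssh_config accepts both "Keyword value" and "Keyword=value"
    parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip().strip('"')

def broad_forwarding(config_text):
    """List (host_patterns, option) pairs where forwarding is enabled at
    global scope or in a Host block containing a wildcard pattern."""
    findings = []
    patterns = ["*"]  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        key, value = parsed
        if key == "host":
            patterns = value.split()
        elif key in FORWARD_OPTS and value.lower() == "yes":
            positive = [p for p in patterns if not p.startswith("!")]
            if any("*" in p or "?" in p for p in positive):
                findings.append((" ".join(patterns), key))
    return findings

if __name__ == "__main__":
    for hosts, option in broad_forwarding(SAMPLE):
        print(f"{option} enabled for broad pattern: {hosts}")
```

The explicitly named host `bastion.example.com` is not reported, since enabling forwarding toward a single server the user chose to trust is the intended use.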


