What risk is X11Forward to a server?

Ed Phillips ed at UDel.Edu
Sat Oct 27 00:58:08 EST 2001


On Fri, 26 Oct 2001, Ed Phillips wrote:

> Date: Fri, 26 Oct 2001 09:14:04 -0400 (EDT)
> From: Ed Phillips <ed at UDel.Edu>
> To: Bob Proulx <bob at proulx.com>
> Cc: Jim Knoble <jmknoble at pobox.com>, openssh-unix-dev at mindrot.org,
>      Dave Dykstra <dwd at bell-labs.com>
> Subject: Re: What risk is X11Forward to a server?
>
> On Thu, 25 Oct 2001, Bob Proulx wrote:
>
> > Date: Thu, 25 Oct 2001 16:49:25 -0600
> > From: Bob Proulx <bob at proulx.com>
> > To: Ed Phillips <ed at UDel.Edu>
> > Cc: Jim Knoble <jmknoble at pobox.com>, openssh-unix-dev at mindrot.org,
> >      Dave Dykstra <dwd at bell-labs.com>
> > Subject: Re: What risk is X11Forward to a server?
> >
> > > That brings up a quick question I forgot...
> > >
> > > How do you change the compiled-in PATH that sshd uses by default?
> >
> > I don't think it is currently possible.  That is one thing that I have
> > really needed/wanted with ssh.  The ability to set the PATH in the
> > site sshd_config file.
> >
> > Traditionally the rsh command (as implemented on SysV systems such as
> > hpux which is where my experience comes from) implements
> > /usr/local/bin:/usr/bin:/bin, etc., the operative directory being
> > /usr/local/bin.  But openssh does not.  Which means I always need to
> > recompile with that path addition in order to make it compatible
> > with rsh on our systems.  And that really makes sense.  I don't want
> > to have to include the full path to a command in scripts.  But does
> > not completely solve the problem because even that does not handle
> > nonstandard path locations.
>
> Yeah... and on Solaris there is the /etc/default/login PATH setting...
> which login and other apps honor, but not sshd.  Maybe someone could make
> sshd honor that in Solaris?  I'm not sure what that would entail but it
> sounds easy in concept...
>
> > I would really like to see /usr/local/bin/ added to the default build.
> > But I realize that it is a system dependent value.  I don't think it
> > is possible to implement a one size fits all value.  The best answer
> > would probably be a way to configure this in the sshd_config file.  It
> > is high on my wishlist.
>
> Yes... the sshd_config file would be a good place for setting the default
> PATH IMO.  It's something that you can distribute with stock values and
> then customize it on particular systems.

Also, on Solaris, I'd like the default path to be taken from
/etc/default/login if it's not set in sshd_config (with this new feature).

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key



