zlacker

1. tshtf+(OP) 2011-04-23 23:38:18
ssh with X11 forwarding (-X option) had this same problem. A privileged malicious user on the host you were ssh'ed into might be able to monitor the keystrokes of your whole X session.
2. teduna+Y1 2011-04-24 00:53:58
>>tshtf+(OP)
Note that hasn't been true for years and years. -Y and -X are different.
3. tshtf+f2 2011-04-24 01:03:03
>>teduna+Y1
That's why I mentioned the -X option... -Y handles the problem the correct way and doesn't have the same issues.

Edit: Ignore this, I was incorrect.

4. rst+g2 2011-04-24 01:03:23
>>teduna+Y1
[deleted former mummery after five-minute fact-check]

Unfortunately, the documentation on -X and -Y is awfully confusing. On a casual read, it looks like -Y is less safe, since practically the only thing the docs for -Y say is that forwarded connections are "not subjected to X11 SECURITY extension controls"...

5. teduna+p2 2011-04-24 01:08:30
>>tshtf+f2
You have that backwards.
6. teduna+t2 2011-04-24 01:10:27
>>rst+g2
You were apparently more right the first time. -X establishes an untrusted connection, subject to limitations. -Y says "trust me, no limits". -Y is the less safe option.
7. rst+d3 2011-04-24 01:44:01
>>teduna+Y1
So, trying again... here are the caveats on -X, from the man page on the current version[1]:

     -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.

So, it's not documented as being proof against hostile parties with root at the remote end; in fact, it's documented as being vulnerable...

[1] http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion...

8. teduna+E5 2011-04-24 03:53:22
>>rst+d3
That's why the next paragraph exists.

    For this reason, X11 forwarding is subjected to X11
    SECURITY extension restrictions by default.  Please
    refer to the ssh -Y option and the ForwardX11Trusted
    directive in ssh_config(5) for more information.
9. sciuru+rj 2011-04-24 16:18:10
>>tshtf+(OP)
'-X' is supposedly the safe alternative to '-Y'. However, as a Cygwin/X maintainer says, "this is widely considered to be not useful, because the Security extension uses an arbitrary and limited access control policy, which results in a lot of applications not working correctly and what is really a false sense of security."

http://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html
