Date:      Thu, 23 Oct 2003 19:42:06 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Joe Altman <fj@panix.com>, FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: Open SSH, sshd_config on FreeBSD vs. NetBSD re: X11
Message-ID:  <20031023184206.GA86861@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20031023171540.GA3965@panix.com>
References:  <20031023171540.GA3965@panix.com>

On Thu, Oct 23, 2003 at 01:15:40PM -0400, Joe Altman wrote:
> From the FreeBSD man page:
>
> X11Forwarding
>              Specifies whether X11 forwarding is permitted. The
>              argument must be ``yes'' or ``no''.  The default is
>              ``yes''.
>
> From the NetBSD page:
>
> X11Forwarding
>              Specifies whether X11 forwarding is permitted. The
>              argument must be ``yes'' or ``no''.  The default is
>              ``no''.
>
> I don't mean to compare apples and oranges, nor to start a "My OS can
> kick your OSes butt" thread; but I am wondering about the
> difference. It seems the NetBSD default is safer, but I am also no
> security wonk. It occurred to me that the man page for FreeBSD could
> be incorrect; but I doubt that...it actually strikes me as a choice
> made to reflect a balance between options.
>
> Is the default set to no a more secure option? Or is it something that
> can be arguH^H^discussed at length?

X11Forwarding is an interesting one.  It doesn't expose the server
where that option is set to any more security implications than having
sshd(8) running anyway.  On the other hand, you as a user ssh-ing into
an untrusted machine are potentially exposed to having nasty things
done to you.  Same thing goes for servers with ForwardAgent=yes, which
can lead to loss of your ssh keys.  Moral of the story: never ssh into
an untrusted machine without turning off X and agent forwarding on
the client side (that's 'ssh -a -x user@hostname ...') and remember
that such things as rsync(1) default to running over ssh nowadays.

NetBSD seems to have specifically turned off the X11Forwarding option
due to a security problem several years ago:

    ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-010.txt.asc

As far as I can find, this didn't affect FreeBSD because the
vulnerable version of OpenSSH was never imported into the base system.

> I do note that the man page for both OSes states that UseLogin
> defaults to no, and that if used, X11 forwarding is turned off.
> However, in the default config file for sshd, the line for UseLogin is
> commented out. Given this latter state of affairs, can I continue to
> assume that X11 forwarding is in fact _not_ enabled by default in
> FreeBSD?

The convention in the OpenSSH config files is to show the default
value of the setting, but commented out.  That way it is obvious that
any uncommented option in the config file is a local modification.
> Oh, and what is the difference between the entry in the ssh_config
> file and the sshd_config file? Incoming vs. outbound traffic? That is,
> sshd_config accepts incoming X11 forwarding (that is, from a remote
> host, to the localhost), and ssh_config allows outbound (from the
> localhost to a remote host) X11 forwarding? It sure looks that way...

Essentially yes.  ssh_config(5) provides the client side defaults for
a user ssh(1) session.  However you can override the defaults either
from the command line (ssh -X) or by having your own default settings
in ${HOME}/.ssh/config.  You can't modify the sshd(8) settings as a
mortal user.

> Hmmm....now I'm thinking that this: serverargs="-nolisten tcp"
>
> in /usr/X11R6/bin/startx/  may make this a bit of a moot point....is
> this correct?

Turning off X's binding to tcp sockets is the default nowadays.
However, that won't stop you tunnelling remote X sessions over ssh(1)
-- just so long as the X11Forwarding flag is on for each end of the
connection.  In fact, this setup is the best and most secure way of
running X applications over a network.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

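The two configuration rules the reply relies on (a commented line in sshd_config only documents the default, and ssh(1) keeps the first value it obtains for a keyword, so a per-host "ForwardX11 yes" exception must come before the catch-all "Host *" that switches forwarding off) can be checked mechanically. The following is an added example, not code from the thread or from OpenSSH: the config fragments, the hostname build.example.org and the helper names sshd_effective and ssh_effective are constructed for the demonstration. Match blocks and "!pattern" negation in Host lines are not modelled.

```shell
#!/bin/sh
# Added example, not from the original thread. Models OpenSSH's lookup rules:
#   1. sshd_config: "#Keyword value" documents the compiled-in default; only the
#      first uncommented occurrence of a keyword takes effect.
#   2. ssh_config:  the first value obtained for a keyword wins, walking Host
#      blocks in file order, so exceptions must precede "Host *".
# All file contents and hostnames below are constructed for the demonstration.

# Constructed sshd_config fragment: commented default, then a local override.
SAMPLE_SSHD_CONFIG='#Port 22
#X11Forwarding yes
X11Forwarding no
#UseLogin no
'

# Constructed client config, exception first (correct order).
SAMPLE_SSH_CONFIG='Host build.example.org
    ForwardX11 yes

Host *
    ForwardAgent no
    ForwardX11 no
'

# Same directives with the catch-all first: the exception is never reached.
SAMPLE_SSH_CONFIG_WRONG_ORDER='Host *
    ForwardAgent no
    ForwardX11 no

Host build.example.org
    ForwardX11 yes
'

# sshd_effective <keyword> <default>    (sshd_config text on stdin)
# Prints the first uncommented value of <keyword>, or <default> if none is set.
sshd_effective() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" -v def="$2" '
        /^[[:space:]]*#/ { next }               # comment: documents the default only
        /^[[:space:]]*$/ { next }               # blank line
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)     # "Keyword value" or "Keyword=value"
            if (tolower(f[1]) == "match") exit  # conditional section: not modelled, stop here
            if (tolower(f[1]) == kw) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }'
}

# ssh_effective <host> <keyword> <default>    (ssh_config text on stdin)
# Keeps the FIRST value seen for <keyword> inside a Host block whose pattern
# matches <host>; directives before any Host line apply to every host.
ssh_effective() {
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v host="$1" -v kw="$kw" -v def="$3" '
        # Translate a Host glob (* and ?) into an anchored regular expression.
        function glob2re(p) { gsub(/[.]/, "[.]", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p); return "^" p "$" }
        BEGIN { active = 1 }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = split(line, f, /[[:space:]=]+/)
            key = tolower(f[1])
            if (key == "host") {                # block applies if any listed pattern matches
                active = 0
                for (i = 2; i <= n; i++) if (host ~ glob2re(f[i])) active = 1
                next
            }
            if (key == "match") exit
            if (active && key == kw) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }'
}

# Demo: server view, then client view for the trusted host and for any other host.
printf '%s' "$SAMPLE_SSHD_CONFIG" | sshd_effective X11Forwarding yes              # no
printf '%s' "$SAMPLE_SSHD_CONFIG" | sshd_effective Port 22                        # 22
printf '%s' "$SAMPLE_SSH_CONFIG" | ssh_effective build.example.org ForwardX11 no  # yes
printf '%s' "$SAMPLE_SSH_CONFIG" | ssh_effective other.example.org ForwardX11 no  # no
printf '%s' "$SAMPLE_SSH_CONFIG_WRONG_ORDER" | ssh_effective build.example.org ForwardX11 no  # no
```

On a live system the same questions are answered by OpenSSH itself: `sshd -T` dumps the effective server configuration, and `ssh -G hostname` prints the options ssh(1) would actually use for that host (both flags postdate the 2003 thread). The wrong-order sample is the case to remember: the catch-all "Host *" silently wins, and forwarding stays off for the host you meant to trust.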


