Date:      Sat, 26 Jun 1999 07:12:37 -0400 (EDT)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Mark Newton <newton@atdot.dotat.org>
Cc:        "Jung, Michael" <mjung@npc.net>, security@FreeBSD.ORG
Subject:   Re: X and SSH
Message-ID:  <Pine.BSF.3.96.990626070947.339A-100000@fledge.watson.org>
In-Reply-To: <199906241520.AAA25556@atdot.dotat.org>

On Fri, 25 Jun 1999, Mark Newton wrote:

> Jung, Michael wrote:
> 
>  > I have been reading these threads and unless I missed something
>  > this has not seen this addressed.  Suppose you use ssh, tterm etc to
>  > securely connect to a host.  Once on the host you want to export your
>  > display back to a client so you can bring up a X application.  How does
>  > one have the X session encrypted?  
> 
> ssh does this for you:  It automatically sets up your $DISPLAY to
> point to a tunnel passed back across the encrypted session.  All
> X11 traffic is encrypted as a result (unless you override the 
> $DISPLAY setting by manually setting it or passing a -display
> parameter to an X client).
> 
> You can get a similar effect by running:
> 
>     ssh -R 6009:localhost:6000 foo.bar.com
> 
> ... and manually setting your $DISPLAY to localhost:9.0 when you 
> have successfully logged in to it.  You never need to do this manually,
> though, because ssh configures X11 forwarding by default.

Actually, that isn't quite the same.  SSH speaks a little bit of the X
protocol (hence being unable to get X support without Xlib on machines you
build it on), and allocates new random cookies in your .Xauthority files
on the remote machines, meaning that only the correct user on the remote
end (or a privileged user) has access to your display.  This protects you
in the event that you xhost :0, as many people do.  Similarly, it makes
X programs not require a copy of your local cookie, if you have one
(running xdm), so you can effectively revoke display access after you
sever the X connection.

I personally like to run incoming tunneled X sessions from under-trusted
hosts in Xnest, but maybe that's just me... :-)

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/
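The mechanism Robert describes (ssh minting a fresh random MIT-MAGIC-COOKIE-1 for the forwarded display in the remote ~/.Xauthority, so that a cookie is needed to reach the tunnel even when someone has run xhost, and the local cookie is never copied across) is illustrated below. This is an added example, not code from the thread or from any ssh implementation: the .Xauthority record layout is the real one (big-endian 16-bit family, then four 16-bit length-prefixed fields), the hostname "remotehost", the port-to-display mapping for Mark's `-R 6009:localhost:6000` example and the deterministic `rng` hook are constructed for the demonstration.

```python
"""Per-display X authority cookies for a forwarded X11 display (constructed example)."""
import os
import struct

FAMILY_INTERNET = 0        # address field is a 4-byte IPv4 address
FAMILY_LOCAL = 256         # address field is a hostname; display reached via unix socket
X_BASE_PORT = 6000         # display :N listens on TCP 6000+N
COOKIE_PROTO = b"MIT-MAGIC-COOKIE-1"


def display_for_port(port):
    """Map an X11 TCP port to its display number (6009 -> 9)."""
    if not X_BASE_PORT <= port <= X_BASE_PORT + 255:
        raise ValueError("%d is not an X11 display port" % port)
    return port - X_BASE_PORT


def _lp(b):
    """Length-prefixed field as written in .Xauthority (16-bit big-endian length)."""
    return struct.pack(">H", len(b)) + b


def _read_lp(blob, off):
    if len(blob) - off < 2:
        raise ValueError("truncated record")
    (n,) = struct.unpack(">H", blob[off:off + 2])
    off += 2
    field = blob[off:off + n]
    if len(field) != n:
        raise ValueError("truncated record")
    return field, off + n


def encode_entry(family, address, number, name, data):
    """Serialize one .Xauthority record."""
    return struct.pack(">H", family) + _lp(address) + _lp(number) + _lp(name) + _lp(data)


def parse_xauthority(blob):
    """Parse a concatenation of .Xauthority records into dicts."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated record")
        (family,) = struct.unpack(">H", blob[off:off + 2])
        off += 2
        address, off = _read_lp(blob, off)
        number, off = _read_lp(blob, off)
        name, off = _read_lp(blob, off)
        data, off = _read_lp(blob, off)
        entries.append({"family": family, "address": address, "number": number,
                        "name": name, "data": data})
    return entries


def new_display_cookie(hostname, display_number, rng=os.urandom):
    """Record for a forwarded display with a fresh 128-bit cookie.

    `rng` is an assumed hook so the example can be checked deterministically;
    a real implementation draws the cookie from the OS random source.
    """
    cookie = rng(16)
    rec = encode_entry(FAMILY_LOCAL, hostname.encode(), str(display_number).encode(),
                       COOKIE_PROTO, cookie)
    return rec, cookie


def cookie_for(entries, hostname, display_number):
    """Return the cookie a client would present for hostname:display, or None."""
    for e in entries:
        if (e["family"] == FAMILY_LOCAL and e["address"] == hostname.encode()
                and e["number"] == str(display_number).encode()
                and e["name"] == COOKIE_PROTO):
            return e["data"]
    return None


def demo():
    # Constructed: the remote host already holds a cookie for its own :0 (as with xdm).
    # The forwarded session gets its own cookie; the :0 cookie is never copied into it.
    local_cookie = bytes(range(16))
    existing = encode_entry(FAMILY_LOCAL, b"remotehost", b"0", COOKIE_PROTO, local_cookie)
    fwd_display = display_for_port(6009)          # "ssh -R 6009:localhost:6000" -> :9
    fwd_rec, fwd_cookie = new_display_cookie("remotehost", fwd_display)
    entries = parse_xauthority(existing + fwd_rec)
    assert cookie_for(entries, "remotehost", fwd_display) == fwd_cookie
    assert cookie_for(entries, "remotehost", 0) == local_cookie
    assert fwd_cookie != local_cookie
    return len(entries)


if __name__ == "__main__":
    print("records in constructed authority file:", demo())
```

Removing the forwarded display's record (the equivalent of `xauth remove`) once the ssh session ends is what makes the revocation Robert mentions effective: a client that kept a copy of the old cookie no longer matches anything in the file.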
