From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 00:47:32 2003
Date: Mon, 28 Jul 2003 00:47:28 -0700 (PDT)
From: Jason Stone
To: Paul Chvostek
cc: freebsd-security@freebsd.org
Subject: Re: ssh and X11Forwarding
In-Reply-To: <20030728064729.GA30191@mail.it.ca>
Message-ID: <20030728003941.C77638@walter>
References: <20030728064729.GA30191@mail.it.ca>
List-Id: Security issues [members-only posting]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> What has to be installed on a host for it to do X11Forwarding in SSH?
> Does X have to be installed *on the firewall* for me to forward X11
> connections from the X clients back to my workstation at home?

Depends on how you're ssh'ing. If you're ssh'ing from your box to the firewall, and from the firewall to the target, then you'll need X support on all the boxes, yes. However, if you're doing the right thing and ssh'ing _through_ the firewall to the target host (e.g., with OpenSSH's ProxyCommand option, or with multiple ssh's and port forwards), then you only need X support on your machine and the target machine.
I think that "X support" consists of xauth and whatever libraries are needed by the binary you want to run.

The topically interesting part of this question is the issue of how you handle multiple ssh hops. I think that most people don't know about ProxyCommand, and when they have to ssh through multiple machines, they just go from one to the next to the next, which is bad, security-wise, not to mention less powerful. Is this worth a FAQ entry?

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
                                                        -- Ashley Montagu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE/JNUQswXMWWtptckRAqyaAKCNIxxhNOn0FFqNHV1x/VfXZQlu2wCfXmwm
R0dDztX2i0wokIAB4VyYDvI=
=R0GQ
-----END PGP SIGNATURE-----
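The "ssh through the firewall" setup the message recommends, written out as an OpenSSH client config. This is an added example, not part of the original post or of any FreeBSD FAQ; the host names fw (the firewall) and target (the machine whose X clients should display at home) and their HostName values are assumed. The reason the hop-by-hop way is worse is that the firewall terminates the first SSH session, so it handles the second session's plaintext, including the xauth cookie sshd hands out for the forwarded display; with ProxyCommand the firewall only relays an encrypted stream it cannot read, and it needs no xauth or X libraries at all.

```text
# Added example (not from the original message): ~/.ssh/config on the home
# workstation.  Host names "fw" and "target" and their HostName values are
# assumptions for illustration.

# Hop-by-hop, the way the message warns against:
#
#   home$ ssh -X fw
#   fw$   ssh -X target
#
# Needs xauth on the firewall, and the firewall sees the second session in
# the clear, including the X authority cookie for the forwarded display.

# Single end-to-end session through the firewall: only the home machine
# and the target need xauth and X libraries; the firewall just relays.

Host fw
    HostName fw.example.org          # assumed name
    ForwardX11 no                    # the firewall never handles X11

Host target
    HostName target.example.org      # assumed name; must resolve on fw
    ForwardX11 yes
    ForwardX11Trusted no             # untrusted X11; needs OpenSSH >= 3.8,
                                     # drop the line on older clients
    # 2003-era form of the trick from the message: ProxyCommand + netcat,
    # run on fw, so the connection to target's sshd originates there.
    ProxyCommand ssh fw nc %h %p
    # Later OpenSSH versions can do the same without nc:
    #   ProxyCommand ssh -W %h:%p fw     (OpenSSH >= 5.4)
    #   ProxyJump fw                     (OpenSSH >= 7.3)
```

With that in place, `ssh target` from home opens one SSH session whose TCP path goes via fw, and an `xterm` started on target appears on the home display. The target's sshd still needs `X11Forwarding yes` in sshd_config and a working xauth (sshd finds it via XAuthLocation); nothing X-related has to exist on fw. The port-forward alternative the message mentions is the same idea done by hand: `ssh -L 2222:target.example.org:22 fw` in one window, then `ssh -X -p 2222 localhost` in another (set `HostKeyAlias target` for the second command so the target's host key is not recorded under the name localhost).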