ssh X11Forward safety



Since I have nothing better to do, I often ponder how to improve safety
and security in my home setup.  I have two conflicting needs: security
of my data, and a need to use a browser with JavaScript and sometimes
Flash; some sites only work with Iceweasel.

Let me set out my thinking on this, and then at the end I ask one
question.  Could anybody who knows the ins and outs of ssh comment?

I note that Iceweasel gets lots of security updates (though fewer in
the past month or two than I remember), which suggests that there are
lots more security issues that haven't been discovered yet.  I know that
JavaScript runs in a sandbox and shouldn't be able to get at anything in
my home directory or run anything under my UID.  However, if it ever
did, it could be disastrous.

So I look at ways to isolate the two needs.  Right now I run Etch amd64,
which means that Iceweasel with Flash runs under an i386 chroot.
However, for me, an ordinary user, to run in the chroot I use schroot, which
bind mounts my home directory over it, which presents it on the proverbial
platter for Iceweasel.  Also, chroots are the greatest security
isolation.

I then consider putting them on separate boxes.  If they are truly
separate, with two displays/keyboards, then that is more secure.  I
could have my Athlon64 as my "entertainment" system (Iceweasel, VLC) and
another box for everything else.  I could use a KVM switch to alternate
between the two boxes.

However, if I look at ssh-ing between the two, there are two scenarios:

1.	Screen and keyboard on the "entertainment" box, and I ssh through
to the secure box to do work.  That "entertainment" box could at any
time become compromised via an undiscovered security hole in Iceweasel
and then grab whatever I do via ssh.  If I edit a file with vi on the
"secure" box from a VT on the "entertainment" box, then anything there is
open to view.

2.	Screen and keyboard on the "secure" box, and ssh through to the
"entertainment" box to run Iceweasel.  For this I need in ssh_config
both ForwardX11 and ForwardX11Trusted.  Note that Konqueror doesn't
require ForwardX11Trusted.  However, then a compromised "entertainment"
box could, per the ssh_config man page, "perform activities such as
keystroke monitoring".

So is the moral of the story that there is no way to access a
compromised box from a "secure" box via ssh without risking the security
of the "secure" box?

Doug.
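The ssh_config point in scenario 2 turns on which value of
ForwardX11Trusted actually applies to the host you connect to, and
OpenSSH resolves that with a first-match-wins rule: the first obtained
value of a keyword is used, whether it comes from a matching "Host"
stanza or from the catch-all "Host *" (Debian's shipped
/etc/ssh/ssh_config puts "ForwardX11Trusted yes" under "Host *").  The
script below is an added example, not part of Doug's post and not
OpenSSH's own code: a small POSIX sh/awk resolver that applies that rule
to a constructed ssh_config with a trusted stanza, an untrusted stanza
and the Debian-style default, so you can see which hosts end up with
trusted forwarding.  It assumes a POSIX awk, supports only "*", "?" and
"!" in Host patterns, and does not model "Match" or "Include".

```shell
#!/bin/sh
# Added example: resolve the value OpenSSH would use for an ssh_config
# keyword, given a config on stdin, using first-match-wins semantics.
# Assumptions: POSIX awk; Host patterns limited to '*', '?', '!';
# no Match blocks (treated as non-matching), no Include, no quoting.

ssh_effective() {   # usage: ssh_effective HOST KEYWORD DEFAULT < ssh_config
    awk -v host="$1" -v key="$2" -v dflt="$3" '
    function glob2re(p) {                 # ssh_config glob -> anchored ERE
        gsub(/\./, "\\\\.", p)            # literal dots in host names
        gsub(/\*/, ".*", p)
        gsub(/\?/, ".", p)
        return "^" p "$"
    }
    function hostmatch(list,    n, i, pats, neg, p, m) {
        m = 0
        n = split(list, pats, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            if (pats[i] == "") continue
            neg = (substr(pats[i], 1, 1) == "!")
            p = neg ? substr(pats[i], 2) : pats[i]
            if (host ~ glob2re(p)) {
                if (neg) return 0         # a negated match vetoes the stanza
                m = 1
            }
        }
        return m
    }
    BEGIN { active = 1; found = 0 }       # options before any Host apply to all
    {
        sub(/#.*/, "")                    # strip comments and surrounding blanks
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        if ($0 == "") next
        k = tolower($1)                   # keywords are case-insensitive
        rest = $0; sub(/^[^ \t=]+[ \t=]+/, "", rest)
        if (k == "host")  { active = hostmatch(rest); next }
        if (k == "match") { active = 0; next }   # assumption: Match not modelled
        if (active && !found && k == tolower(key)) { found = 1; val = rest }
    }
    END { print (found ? val : dflt) }
    '
}

# Constructed sample config (not a real file), modelled on Debian, whose
# /etc/ssh/ssh_config sets ForwardX11Trusted yes under "Host *".
sample_config() {
    cat <<'EOF'
Host entertainment
    ForwardX11 yes
    ForwardX11Trusted yes    # full X access: the remote end can monitor keystrokes

Host ent-untrusted
    HostName entertainment
    ForwardX11 yes
    ForwardX11Trusted no     # untrusted cookie via the X SECURITY extension

Host *
    ForwardX11 no
    ForwardX11Trusted yes    # Debian default: a bare "ssh -X" is trusted
EOF
}

# Report the effective X11 settings for three hosts; "laptop" has no
# stanza of its own and therefore inherits the "Host *" defaults.
for h in entertainment ent-untrusted laptop; do
    printf '%s: ForwardX11=%s ForwardX11Trusted=%s\n' "$h" \
        "$(sample_config | ssh_effective "$h" ForwardX11 no)" \
        "$(sample_config | ssh_effective "$h" ForwardX11Trusted no)"
done
```

The practical checks this illustrates: "ssh -X" only gives untrusted
forwarding if ForwardX11Trusted resolves to "no" for that host, and
"ssh -Y" always forces trusted forwarding; on OpenSSH 6.8 and later,
"ssh -G hostname" prints the same resolved values for your real config,
which is the quickest way to confirm what a given connection will get.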