
Re: [debian-knoppix] Default configuration ssh-client "X11 Forwarding"


I found this is about the only positive answer to Mr. van Lengerichs
proposal, so I'm answering both.

On Mon, May 10, 2004 at 05:13:18PM +0200, Gebhardt Thomas wrote:
> Hi,
> > As no one commented on my mail:
> >
> > Would anyone object to disabling X11 forwarding in SSH client's default
> > configuration?
> no, this is a reasonable and secure default.

A "reasonable and secure default" does not automatically lead to a
"reasonably secure system". Note these cases that I have observed in
real life:

- User A used ssh to start OpenOffice from a remote machine via an
  encrypted X-Session. Changing the default for ssh X11-forwarding one
  day, now causes him to - not read the manpage and try -X, but - switch
  back to "telnet" with xauth authentication, because he knows this is
  working from his Unix beginners' lecture. He just assumed ssh was broken
  because "it does not support graphical environments anymore."

- User B, who just uses graphical programs occasionally via SSH, issues
  DISPLAY= on the remote host, and "xhost +" on his X Client, because
  that's the way he knows it best, and it's quicker than copying a

Fact: Users like "easy to use" environments. Adding too restrictive
security sometimes leads to very unfortunate attempts for "workarounds",
like script-kiddie-type exploits for gaining root access in multiuser
environments, in case of devices like CD-Roms or floppy disks not being
accessible by the local default user who WANTS to use them.

Too restrictive firewalls also often lead to security breaches because
users generate their own tunnels - via software or physical (by
attaching Modems to computers inside a secure LAN).

A reasonably secure system must allow users to work smoothly without too
many restrictions, yet discourage the most obvious dangerous behaviour.

I have heard people who complained that other distributions "force them
to use xrsh for remote X access, because ssh does not work". Of course,
there are the manpages. But rarely ever anyone reads them when he wants
to do something quickly, and knows a workaround.

So, I do object to restricting X11-forwarding as default. For me, the
most common (and therefore should be default) case of using ssh
interactively, is working from one trusted system, logging into another
trusted system, including remote X access.

If you don't trust the remote system, you should not log in at all.  If
you are only afraid of the weakness of the X11 protocol (though there
are also ncurses-based attacks possible), you can still use -x to
DISABLE X11-forwarding, though I still recommend not logging into
systems you don't trust, except when in an emergency (where I would
expect a knowledgeable user to use -x amongst other flags to avoid

> Maybe one should add a hint in the Knoppix FAQ when changing
> the default ssh client config.

Problem: Before reading a FAQ, people will try their own workarounds or
simply complain that "ssh isn't working anymore".

> > In a paper, which will be released to the public shortly, I wrote the
> > following regarding X11 Forwarding:

If you are going to write a paper that says "working with X is
insecure", you are a) probably right in general and b) not telling
anything new.  But please avoid statements like "there is a security
bug" just because X11-forwarding is set to "allowed" by default.

I could also imagine a paper that analyzes how "increase of security
features decreases security". Maybe someone wants to write one for
a LinuxTag talk? ;-)

-Klaus Knopper