Hi List =)
Thanks for all your answers; this is enlightening ;-) Well, I wasn't sure about X11 forwarding because I set this line in sshd config
X11Forwarding no
But apparently, as Lutz pointed out, this can be overridden. I assume that can't be disabled, resp. users can't be prevented from overriding?
Well..anyways, no root compromise, so.... *g
Thanks again & Cheers
Chr. Burri
  .-.
  /v\    L I N U X
 // \\  >I know Kung Fu!<
/(   )\
 ^^-^^
> X11Forwarding no
> But apparently, as Lutz pointed out, this can be overridden.
This should not be possible. If it is, it should be considered a bug. Are you sure you did restart or SIGHUP the main sshd? (Be careful with "killall -HUP sshd" if you are logged in remotely!)
> I assume that can't be disabled, resp. users can't be prevented from overriding?
Always. If you do not want to have it enabled and the daemon refuses to refuse x11-forwarding, you can still make the xauth program inaccessible on the server side.
> Well..anyways, no root compromise, so.... *g
Well, it should do what it says in the config.
Please send me a PM with the version number of the package you're using
(openssh or ssh: rpm -q (open)ssh).
Roman.
--
- -
| Roman Drahtmüller
On Mon, Aug 20, 2001 at 05:07:14PM +0200, Roman Drahtmueller wrote:
> This should not be possible. If it is, it should be considered a bug.
Of course, that's true. I was thinking in terms of the 'ssh client' not of the 'sshd server'... My comment about using "xhost +client" or even "xhost +" still applies however...
Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
On Mon, Aug 20, 2001 at 05:09:37PM +0200, christian.burri@synecta.ch wrote:
> Hi List =)
> Thanks for all your answers; this is enlightening ;-) Well, I wasn't sure about X11 forwarding because I set this line in sshd config
> X11Forwarding no
> But apparently, as Lutz pointed out, this can be overridden. I assume that can't be disabled, resp. users can't be prevented from overriding?
No. Not really. You don't need root permissions to open a connection on port 6010ff (> 1024), so even if you would patch OpenSSH to remove this feature, users could still compile their own packages. (And, in fact, X tunneling is far superior to having users perform "xhost +" :-)
Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
> No. Not really. You don't need root permissions to open a connection on port 6010ff (> 1024), so even if you would patch OpenSSH to remove this feature, users could still compile their own packages.
This is true, but there is no point in telling the daemon to not do it, and it does so anyway.
> (And, in fact, X tunneling is far superior to having users perform "xhost +" :-)
That's true. :-/
> Best regards, Lutz
Thanks,
Roman.
--
- -
| Roman Drahtmüller
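Added example, not part of the thread and not the posters' or OpenSSH's own code: a shell check for the question discussed above, whether a server configuration really leaves X11 forwarding off. It goes beyond the 2001 thread by also flagging `Match` blocks, which later OpenSSH releases use for per-user overrides. The function name `x11_audit` and the sample config are constructed for illustration, `Include` files are not followed, and the upstream default of `no` is assumed when the keyword is absent.

```shell
#!/bin/sh
# Added example: report where an sshd_config file turns X11 forwarding on.
# Usage: x11_audit /path/to/sshd_config
x11_audit() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    { key = tolower($1) }                  # keywords are case-insensitive
    key == "match" {                       # start of a conditional block
      in_match = 1; seen = 0; cond = ""
      for (i = 2; i <= NF; i++) cond = cond (i > 2 ? " " : "") $i
      next
    }
    key == "x11forwarding" {
      if (!in_match) {
        if (top == "") top = $2            # first value obtained wins
      } else if (!seen) {
        seen = 1                           # first value inside this block wins
        if ($2 == "yes") over = over "match-enables: " cond "\n"
      }
    }
    END {
      if (top == "") top = "no"            # assumed upstream default
      printf "global: %s\n%s", top, over
    }
  ' "$1"
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host config
X11Forwarding no
x11forwarding yes
Match User alice
    X11Forwarding yes
EOF
x11_audit "$sample"
rm -f "$sample"
```

The second `x11forwarding yes` line is ignored because an earlier line already set the keyword, while the `Match User alice` block is reported because it re-enables forwarding for that user despite the global `no`.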
participants (3)
- christian.burri@synecta.ch
- Lutz Jaenicke
- Roman Drahtmueller