Mailinglist Archive: opensuse (4547 mails)

Re: [SLE] export DISPLAY and xhost +
  • From: Anders Johansson <andjoh@xxxxxxxxxx>
  • Date: Wed, 26 May 2004 01:21:25 +0200
  • Message-id: <200405260121.25294.andjoh@xxxxxxxxxx>
On Wednesday 26 May 2004 01.14, Sid Boyce wrote:
> Anders Johansson wrote:
> >Forgive me, but I fail to see the problem then. Are you perhaps under the
> >impression that remote X using DISPLAY travels over ssh just because you
> >logged in with ssh -X when you ran it?
> >
> >It doesn't
> >
> >ssh -X will keep working even with -nolisten tcp as an option to X
>
> "man ssh" gives that impression --------
> X11 and TCP forwarding
> If the ForwardX11 variable is set to “yes” (or see the description of the
> -X and -x options described later) and the user is using X11 (the DISPLAY
> environment variable is set), the connection to the X11 display is
> automatically forwarded to the remote side in such a way that any X11
> programs started from the shell (or command) will go through the encrypted
> =======================
> channel, and the connection to the real X server will be made from the
> =========
> local machine. The user should not manually set DISPLAY. Forwarding of
> X11 connections can be configured on the command line or in configuration
> files.
> ---------------------------------------------------------------------------
> ---------------- Then it says
> ==========
> -X Enables X11 forwarding. This can also be specified on a per-host
> basis in a configuration file.
>
> X11 forwarding should be enabled with caution. Users with the
> ability to bypass file permissions on the remote host (for the
> user's X authorization database) can access the local X11 display
> through the forwarded connection. An attacker may then be able
> to perform activities such as keystroke monitoring.
>
> Now I'm a bit puzzled.

So am I. I don't understand your question.

When you log in with ssh -X, the ssh server will set up what you might call a
'pseudo X' server, and set the DISPLAY variable to point to it. This is
normally localhost:10.0 or something. When an X application tries to contact
the X server through that address, ssh will take care of forwarding the X
calls to your locally running X server. If you manually change the DISPLAY
variable to point directly to the local machine you will be bypassing ssh and
its encryption completely.

The security note at the end simply means that any user with sufficient
permissions on the remote end will be able to access your local X server
through your ssh connection as though he were you, because ssh doesn't
protect you on the remote machine, it only protects the packets in transit
between the machines.
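An added example, not from either poster, that turns the description above into a check a login profile can run: it classifies a DISPLAY value as the ssh-forwarded loopback display sshd sets up (the localhost:10.0 kind), a local socket, or a direct TCP display that would bypass the tunnel. The X11_OFFSET of 10 (sshd's default X11DisplayOffset), the use of SSH_CONNECTION (exported by sshd) and the helper names are my assumptions; IPv6 DISPLAY forms are not handled.

```shell
#!/bin/sh
# Added example, not from the thread. Classify a DISPLAY value:
#   unix      local Unix-domain socket (":0", ":0.0", "unix:0")
#   ssh       loopback with display >= X11_OFFSET: forwarded through ssh
#   loopback  loopback with a low display number: a local X server, not ssh
#   tcp       any other host: direct X over the network, outside ssh
#   empty     DISPLAY is unset
#   invalid   not of the form [host]:display[.screen]

X11_OFFSET=${X11_OFFSET:-10}   # assumption: sshd's default X11DisplayOffset

display_kind() {
    disp=$1
    [ -n "$disp" ] || { echo empty; return 0; }
    case $disp in
        *:*) ;;
        *) echo invalid; return 0 ;;
    esac
    host=${disp%%:*}              # text before the first ':' ("" for ":0")
    rest=${disp#*:}               # "10.0" or "0"
    num=${rest%%.*}               # drop the ".screen" suffix
    case $num in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    case $host in
        ''|unix) echo unix ;;
        localhost|127.0.0.1)
            if [ "$num" -ge "$X11_OFFSET" ]; then echo ssh; else echo loopback; fi ;;
        *) echo tcp ;;
    esac
}

# Return 1 (and warn) when the login came over ssh (SSH_CONNECTION set by
# sshd) but DISPLAY points at a real host, i.e. X traffic would leave the
# encrypted channel. Call from ~/.profile as:
#   check_ssh_display "$DISPLAY" "$SSH_CONNECTION"
check_ssh_display() {
    kind=$(display_kind "$1")
    if [ -n "$2" ] && [ "$kind" = tcp ]; then
        echo "warning: DISPLAY=$1 bypasses the ssh tunnel; X traffic is unencrypted" >&2
        return 1
    fi
    return 0
}
```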
