Re: Let me ask the most FAQ, too
- Subject: Re: Let me ask the most FAQ, too
- From: Ronnie Misra <email@hidden>
- Date: Mon, 16 Feb 2004 10:10:20 -0800
On Feb 16, 2004, at 8:58 AM, Rich Cook wrote:
> Wow, I didn't think that was the case. The man page for ssh pretty
> strongly hints that connections are only allowed from the ssh-spawned
> shell, which would be fine, but I just confirmed that other shells
> (and presumably other users) could connect via the socket set up by
> ssh. So another user on the remote host can just start guessing port
> numbers starting at 6000 and presumably find your X server listening
> (until you closed your ssh session).
Rich,
Apple X11 uses xauth by default, and will only allow clients to connect
if they know your server's "magic cookie". Every time you restart X11,
a new cookie is generated. When you ssh into another machine, your ssh
client tells sshd on the server to add that cookie. That is why other
shells on the remote machine can access your display. However, other
*users* should not be able to access your display, since they won't
know your cookie. It's not enough for them to just guess your port.
Ronnie
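
Added example (not part of the message above, and not Apple's or OpenSSH's code): xauth keeps the cookie in the Xauthority file of the account you log in to, so other users are kept out only as long as they cannot read that file. This Python code parses the file's length-prefixed records and checks its mode bits; the sample entry, the host name "remotehost" and the helper names are constructed for illustration.

```python
import os
import stat
import struct

def parse_xauthority(blob):
    """Parse Xauthority bytes into entries; cookie values are not retained."""
    def counted(pos):
        # Each field: 2-byte big-endian length, then that many bytes.
        if pos + 2 > len(blob):
            raise ValueError("truncated length")
        (n,) = struct.unpack_from(">H", blob, pos)
        if pos + 2 + n > len(blob):
            raise ValueError("truncated field")
        return blob[pos + 2:pos + 2 + n], pos + 2 + n

    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family")
        (family,) = struct.unpack_from(">H", blob, pos)
        address, pos = counted(pos + 2)
        display, pos = counted(pos)
        scheme, pos = counted(pos)
        cookie, pos = counted(pos)
        entries.append({"family": family, "address": address,
                        "display": display.decode(), "scheme": scheme.decode(),
                        "cookie_len": len(cookie)})
    return entries

def readable_by_others(path):
    """True if group/other mode bits would let another local user read path."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def counted_field(b):
    return struct.pack(">H", len(b)) + b

# Constructed sample: one entry, family 256 (local), display 10, zeroed cookie.
SAMPLE = (struct.pack(">H", 256) + counted_field(b"remotehost")
          + counted_field(b"10") + counted_field(b"MIT-MAGIC-COOKIE-1")
          + counted_field(bytes(16)))

if __name__ == "__main__":
    path = os.environ.get("XAUTHORITY", os.path.expanduser("~/.Xauthority"))
    if os.path.exists(path):
        with open(path, "rb") as f:
            for e in parse_xauthority(f.read()):
                print(e)
        print("readable by other users:", readable_by_others(path))
    else:
        print(parse_xauthority(SAMPLE))
```

The mode-bit check does not look at ACLs or at the permissions of the enclosing directory.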