Re: Let me ask the most FAQ, too
- Subject: Re: Let me ask the most FAQ, too
- From: Nick Phillips <email@hidden>
- Date: Tue, 17 Feb 2004 08:48:35 +1300
On 17/02/2004, at 8:06 AM, Ronnie Misra wrote:
Apple X11 uses xauth by default, and will only allow clients to
connect if they know your server's "magic cookie". Every time you
restart X11, a new cookie is generated. When you ssh into another
machine, your ssh client tells sshd on the server to add that cookie.
That is why other shells on the remote machine can access your
display. However, other *users* should not be able to access your
display, since they won't know your cookie. It's not enough for them
to just guess your port.
Quite. You should be safe from the average *user* on the remote
machine...
Actually, just for the sake of technical correctness, from
<http://www.openssh.org/features.html>:
X11 forwarding allows the encryption of remote X windows traffic, so
that nobody can snoop on your remote xterms or insert malicious
commands. The program automatically sets DISPLAY on the server
machine, and forwards any X11 connections over the secure channel.
Fake Xauthority information is automatically generated and forwarded
to the remote machine; the local client automatically examines
incoming X11 connections and replaces the fake authorization data
with the real data (never telling the remote machine the real
information).
...and you should be safe from anyone snooping on the network. You're not
safe from anyone who has root on the remote machine, though. This might mean
the admin, or it might mean someone who's cracked the box after the admin
forgot to update quick enough.
This is why you don't want ssh's X forwarding turned on by default; someday
you will forget and log in to an untrusted machine with it still turned on.
Cheers,
Nick
--
Nick Phillips / +64 3 479 4195 / email@hidden
# these statements are my own, not those of the University of Otago
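
A check for the situation described above (X forwarding left on for every host), as an added example that is not part of the original message: a shell function that lists the `Host`/`Match` blocks of an ssh_config file in which `ForwardX11` or `ForwardX11Trusted` is set to `yes`. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# Lists the blocks of an ssh_config file that turn X11 forwarding on.
# Usage: x11_forward_blocks FILE
x11_forward_blocks() {
    awk '
        BEGIN { block = "(global)" }          # options before the first Host line
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop indentation
            if (line == "" || line ~ /^#/) next
            n = match(line, /[ \t=]/)         # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n)
            sub(/^[ \t=]+/, "", val)
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)
            if (key == "host" || key == "match") { block = key " " val; next }
            if ((key == "forwardx11" || key == "forwardx11trusted") \
                && tolower(val) == "yes")
                print block ": " key
        }
    ' "$1"
}

# Constructed sample config: forwarding on for every host, plus one
# block that enables it and one that disables it.
write_sample_config() {
    cat > "$1" <<'EOF'
Host *
    ForwardX11 yes
Host trusted.example.org
    ForwardX11=yes
    ForwardX11Trusted no
Host shellbox.example.net
    # forwardx11 yes
    forwardx11 no
EOF
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp) && write_sample_config "$tmp" && x11_forward_blocks "$tmp"
rm -f "$tmp"
```

A `host *` line in the output means forwarding is on for every machine you log in to unless an earlier block overrides it; `ssh -G hostname` prints the options ssh would actually use for one destination.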