Re: Let me ask the most FAQ, too
- Subject: Re: Let me ask the most FAQ, too
- From: Rich Cook <email@hidden>
- Date: Tue, 17 Feb 2004 09:44:31 -0800
I see the sense in disabling it now. You don't want an X connection to
some (non-trusted) machines.
On Feb 16, 2004, at 1:01 PM, Ronnie Misra wrote:
On Feb 16, 2004, at 11:48 AM, Nick Phillips wrote:
On 17/02/2004, at 8:06 AM, Ronnie Misra wrote:
Apple X11 uses xauth by default, and will only allow clients to
connect if they know your server's "magic cookie". Every time you
restart X11, a new cookie is generated. When you ssh into another
machine, your ssh client tells sshd on the server to add that
cookie. That is why other shells on the remote machine can access
your display. However, other *users* should not be able to access
your display, since they won't know your cookie. It's not enough
for them to just guess your port.
Quite. You should be safe from the average *user* on the remote
machine...
Actually, just for the sake of technical correctness, from
<http://www.openssh.org/features.html>:
X11 forwarding allows the encryption of remote X windows traffic,
so that nobody can snoop on your remote xterms or insert malicious
commands. The program automatically sets DISPLAY on the server
machine, and forwards any X11 connections over the secure channel.
Fake Xauthority information is automatically generated and
forwarded to the remote machine; the local client automatically
examines incoming X11 connections and replaces the fake
authorization data with the real data (never telling the remote
machine the real information).
...and you should be safe from anyone snooping on the network. You're
not safe from anyone who has root on the remote machine, though. This
might mean the admin, or it might mean someone who's cracked the box
after the admin forgot to update quickly enough.
This is why you don't want ssh's X forwarding turned on by default;
someday you will forget and log in to an untrusted machine with it
still turned on.
Absolutely right. Similarly, you should pay attention when you see
ssh's messages about host keys changing, and you should verify key
fingerprints when you connect to a new machine. I wonder how many
people actually do this, though...
Ronnie
_______________________________________________
x11-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/x11-users
X11 for Mac OS X FAQ: http://developer.apple.com/qa/qa2001/qa1232.html
Report issues, request features, feedback:
http://developer.apple.com/bugreporter
Do not post admin requests to the list. They will be ignored.
--
Richard Cook
Lawrence Livermore National Laboratory
Bldg-451 Rm-2043, Mail Stop L-561
7000 East Avenue, Livermore, CA, 94550, USA
phone (925) 423-9605 (work) fax (925) 423-8704
---
Information Management & Graphics Grp., Services & Development Div.,
Integrated Computing & Communications Dept.
(opinions expressed herein are mine and not those of LLNL)