Package: openssh-client
Version: 1:6.7p1-5
Severity: important

/etc/ssh/ssh_config lists default "ForwardX11 no" and "ForwardX11Trusted yes".

So, `ssh -X` is actually equivalent to `ssh -X -Y` without telling the user. The default should be "ForwardX11Trusted no", else the -Y option is essentially meaningless. This is very misleading because users will think that, because the -Y option is a positive affirmation, it is normally not set by default when using the -X option. This could lead to compromise of the client host when connecting to an untrusted server, such as an employer with malicious practices or whose server is compromised.

The following checks demonstrate that the default settings allow a trusted connection (an implicit -Y when using -X). `xwd` generates a 13M file with the default settings, but does not work when "ForwardX11Trusted no" is set in /etc/ssh/ssh_config.

======================================
hedges@peanut ~ 2015-10-28 10:40:11 -0700 Wed
$ grep -E '(ForwardX11|^Host)' /etc/ssh/ssh_config
Host *
#   ForwardX11 no
#   ForwardX11Trusted yes

hedges@peanut ~ 2015-10-28 10:40:16 -0700 Wed
$ ssh -X localhost xwd -root > /tmp/test.xwd

hedges@peanut ~ 2015-10-28 10:40:28 -0700 Wed
$ ls -lah /tmp/test.xwd
-rw-r--r-- 1 hedges hedges 13M Oct 28 10:40 /tmp/test.xwd

hedges@peanut ~ 2015-10-28 10:40:33 -0700 Wed
$ sudo vi /etc/ssh/ssh_config

hedges@peanut ~ 2015-10-28 10:40:46 -0700 Wed
$ grep -E '(ForwardX11|^Host)' /etc/ssh/ssh_config
Host *
    ForwardX11Trusted no
#   ForwardX11 no
#   ForwardX11Trusted yes

hedges@peanut ~ 2015-10-28 10:40:50 -0700 Wed
$ ssh -X localhost xwd -root > /tmp/test.xwd

hedges@peanut ~ 2015-10-28 10:40:53 -0700 Wed
$ ls -lah /tmp/test.xwd
-rw-r--r-- 1 hedges hedges 0 Oct 28 10:40 /tmp/test.xwd
======================================

This should be considered a security risk since the documentation is misleading.

Yes, changing the default will break client scripts where they use `ssh -X` and it happens to work only because -Y is implicit but they didn't know that. Those users will have to add -Y to their scripts.

Thank you.
Mark Hedges

Default /etc/ssh/ssh_config:

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.25
ii  libc6             2.19-18+deb8u1
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-19
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.1k-3+deb8u1
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain     <none>
pn  libpam-ssh   <none>
pn  monkeysphere <none>
pn  ssh-askpass  <none>

-- no debconf information
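As an added illustration (not part of the bug report or of the openssh-client package), the following shell snippet applies the "first occurrence wins" rule from the ssh_config header to the two grep results in the report, showing why placing `ForwardX11Trusted no` ahead of the commented defaults under `Host *` is what switches `ssh -X` back to untrusted forwarding. It assumes the compiled-in Debian default for ForwardX11Trusted is "yes", as the reporter's xwd test indicates; the two sample configs are constructed copies of the grep outputs.

```sh
#!/bin/sh
# Added example, not from the bug report: apply ssh_config's rule that a
# keyword takes the FIRST uncommented value seen, to the two grep results
# in the report. Assumption: the compiled-in Debian default for
# ForwardX11Trusted is "yes" (inferred from the report's xwd test).

# effective_option KEYWORD DEFAULT  < ssh_config
# Prints the first uncommented value of KEYWORD (keywords are
# case-insensitive), lowercased, or DEFAULT if the file never sets it.
effective_option() {
    awk -v key="$1" -v def="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments, blank lines
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    '
}

# Constructed copies of the two grep outputs shown in the report.
BEFORE='Host *
#   ForwardX11 no
#   ForwardX11Trusted yes'

AFTER='Host *
    ForwardX11Trusted no
#   ForwardX11 no
#   ForwardX11Trusted yes'

# Prints "yes" when plain "ssh -X" would silently behave like "ssh -X -Y".
trusted_implicit() {
    printf '%s\n' "$1" | effective_option ForwardX11Trusted yes
}

# Stand-alone run: "yes" for the shipped file, "no" after the reporter's edit.
echo "shipped default : $(trusted_implicit "$BEFORE")"
echo "after the edit  : $(trusted_implicit "$AFTER")"
```

The same function can be pointed at a real file with `effective_option ForwardX11Trusted yes < /etc/ssh/ssh_config` to audit a host before relying on plain `-X`.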

