> So, if I ssh into a system and have X-forwarding for the session, anything
> including my initial [bash or other] shell could be logging my local
> keystrokes, even in other windows? (assuming the shell binary was modified
> to log such events)
Remember that if you log into a remote system, your "local" keystrokes
aren't really local-- they typically go out to the remote system and
are echoed back inside of your login window. So if an attacker has
control of the remote system, they can see all of your interactions
with that machine.
Now when you add X forwarding on top of that, you've essentially
created one end of a conduit that a remote attacker on the system could
use to access the X server on your local box. It's unfortunate, but
X Windows authentication is relatively trivial (an attacker with root
on the remote system can easily steal your "MIT magic cookie" authenticator
to get access) and is basically an "all or nothing" privilege model.
Once the attacker has the right authentication credentials, they can
use a tool like xkey (grab keystrokes) or xwatch/xmon (grabs the video
display) to see what's happening on your local X desktop.
On a Unix machine, that's death because _everything_ is going through
the X server on your local machine (assuming you're operating under
the GUI and not the text console). On a Windows box, it's just the
stuff you do in whatever third-party X desktop you're using, not the
stuff that's happening in the normal Windows desktop environment.
This all sounds very scary, but it's important to point out that X
forwarding over SSH is vastly more secure than the normal remote X
protocol that happens on 6000/tcp. The normal X remote protocol has
all of the authentication problems described above PLUS it happens in
clear text on the network, which means you can watch the network from
some other system with something like Der Mouse's "X Connection
Monitor" and passively sniff everything that's going on between the
two machines.
> If this is true, I think we'll all be more wary of logging in to others'
> systems...
Of course you should be-- and it's not just because of the stuff we're
talking about here. When you set up an account on somebody else's
machine, do you use the same password you use at work or on your
personal machines? Do you create SSH identity certificates (or worse,
set up .rhosts-style trust relationships) on that system for logging
into other machines? Do you jump from the untrusted remote system to
other devices on the network (allowing the owner of the untrusted
system to monitor your remote login and steal passwords and other
information)? Do you trust their DNS configuration to give correct
info? Do you trust the OS binaries not to be trojan horses that are
doing other nefarious and malicious things?
You can't be too paranoid about this stuff, IMHO.
--
Hal Pomeranz, Founder/CEO Deer Run Associates [EMAIL PROTECTED]
Network Connectivity and Security, Systems Management, Training
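As an added example, not part of the post above: a small Python audit of an OpenSSH client config that reports, per host, whether a login would forward X11 at all and whether that forwarding is "trusted" (full access to the local X server, the all-or-nothing model discussed above). The config text is a constructed sample, and the parser is an assumption-laden subset of ssh_config(5): first obtained value wins, `Host` blocks match with shell globs, negated patterns and `Match` blocks are not handled.

```python
"""Audit an OpenSSH client config for hosts that would get X11 forwarding."""
import fnmatch
import shlex

# Constructed sample ssh_config for demonstration; not from any real system.
SAMPLE_CONFIG = """
Host devbox
    HostName devbox.example.net
    ForwardX11 yes
    ForwardX11Trusted yes

Host shell.untrusted.example
    ForwardX11 yes

Host *
    ForwardX11 no
    ForwardX11Trusted no
"""


def effective_options(config_text, host_alias):
    """Return the options ssh would apply when invoked as `ssh host_alias`.

    ssh_config(5) semantics used here: the first obtained value for each
    keyword wins; a `Host` block applies while any of its patterns matches
    the alias; options before the first `Host` line apply everywhere.
    """
    applies = True
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line.replace("=", " ", 1))
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            applies = any(fnmatch.fnmatchcase(host_alias, p) for p in args)
            continue
        if applies and key not in opts:
            opts[key] = " ".join(args)
    return opts


def x11_exposure(config_text, host_alias):
    """Classify what a login to `host_alias` hands to that remote system.

    Defaults follow ssh_config(5): both keywords are off unless set, although
    some distributions ship ForwardX11Trusted yes in the system-wide file.
    """
    o = effective_options(config_text, host_alias)
    forwarded = o.get("forwardx11", "no").lower() == "yes"
    trusted = o.get("forwardx11trusted", "no").lower() == "yes"
    if not forwarded:
        return "none"
    return "trusted" if trusted else "untrusted"


def audit(config_text, host_aliases):
    """Map each alias to its X11 exposure so risky entries stand out."""
    return {h: x11_exposure(config_text, h) for h in host_aliases}
```

Run `audit(SAMPLE_CONFIG, [...])` against your own `~/.ssh/config` text to see which entries would open the conduit described above; "trusted" entries deserve the most scrutiny.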
EuG-LUG mailing list
http://mailman.efn.org/cgi-bin/listinfo/eug-lug