Aaron W. Hsu wrote:
I have read ssh(1) and xhost(1), as well as this page:
<http://piast.cbio.psu.edu/reference/NetworkingCD2.0/ssh/ch09_03.htm>
where it says:
X forwarding with authentication spoofing solves all but one of
the X authentication problems we raised earlier:
xhost
X forwarding doesn't use xhost. (By the way, make sure
to disable all xhost permissions when using X
forwarding, or you will undermine the X security
provided by SSH.)
in xhost(1) I read:
+ Access is granted to everyone, even if they aren't on
the list (i.e., access control is turned off).
and in ssh(1) I read:
-X Enables X11 forwarding. This can also be specified on a
per-host basis in a configuration file.
X11 forwarding should be enabled with caution. Users
with the ability to bypass file permissions on the
remote host (for the user's X authorization database)
can access the local X11 display through the forwarded
connection. An attacker may then be able to perform
activities such as keystroke monitoring.
For this reason, X11 forwarding is subjected to X11
SECURITY ex- tension restrictions by default. Please
refer to the ssh -Y op- tion and the ForwardX11Trusted
directive in ssh_config(5) for more information.
[...]
-Y Enables trusted X11 forwarding. Trusted X11 forwardings
are not subjected to the X11 SECURITY extension controls.
And this is where I become confused: I am connecting to my remote host
through ssh using the command `ssh -X u...@host` and it works alright
when I use `xhost +`, but does not work when I do `xhost +<host>`; ssh
-X u...@host` nor when I use `xhost -; ssh -X u...@host`.
When I read the web link, it tells me to disable xhost, but it does not
give me a way to do that. Reading the xhost man page makes me think
that `xhost +` actually disables xhost authentication rather than making
xhost pre-authenticate the entire address space. This appears to be
born out by the fact that ssh -X does not work when I just manually add
the right xhost in; if I were wrong here, I would expect X forwarding to
fail both when I used `xhost +` and when I used `xhost +<host>`.
However, reading outsie the parentheses in the xhost man page, it makes
me think that it really is authenticating all the address space, and
making it possible for every client in the world to authenticate to my X
server without having to use any kind of xauth authentication, which I
want to avoid. The parenthetical clause seems to say something
different though; it seems to say that xhost is disabled, and any client
wishing to connect will now have to authenticate with a different
mechanism.
I have tried using ssh -Y and that works, but I am concerned about using
that because of the warnings issued in ssh(1), since it appears that -Y
disables all the proper security measures that -X uses.
Can someone please confirm whether I am wrong or right and if wrong,
what the right way to do this is? I would like to make a semi-secure
connection to this remote machine somehow, and I am concerned that the
use of `xhost +` is quite insecure.
I'm far from an X expert, but all I need to do to make X over ssh work
is to enable X forwarding in sshd_config. If I'm not mistaken the ssh
tunnel will effectively make the connection to the server from localhost
(ie the server itself) so xhost would not be needed.
/Alexander
