Re: [SLE] export DISPLAY and xhost +

From: Anders Johansson (andjoh_at_rydsbo.net)
Date: 05/26/04

    To: suse-linux-e@suse.com
    Date: Wed, 26 May 2004 01:21:25 +0200
    
    

    On Wednesday 26 May 2004 01.14, Sid Boyce wrote:
    > Anders Johansson wrote:
    > >Forgive me, but I fail to see the problem then. Are you perhaps under the
    > >impression that remote X using DISPLAY travels over ssh just because you
    > >logged in with ssh -X when you ran it?
    > >
    > >It doesn't
    > >
    > >ssh -X will keep working even with -nolisten tcp as an option to X
    >
    > "man ssh" gives that impression --------
    > X11 and TCP forwarding
    > If the ForwardX11 variable is set to “yes” (or see the description of the
    > -X and -x options described later) and the user is using X11 (the DISPLAY
    > environment variable is set), the connection to the X11 display is
    > automatically forwarded to the remote side in such a way that any X11
    > programs started from the shell (or command) will go through the encrypted
    > =======================
    > channel, and the connection to the real X server will be made from the
    > =========
    > local machine. The user should not manually set DISPLAY. Forwarding of
    > X11 connections can be configured on the command line or in configuration
    > files.
    > ---------------------------------------------------------------------------
    > Then it says
    > ==========
    > -X Enables X11 forwarding. This can also be specified on a per-host
    > basis in a configuration file.
    >
    > X11 forwarding should be enabled with caution. Users with the
    > ability to bypass file permissions on the remote host (for the
    > user's X authorization database) can access the local X11 display
    > through the forwarded connection. An attacker may then be able
    > to perform activities such as keystroke monitoring.
    >
    > Now I'm a bit puzzled.

    So am I. I don't understand your question.

    When you log in with ssh -X, the ssh server will set up what you might call a
    'pseudo X' server, and set the DISPLAY variable to point to it. This is
    normally localhost:10.0 or something. When an X application tries to contact
    the X server through that address, ssh will take care of forwarding the X
    calls to your locally running X server. If you manually change the DISPLAY
    variable to point directly to the local machine you will be bypassing ssh and
    its encryption completely.

    The security note at the end simply means that any user with sufficient
    permissions on the remote end will be able to access your local X server
    through your ssh connection as though he were you, because ssh doesn't
    protect you on the remote machine, it only protects the packets in transit
    between the machines.

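The distinction drawn in the reply above, as an added example that is not part of the original message: a shell function that classifies a DISPLAY value to show whether X traffic would use the ssh proxy display or go straight over TCP to another host. The function name, the class labels and the sample values are assumptions made for this sketch, and treating a loopback display inside an ssh session as the ssh proxy is a heuristic.

```shell
#!/bin/sh
# Added example, not from the original thread.
# classify_display DISPLAY_VALUE [SSH_CONNECTION_VALUE]
# Prints one of: unset, invalid, local-socket, ssh-forwarded,
# loopback-tcp, direct-tcp. Labels are this sketch's own.
classify_display() {
    d=$1
    ssh_conn=${2-}
    [ -n "$d" ] || { echo "unset"; return 0; }

    # DISPLAY has the form [host]:display[.screen]; a colon is required.
    case $d in *:*) ;; *) echo "invalid"; return 0 ;; esac
    host=${d%:*}      # text before the last colon (may be empty)
    rest=${d##*:}     # display[.screen]
    num=${rest%%.*}   # display number only
    case $num in ''|*[!0-9]*) echo "invalid"; return 0 ;; esac

    case $host in
        ''|unix)
            # Unix-domain socket on this machine, no network involved.
            echo "local-socket" ;;
        localhost|127.0.0.1|::1)
            # Loopback TCP. Inside an ssh session this is most likely the
            # proxy display set up by ssh -X (heuristic assumption).
            if [ -n "$ssh_conn" ]; then echo "ssh-forwarded"
            else echo "loopback-tcp"; fi ;;
        *)
            # Named remote host: X protocol in the clear, ssh bypassed.
            echo "direct-tcp" ;;
    esac
}

# Constructed sample values (192.0.2.0/24 is a documentation range).
SAMPLE_SSH="192.0.2.10 50000 192.0.2.20 22"
for sample in "localhost:10.0" "192.0.2.10:0.0" ":0"; do
    printf '%-16s -> %s\n' "$sample" "$(classify_display "$sample" "$SAMPLE_SSH")"
done

# Report on the current session when the variables are present.
printf 'current session  -> %s\n' \
    "$(classify_display "${DISPLAY-}" "${SSH_CONNECTION-}")"
```

A `direct-tcp` result inside an ssh login is the case the reply warns about: DISPLAY was changed by hand and the X connection no longer goes through the encrypted channel.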
    
