5 Replies Latest reply: Aug 23, 2012 9:07 AM by CyberNinja RSS

    X forwarding vs Remote DISPLAY

    CyberNinja
      Hello,
      I have a question about X forwarding. I was told that we can't X forwarding anymore, do to a security checklist.
      Example:

      cyberninja@server1# ssh -X server2


      So we have to use the DISPLAY variable now. I thought this was less secure?
      Example:

      cyberninja@server1# xhost + server2
      server1 being added to access control list
      cyberninja@server1# echo $DISPLAY
      :1.0
      cyberninja@server1# ssh server2
      cyberninja@server2# export DISPLAY=server1:1.0
      cyberninja@server1# gedit #for example


      What gives, is this more or less secure the X forwarding? Is there a better way?

      Any info would be helpful
      Edit/Delete Message
        • 1. Re: X forwarding vs Remote DISPLAY
          bobthesungeek76036
          X forwarding via ssh is a form of ssh tunneling. My guess is your security team is against ssh tunneling and that's the reason for their decision? Also, instead of xhost you should be using xauth...
          • 2. Re: X forwarding vs Remote DISPLAY
            CyberNinja
            Thank you for replying.
            I have not used xauth. Can you give more detail?
            • 3. Re: X forwarding vs Remote DISPLAY
              bobthesungeek76036
              I'm still using X tunneling so I don't work with xauth much. But it goes something like this:

              on local system

              <pre>xauth list $DISPLAY</pre>

              ssh to remote system and run

              <pre>DISPLAY={whatever $DISPLAY is on local system}; export DISPLAY
              xauth add {the output of "xauth list $DISPLAY on local system}
              </pre>

              $DISPLAY needs to be something other than "localhost:X.X". It needs to point to a resolvable address to the remote system.
              • 4. Re: X forwarding vs Remote DISPLAY
                800381
                CyberNinja wrote:
                Hello,
                I have a question about X forwarding. I was told that we can't X forwarding anymore, do to a security checklist.
                Example:

                cyberninja@server1# ssh -X server2


                So we have to use the DISPLAY variable now. I thought this was less secure?
                Example:

                cyberninja@server1# xhost + server2
                server1 being added to access control list
                cyberninja@server1# echo $DISPLAY
                :1.0
                cyberninja@server1# ssh server2
                cyberninja@server2# export DISPLAY=server1:1.0
                cyberninja@server1# gedit #for example


                What gives, is this more or less secure the X forwarding? Is there a better way?

                Any info would be helpful
                Edit/Delete Message
                So, your security people won't allow you to use X forwarding via SSH but you can use remote X directly across the network?

                Wow.

                That's like a babysitter putting a 3-year-old out in the middle of a superhighway - it's gob-smackingly incompetent.

                Send this to your "security" people:

                http://www.biac.duke.edu/library/documentation/xwin32/Security.html

                All xauth does is set up a cookie that makes connecting to your X server somewhat harder. The data going across the network isn't encrypted, which means your keystrokes, mouse movements, and screen contents can be trivially intercepted. And if someone does crack your xauth cookie, they can pretty much set up a keylogger/screen dumper on you that you won't even know about.

                And without xauth, anyone can pretty much log all your keystrokes and dump what's on your screen just by attaching an appropriate application to your X server.

                It's amazing that your "security" people are members of the same species that put a man on the moon.
                • 5. Re: X forwarding vs Remote DISPLAY
                  CyberNinja
                  user5287726,
                  Thank you for replying to my question. I thought I saw stuff on the internet about remote display, being less secure. For me to get an exception for X forwarding I would need to justify it to the security person. Do you know of any cve or other such valuerbility listing that shows the DISPLAY security issue.