5 Replies. Latest reply: Aug 23, 2012 7:07 AM by CyberNinja

X forwarding vs Remote DISPLAY

CyberNinja Newbie
Hello,
I have a question about X forwarding. I was told that we can't use X forwarding anymore, due to a security checklist.
Example:

cyberninja@server1# ssh -X server2


So we have to use the DISPLAY variable now. I thought this was less secure?
Example:

cyberninja@server1# xhost + server2        # host-based access: any user on server2 may now connect to this X server
server2 being added to access control list
cyberninja@server1# echo $DISPLAY
:1.0
cyberninja@server1# ssh server2
cyberninja@server2# export DISPLAY=server1:1.0   # clients on server2 talk to the X server on server1 over TCP port 6001, unencrypted
cyberninja@server2# gedit #for example


What gives, is this more or less secure than X forwarding? Is there a better way?

Any info would be helpful
  • 1. Re: X forwarding vs Remote DISPLAY
    bobthesungeek76036 Pro
    X forwarding via ssh is a form of ssh tunneling. My guess is your security team is against ssh tunneling and that's the reason for their decision? Also, instead of xhost you should be using xauth...
  • 2. Re: X forwarding vs Remote DISPLAY
    CyberNinja Newbie
    Thank you for replying.
    I have not used xauth. Can you give more detail?
  • 3. Re: X forwarding vs Remote DISPLAY
    bobthesungeek76036 Pro
    I'm still using X tunneling so I don't work with xauth much. But it goes something like this:

    on local system

    <pre>xauth list $DISPLAY</pre>

    ssh to remote system and run

    <pre>DISPLAY={whatever $DISPLAY is on the local system}; export DISPLAY
    xauth add {the output of "xauth list $DISPLAY" on the local system}
    </pre>

    $DISPLAY needs to be something other than "localhost:X.X". It needs to point to a resolvable address to the remote system.
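The procedure in the reply above, scripted as an added example (this is not code from the thread or from any of its posters). It takes the cookie for the local X display from `xauth list`, rewrites the display name from the Unix-socket form (`server1/unix:1`) to a host name the remote can resolve (`server1:1`), installs it on the remote over ssh, and prints the `DISPLAY` line to use there. Assumed: the local X server accepts TCP connections on port 6000+N (many distributions start X with `-nolisten tcp`, in which case no cookie will help), the remote can resolve the host name given as the second argument, and `xauth` is installed on both ends. The host names and cookie values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Scripts the xauth procedure from
# reply 3: extract the local cookie, rewrite the display name so the remote
# can reach it, install it remotely over ssh, print the DISPLAY to export.
# Assumptions (see lead-in): X listens on TCP, remote resolves HOST, xauth
# exists on both hosts. Names and cookies here are constructed.

# display_number LINE
#   LINE is one line of "xauth list" output, e.g.
#     server1/unix:1  MIT-MAGIC-COOKIE-1  8f2a...
#   Prints the display number ("1"), dropping host, family and screen.
display_number() {
    set -- $1                        # split fields: display protocol cookie
    case $1 in *:*) ;; *) return 1 ;; esac
    num=${1##*:}                     # text after the last ':'
    printf '%s\n' "${num%%.*}"       # drop any ".screen" suffix
}

# xauth_add_cmd LINE HOST
#   Builds the "xauth add HOST:N PROTOCOL COOKIE" command for the remote side.
#   The local entry is keyed "server1/unix:1" (Unix-socket family) and would
#   not match a TCP connection to server1:1, hence the rewritten display name.
xauth_add_cmd() {
    host=$2
    num=$(display_number "$1") || return 1
    set -- $1
    proto=$2; cookie=$3
    [ -n "$proto" ] && [ -n "$cookie" ] || return 1
    printf 'xauth add %s:%s %s %s\n' "$host" "$num" "$proto" "$cookie"
}

# remote_display_setup REMOTE HOST
#   Ships the cookie for $DISPLAY to REMOTE (the cookie travels inside the
#   ssh session, not over the X11 port) and prints the export line to run
#   there. Needs a live X session and ssh access, so the test does not run it.
remote_display_setup() {
    remote=$1; host=$2
    entry=$(xauth list "${DISPLAY%.*}" | head -n 1)
    [ -n "$entry" ] || { echo "no xauth entry for $DISPLAY" >&2; return 1; }
    cmd=$(xauth_add_cmd "$entry" "$host") || return 1
    ssh "$remote" "$cmd" || return 1
    printf 'export DISPLAY=%s:%s\n' "$host" "$(display_number "$entry")"
}

# Usage:  remote_display_setup server2 server1
# then on server2 run the printed line (export DISPLAY=server1:1) and start
# the X client. Check with "xauth list" on server2 that the entry exists.
```

Two caveats a practitioner should keep in mind. First, once the cookie is on server2, any process that can read that user's `~/.Xauthority` there has the same full access to the X server on server1 (keystrokes, screen contents) that the user has; revoke it with `xauth remove server1:1` when done. Second, this replaces host-based access but not the transport: the X11 traffic between the two hosts is still unencrypted, and if `xhost + server2` was run earlier, undo it with `xhost - server2` so the cookie is actually required.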
  • 4. Re: X forwarding vs Remote DISPLAY
    800381 Explorer
    So, your security people won't allow you to use X forwarding via SSH but you can use remote X directly across the network?

    Wow.

    That's like a babysitter putting a 3-year-old out in the middle of a superhighway - it's gob-smackingly incompetent.

    Send this to your "security" people:

    http://www.biac.duke.edu/library/documentation/xwin32/Security.html

    All xauth does is set up a cookie that makes connecting to your X server somewhat harder. The data going across the network isn't encrypted, which means your keystrokes, mouse movements, and screen contents can be trivially intercepted. And if someone does crack your xauth cookie, they can pretty much set up a keylogger/screen dumper on you that you won't even know about.

    And without xauth, anyone can pretty much log all your keystrokes and dump what's on your screen just by attaching an appropriate application to your X server.

    It's amazing that your "security" people are members of the same species that put a man on the moon.
  • 5. Re: X forwarding vs Remote DISPLAY
    CyberNinja Newbie
    user5287726,
    Thank you for replying to my question. I thought I saw stuff on the internet about remote display being less secure. For me to get an exception for X forwarding I would need to justify it to the security person. Do you know of any CVE or other such vulnerability listing that shows the DISPLAY security issue?
