Les Mikesell lesmikesell@gmail.com wrote:
>> What's a 'trusted' forwarding mean as opposed to any other kind? <<
A trusted X11 client will bypass the security controls specified in the X11 Security Extension Specification (see http://refspecs.freestandards.org/X11/security.pdf). In general, you don't want to enable this unless you have to. Notice that "trusted forwarding" trusts the users to all be good guys.
(In fact, if you're on a trusted network, you shouldn't need to use SSH at all, since you trust the devices (and their users) attached to the network not to do nasty things like network sniffing, MitM attacks, etc.).
Best,
--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909
On Sat, Dec 08, 2007, Les Bell wrote:
> Les Mikesell lesmikesell@gmail.com wrote:
> >> What's a 'trusted' forwarding mean as opposed to any other kind? <<
> A trusted X11 client will bypass the security controls specified in the X11 Security Extension Specification (see http://refspecs.freestandards.org/X11/security.pdf). In general, you don't want to enable this unless you have to. Notice that "trusted forwarding" trusts the users to all be good guys.
> (In fact, if you're on a trusted network, you shouldn't need to use SSH at all, since you trust the devices (and their users) attached to the network not to do nasty things like network sniffing, MitM attacks, etc.).
True enough, but ssh makes the X11 DISPLAY things so easy! One doesn't have to muck with xhosts and such.
Bill
--
INTERNET: bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
Les Bell wrote:
> Les Mikesell lesmikesell@gmail.com wrote:
> >> What's a 'trusted' forwarding mean as opposed to any other kind? <<
> A trusted X11 client will bypass the security controls specified in the X11 Security Extension Specification (see http://refspecs.freestandards.org/X11/security.pdf). In general, you don't want to enable this unless you have to. Notice that "trusted forwarding" trusts the users to all be good guys.
Is there a way to describe it in more than 2 words but less than 18 pages? The main point seems to be that almost nothing works if your forwarding isn't trusted. But shouldn't being able to log in via ssh mean that you are trusted?
On Sat, Dec 08, 2007, Les Mikesell wrote:
> Les Bell wrote:
> > Les Mikesell lesmikesell@gmail.com wrote:
> > >> What's a 'trusted' forwarding mean as opposed to any other kind? <<
> > A trusted X11 client will bypass the security controls specified in the X11 Security Extension Specification (see http://refspecs.freestandards.org/X11/security.pdf). In general, you don't want to enable this unless you have to. Notice that "trusted forwarding" trusts the users to all be good guys.
> Is there a way to describe it in more than 2 words but less than 18 pages? The main point seems to be that almost nothing works if your forwarding isn't trusted. But shouldn't being able to log in via ssh mean that you are trusted?
One would hope so, assuming authorized_keys and proper pass phrases (but then putty and others allow this from the Microsoft Virus, Windows and I don't trust anything coming from Windows).
On the few systems where we permit ssh authentication with user name and password, access is tightly controlled via tcp_wrappers to specific IP addresses.
Recently we have been using OpenVPN to allow secure access from remote users which makes restricting ssh access easier when people are roaming so can't be easily identified by IP address.
Bill
--
INTERNET: bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
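The IP-restricted sshd access Bill describes via tcp_wrappers, as an added example rather than the thread's or any site's own configuration: a minimal POSIX shell model of the hosts.allow / hosts.deny decision (hosts.allow is consulted first, then hosts.deny, and a connection no rule mentions is granted), run over constructed sample rules. Only exact addresses, dotted-prefix networks such as 192.168.1. and ALL are modelled; netmask and CIDR forms, hostnames and EXCEPT clauses are not, so this is for seeing the rule order, not a substitute for checking a live ruleset with tcpdmatch.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal model of the tcp_wrappers
# access decision for sshd. Supports exact IPs, dotted-prefix networks such
# as "192.168.1." and ALL; netmask/CIDR, hostnames and EXCEPT are not modelled.
set -f   # no pathname expansion: rule tokens are matched literally, never globbed

# match_client PATTERN IP -> 0 if PATTERN covers IP
match_client() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # dotted prefix, e.g. 192.168.1.
        *)   [ "$1" = "$2" ] && return 0 ;;           # exact address
    esac
    return 1
}

# file_matches CONTENT DAEMON IP -> 0 if a "daemon: client ..." line in CONTENT matches
file_matches() {
    while IFS= read -r line; do
        line=${line%%#*}                              # strip comments
        case "$line" in *:*) ;; *) continue ;; esac   # skip blank/malformed lines
        d=$(printf '%s' "${line%%:*}" | tr -d ' \t')  # daemon field (one name or ALL here)
        [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
        for c in ${line#*:}; do                        # client list, space separated
            match_client "$c" "$3" && return 0
        done
    done <<EOF
$1
EOF
    return 1
}

# wrappers_decision ALLOW_CONTENT DENY_CONTENT DAEMON IP -> prints allow or deny
wrappers_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow      # hosts.allow is consulted first
    elif file_matches "$2" "$3" "$4"; then echo deny     # then hosts.deny
    else echo allow                                      # no matching rule: access granted
    fi
}

# Constructed sample rules in the spirit of the thread: only named addresses reach sshd.
HOSTS_ALLOW='# constructed sample hosts.allow
sshd: 192.168.1. 10.8.0.5'
HOSTS_DENY='# constructed sample hosts.deny
sshd: ALL'

wrappers_decision "$HOSTS_ALLOW" "$HOSTS_DENY" sshd 192.168.1.20   # allow
wrappers_decision "$HOSTS_ALLOW" "$HOSTS_DENY" sshd 203.0.113.9    # deny
```

The last branch is the point worth remembering when hardening: without the catch-all "sshd: ALL" line in hosts.deny, every address that hosts.allow does not name is still admitted, so an allow list alone restricts nothing.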