tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- stevesk@cvs.openbsd.org 2002/09/16 20:12:11 

[sshd_config.5]
     more details on X11Forwarding security issues and threats; ok markus@
This commit is contained in:
Damien Miller 2002-09-19 11:51:21 +10:00
parent a6eb2b7f8e
commit 101c4a7bc9
2 changed files with 32 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -13,6 +13,9 @@
- stevesk@cvs.openbsd.org 2002/09/16 19:55:33 - stevesk@cvs.openbsd.org 2002/09/16 19:55:33
[session.c] [session.c]
log when _PATH_NOLOGIN exists; ok markus@ log when _PATH_NOLOGIN exists; ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 20:12:11
[sshd_config.5]
more details on X11Forwarding security issues and threats; ok markus@
20020912 20020912
- (djm) Made GNOME askpass programs return non-zero if cancel button is - (djm) Made GNOME askpass programs return non-zero if cancel button is
@ -663,4 +666,4 @@
save auth method before monitor_reset_key_state(); bugzilla bug #284; save auth method before monitor_reset_key_state(); bugzilla bug #284;
ok provos@ ok provos@
$Id: ChangeLog,v 1.2467 2002/09/19 01:50:48 djm Exp $ $Id: ChangeLog,v 1.2468 2002/09/19 01:51:21 djm Exp $

31
sshd_config.5
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.12 2002/09/04 18:52:42 stevesk Exp $ .\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
@ -630,10 +630,35 @@ from interfering with real X11 servers.
The default is 10. The default is 10.
.It Cm X11Forwarding .It Cm X11Forwarding
Specifies whether X11 forwarding is permitted. Specifies whether X11 forwarding is permitted.
The argument must be
.Dq yes
or
.Dq no .
The default is The default is
.Dq no . .Dq no .
Note that disabling X11 forwarding does not improve security in any .Pp
way, as users can always install their own forwarders. When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
.Nm sshd
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost
below), however this is not the default.
Additionally, the authentication spoofing and authentication data
verification and substitution occur on the client side.
The security risk of using X11 forwarding is that the client's X11
display server may be exposed to attack when the ssh client requests
forwarding (see the warnings for
.Cm ForwardX11
in
.Xr ssh_config 5 ).
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
.Dq no
setting.
.Pp
Note that disabling X11 forwarding does not prevent users from
forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding is automatically disabled if X11 forwarding is automatically disabled if
.Cm UseLogin .Cm UseLogin
is enabled. is enabled.