Vulnerability in X11 forwarding over ssh - Xwindows

Thread: Vulnerability in X11 forwarding over ssh

  1. Vulnerability in X11 forwarding over ssh

    I've been reading on web about X11 forwarding over ssh. Not entirely
    clear on the what's under the hood, since X security seems to be an
    entire science, and the man pages aren't exactly tutorial style.
    http://www.hackinglinuxexposed.com/a.../20040705.html seems to
    speak well to the average joe. In general, however, I find much
    ambiguity in the X11 forwarding info in whether server/client refers to
    application server/client or X server/client.

    Be that as it may, I get the bottom line, that an administrator on
    "the server" can monitor the details of your activities on your local
    desktop. Regarding that point in particular, my question is: Is this
    any worse than in a small LAN in which applications on work horse
    machines connect to X-servers on other machines on users' desks,
    without any ssh? I'm comparing the case where a small team gets
    geographically split up, so ssh might be used to secure a channel over
    the internet. If the vulnerability from X11 forwarding is no
    different than before the team was split up (i.e. completely local
    LAN, no ssh, no X11 forwarding), then there's no point worrying about
    it -- assuming that the trust among team members is the same.

    If the vulnerability is greater after the split i.e. if the ability to
    monitor the user's local desktop did not exist before the split, it is
    not enough that the trust level is the same after the split. This is
    because any inability to perform the snooping before the split serves
    to protect the administrator from being implicated as much as it
    protects the user from being snooped. Even if everyone is trustworthy
    after the split, the administrator is no longer protected from being
    implicated.

    Thanks for comments on whether the vulnerability is the same before and
    after the split.

  2. Re: Vulnerability in X11 forwarding over ssh

    Dubious Dude wrote:
    > I've been reading on web about X11 forwarding over ssh. Not entirely
    > clear on the what's under the hood, since X security seems to be an
    > entire science, and the man pages aren't exactly tutorial style.
    > http://www.hackinglinuxexposed.com/a.../20040705.html seems to
    > speak well to the average joe. In general, however, I find much
    > ambiguity in the X11 forwarding info in whether server/client refers to
    > application server/client or X server/client.
    >
    > Be that as it may, I get the bottom line, that an administrator on
    > "the server" can monitor the details of your activities on your local
    > desktop. Regarding that point in particular, my question is: Is this
    > any worse than in a small LAN in which applications on work horse
    > machines connect to X-servers on other machines on users' desks,
    > without any ssh? I'm comparing the case where a small team gets
    > geographically split up, so ssh might be used to secure a channel over
    > the internet. If the vulnerability from X11 forwarding is no
    > different than before the team was split up (i.e. completely local
    > LAN, no ssh, no X11 forwarding), then there's no point worrying about
    > it -- assuming that the trust among team members is the same.
    >
    > If the vulnerability is greater after the split i.e. if the ability to
    > monitor the user's local desktop did not exist before the split, it is
    > not enough that the trust level is the same after the split. This is
    > because any inability to perform the snooping before the split serves
    > to protect the administrator from being implicated as much as it
    > protects the user from being snooped. Even if everyone is trustworthy
    > after the split, the administrator is no longer protected from being
    > implicated.
    >
    > Thanks for comments on whether the vulnerability is the same before and
    > after the split.



    A further question about the vulnerability: Is the snoopability
    restricted to activity on x-clients for the applications running on the
    machine being ssh'd to? Or can all activities on the local X-server be
    snooped? Or is it just the activities for the DISPLAY associated with
    the X11 forwarding?

    Thanks.

  3. Re: Vulnerability in X11 forwarding over ssh

    Dubious Dude writes:

    > I've been reading on web about X11 forwarding over ssh. Not entirely
    > clear on the what's under the hood, since X security seems to be an
    > entire science, and the man pages aren't exactly tutorial style.
    > http://www.hackinglinuxexposed.com/a.../20040705.html seems to
    > speak well to the average joe. In general, however, I find much
    > ambiguity in the X11 forwarding info in whether server/client refers to
    > application server/client or X server/client.
    >
    > Be that as it may, I get the bottom line, that an administrator on
    > "the server" can monitor the details of your activities on your local
    > desktop. Regarding that point in particular, my question is: Is this
    > any worse than in a small LAN in which applications on work horse
    > machines connect to X-servers on other machines on users' desks,
    > without any ssh?


    No, it's no worse. It's an X vulnerability essentially.

    > I'm comparing the case where a small team gets geographically split
    > up, so ssh might be used to secure a channel over the internet. If
    > the vulnerability from X11 forwarding is no different than before
    > the team was split up (i.e. completely local LAN, no ssh, no X11
    > forwarding), then there's no point worrying about it -- assuming
    > that the trust among team members is the same.


    True. Basically, the article says unless you trust the users and the
    administrator of the sshd machine you're connecting to, X11 forwarding
    may be giving them a blank check to keystroke logging and screen
    scraping.

    If there's more vulnerability it's simply in that there's more
    potential for someone to get into the machine from the internet
    because of the sshd listening to the big bad internet, and one common
    username has an easily guessed password, or someone gets a toehold in,
    escalates to root, now you have some random person scraping your
    screen for info rather than just someone who managed to get so deep
    inside the company network.

    > If the vulnerability is greater after the split i.e. if the ability
    > to monitor the user's local desktop did not exist before the split,
    > it is not enough that the trust level is the same after the split.
    > This is because any inability to perform the snooping before the
    > split serves to protect the administrator from being implicated as
    > much as it protects the user from being snooped. Even if everyone
    > is trustworthy after the split, the administrator is no longer
    > protected from being implicated.
    >
    > Thanks for comments on whether the vulnerability is the same before and
    > after the split.


    I think for the concern you have, the vulnerability is more or less
    the same.

    Personally, I'd be using VNC if at all possible. :-) For the
    reconnectability alone.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
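The "blank check" above depends on how the forwarded clients are treated by the local X server. As an added example (not code from the thread or any poster), this POSIX shell audit reads an OpenSSH client config and reports, per host, whether forwarded clients would be trusted (full display access) or untrusted (confined by the X SECURITY extension). It uses the real OpenSSH options ForwardX11 and ForwardX11Trusted; the config text and host names are constructed, and only exact host names and "*" are matched.

```shell
#!/bin/sh
# Added example (not code from the thread): before opening an X11-forwarded
# session, check how much of the local X display the remote host's X clients
# get.  ssh protects the wire only; every X client on the remote host (and
# root there) reaches the local X server through the forwarded DISPLAY, and
# OpenSSH's ForwardX11Trusted decides whether it is a "trusted" client (full
# display access) or an "untrusted" one confined by the X SECURITY extension.

# Print the effective value of an ssh_config keyword for a host, or "unset".
# ssh keeps the first value it meets reading top to bottom; keywords are
# case-insensitive; lines starting with '#' are comments.  Host patterns:
# only "*" and an exact host name are matched here (no globs, no Match).
ssh_effective_option() {   # ssh_effective_option <config text> <host> <keyword>
    printf '%s\n' "$1" | awk -v host="$2" -v key="$3" '
        BEGIN { applies = 1; key = tolower(key) }
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "host" {
            applies = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == host) applies = 1
            next
        }
        applies && tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# Classify the local display's exposure to X clients on <host>:
#   none        X11 forwarding is off for this host
#   restricted  untrusted forwarding: remote clients are SECURITY-extension
#               untrusted clients (no reading other windows' contents/input)
#   full        trusted forwarding: same access as local clients, i.e. the
#               screen-scraping / keylogging exposure discussed in the thread
# Unset ForwardX11Trusted counts as "full": upstream OpenSSH defaults to "no",
# but some distributions (Debian and derivatives) ship "yes".
x11_forwarding_risk() {   # x11_forwarding_risk <config text> <host>
    fwd=$(ssh_effective_option "$1" "$2" ForwardX11)
    trusted=$(ssh_effective_option "$1" "$2" ForwardX11Trusted)
    if [ "$fwd" != "yes" ]; then
        echo none
    elif [ "$trusted" = "no" ]; then
        echo restricted
    else
        echo full
    fi
}

SAMPLE_SSH_CONFIG='# constructed sample ~/.ssh/config; host names are made up
Host workhorse
    ForwardX11 yes
    ForwardX11Trusted yes
Host shared-box
    ForwardX11 yes
    ForwardX11Trusted no
Host *
    ForwardX11 no
'

for h in workhorse shared-box laptop; do
    printf '%-11s %s\n' "$h" "$(x11_forwarding_risk "$SAMPLE_SSH_CONFIG" "$h")"
done
```

Command-line flags override the config: `ssh -Y` forces trusted forwarding, while `ssh -X` enables forwarding subject to ForwardX11Trusted, so check the command actually used as well.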

  4. Re: Vulnerability in X11 forwarding over ssh

    Todd H. wrote:
    > Dubious Dude writes:
    >
    >> I've been reading on web about X11 forwarding over ssh. Not entirely
    >> clear on the what's under the hood, since X security seems to be an
    >> entire science, and the man pages aren't exactly tutorial style.
    >> http://www.hackinglinuxexposed.com/a.../20040705.html seems to
    >> speak well to the average joe. In general, however, I find much
    >> ambiguity in the X11 forwarding info in whether server/client refers to
    >> application server/client or X server/client.
    >>
    >> Be that as it may, I get the bottom line, that an administrator on
    >> "the server" can monitor the details of your activities on your local
    >> desktop. Regarding that point in particular, my question is: Is this
    >> any worse than in a small LAN in which applications on work horse
    >> machines connect to X-servers on other machines on users' desks,
    >> without any ssh?

    >
    > No, it's no worse. It's an X vulnerability essentially.
    >
    >> I'm comparing the case where a small team gets geographically split
    >> up, so ssh might be used to secure a channel over the internet. If
    >> the vulnerability from X11 forwarding is no different than before
    >> the team was split up (i.e. completely local LAN, no ssh, no X11
    >> forwarding), then there's no point worrying about it -- assuming
    >> that the trust among team members is the same.

    >
    > True. Basically, the article says unless you trust the users and the
    > administrator of the sshd machine you're connecting to, X11 forwarding
    > may be giving them a blank check to keystroke logging and screen
    > scraping.
    >
    > If there's more vulnerability it's simply in that there's more
    > potential for someone to get into the machine from the internet
    > because of the sshd listening to the big bad internet, and one common
    > username has an easily guessed password, or someone gets a toehold in,
    > escalates to root, now you have some random person scraping your
    > screen for info rather than just someone who managed to get so deep
    > inside the company network.
    >
    >> If the vulnerability is greater after the split i.e. if the ability
    >> to monitor the user's local desktop did not exist before the split,
    >> it is not enough that the trust level is the same after the split.
    >> This is because any inability to perform the snooping before the
    >> split serves to protect the administrator from being implicated as
    >> much as it protects the user from being snooped. Even if everyone
    >> is trustworthy after the split, the administrator is no longer
    >> protected from being implicated.
    >>
    >> Thanks for comments on whether the vulnerability is the same before and
    >> after the split.

    >
    > I think for the concern you have, the vulnerability is more or less
    > the same.
    >
    > Personally, I'd be using VNC if at all possible. :-) For the
    > reconnectability alone.


    That is certainly a possibility. Thanks for sharing your knowledge of X.


  5. Re: Vulnerability in X11 forwarding over ssh

    Dubious Dude writes:

    >Todd H. wrote:
    >> Dubious Dude writes:
    >>
    >>> I've been reading on web about X11 forwarding over ssh. Not entirely
    >>> clear on the what's under the hood, since X security seems to be an
    >>> entire science, and the man pages aren't exactly tutorial style.
    >>> http://www.hackinglinuxexposed.com/a.../20040705.html seems to
    >>> speak well to the average joe. In general, however, I find much
    >>> ambiguity in the X11 forwarding info in whether server/client refers to
    >>> application server/client or X server/client.
    >>>
    >>> Be that as it may, I get the bottom line, that an administrator on
    >>> "the server" can monitor the details of your activities on your local
    >>> desktop. Regarding that point in particular, my question is: Is this
    >>> any worse than in a small LAN in which applications on work horse
    >>> machines connect to X-servers on other machines on users' desks,
    >>> without any ssh?


    The ONLY thing ssh protects against is information being read off in
    transit between the two machines. If you do not use ssh, then anyone who
    has access to the line connecting the two machines can read off and see the
    data in the X session. It does absolutely nothing to protect you against
    problems on the machines themselves. Whether it is a colleague looking over
    your shoulders at your screen, or a sysadmin intercepting the x calls and
    displaying them on his own screen on one or the other of the endpoint
    machines, ssh can do nothing to protect you.


    >>
    >> No, it's no worse. It's an X vulnerability essentially.
    >>
    >>> I'm comparing the case where a small team gets geographically split
    >>> up, so ssh might be used to secure a channel over the internet. If
    >>> the vulnerability from X11 forwarding is no different than before
    >>> the team was split up (i.e. completely local LAN, no ssh, no X11
    >>> forwarding), then there's no point worrying about it -- assuming
    >>> that the trust among team members is the same.


    Sure there is. Someone can "tap" the line between the machines. All of
    the data goes over that line. ssh protects you against such taps.


    >>
    >> True. Basically, the article says unless you trust the users and the
    >> administrator of the sshd machine you're connecting to, X11 forwarding
    >> may be giving them a blank check to keystroke logging and screen
    >> scraping.


    X11 forwarding does nothing to protect either endpoint. It protects the
    data in transit.
    >>
    >> If there's more vulnerability it's simply in that there's more
    >> potential for someone to get into the machine from the internet
    >> because of the sshd listening to the big bad internet, and one common
    >> username has an easily guessed password, or someone gets a toehold in,
    >> escalates to root, now you have some random person scraping your
    >> screen for info rather than just someone who managed to get so deep
    >> inside the company network.


    No, there is also the vulnerability that anyone with a packet capture or
    sniffer anywhere between the two machines can capture all of the data.


    >>
    >>> If the vulnerability is greater after the split i.e. if the ability
    >>> to monitor the user's local desktop did not exist before the split,
    >>> it is not enough that the trust level is the same after the split.
    >>> This is because any inability to perform the snooping before the
    >>> split serves to protect the administrator from being implicated as
    >>> much as it protects the user from being snooped. Even if everyone
    >>> is trustworthy after the split, the administrator is no longer
    >>> protected from being implicated.
    >>>
    >>> Thanks for comments on whether the vulnerability is the same before and
    >>> after the split.

    >>
    >> I think for the concern you have, the vulnerability is more or less
    >> the same.
    >>
    >> Personally, I'd be using VNC if at all possible. :-) For the
    >> reconnectability alone.


    And this protects you how?



    >That is certainly a possibility. Thanks for sharing your knowledge of X.



  6. Re: Vulnerability in X11 forwarding over ssh

    In article Unruh
    writes:
    >Dubious Dude writes:
    >
    >>Todd H. wrote:
    >>> Dubious Dude writes:


    [snip]

    >>> No, it's no worse. It's an X vulnerability essentially.
    >>>
    >>>> I'm comparing the case where a small team gets geographically split
    >>>> up, so ssh might be used to secure a channel over the internet. If
    >>>> the vulnerability from X11 forwarding is no different than before
    >>>> the team was split up (i.e. completely local LAN, no ssh, no X11
    >>>> forwarding), then there's no point worrying about it -- assuming
    >>>> that the trust among team members is the same.

    >
    >Sure there is. Someone can "tap" the line between the machines. All of
    >the data goes over that line. ssh protects you against such taps.


    I think you misunderstand - the OP's potential worry was that using ssh
    would *increase* the vulnerability, having read about "vulnerabilities"
    (other than wiretapping) with X11 only in the context of ssh forwarding.

    --Per Hedeland
    per@hedeland.org

  7. Re: Vulnerability in X11 forwarding over ssh

    comphelp@toddh.net (Todd H.) writes:

    >True. Basically, the article says unless you trust the users and the
    >administrator of the sshd machine you're connecting to, X11 forwarding
    >may be giving them a blank check to keystroke logging and screen
    >scraping.


    Xnest is a simple (depending on how you look at it) way to reduce the
    scope of the problem. I've only toyed with it but it could be useful.

    >Personally, I'd be using VNC if at all possible. :-) For the
    >reconnectability alone.


    I appreciate VNC too but for reconnectability you could also use
    Reliable SSH Tunnel or Rocks. Heck, I almost always use VNC over SSH.

    --kyler

  8. Re: Vulnerability in X11 forwarding over ssh

    Per Hedeland wrote:
    > In article Unruh
    > writes:
    >> Dubious Dude writes:
    >>
    >>> Todd H. wrote:
    >>>> Dubious Dude writes:

    >
    > [snip]
    >
    >>>> No, it's no worse. It's an X vulnerability essentially.
    >>>>
    >>>>> I'm comparing the case where a small team gets geographically split
    >>>>> up, so ssh might be used to secure a channel over the internet. If
    >>>>> the vulnerability from X11 forwarding is no different than before
    >>>>> the team was split up (i.e. completely local LAN, no ssh, no X11
    >>>>> forwarding), then there's no point worrying about it -- assuming
    >>>>> that the trust among team members is the same.

    >> Sure there is. Someone can "tap" the line between the machines. All of
    >> the data goes over that line. ssh protects you against such taps.

    >
    > I think you misunderstand - the OP's potential worry was that using ssh
    > would *increase* the vulnerability, having read about "vulnerabilities"
    > (other than wiretapping) with X11 only in the context of ssh forwarding.


    Yes, you're right. When I say "there's no point worrying about it", I
    don't mean that ssh is pointless. I mean that the vulnerability from
    X11 forwarding isn't worth worrying about because it doesn't result from
    the use of ssh so much as it is an inherent characteristic of X11 even
    on the same LAN. So if you trust the use of X11 in a LAN, then you
    should trust the use of X11 forwarding in a virtual LAN enabled by ssh.

  9. Re: Vulnerability in X11 forwarding over ssh

    Kyler Laird wrote:
    > comphelp@toddh.net (Todd H.) writes:
    >
    >> True. Basically, the article says unless you trust the users and the
    >> administrator of the sshd machine you're connecting to, X11 forwarding
    >> may be giving them a blank check to keystroke logging and screen
    >> scraping.

    >
    > Xnest is a simple (depending on how you look at it) way to reduce the
    > scope of the problem. I've only toyed with it but it could be useful.
    >
    >> Personally, I'd be using VNC if at all possible. :-) For the
    >> reconnectability alone.

    >
    > I appreciate VNC too but for reconnectability you could also use
    > Reliable SSH Tunnel or Rocks. Heck, I almost always use VNC over SSH.


    I looked up Xnest and Reliable SSH Tunnel. I'm not sure how they
    address the problem of user activities being monitored by an
    administrator on the machine that hosts the X-client. I suspect that I
    didn't adequately clarify the problem in my OP.

    Because "Rocks" is quite a general word, I wasn't able to locate
    information on it as an X-windows-related application.
