Vulnerability in X11 forwarding over ssh - Xwindows
-
Vulnerability in X11 forwarding over ssh
I've been reading on web about X11 forwarding over ssh. Not entirely
clear on the what's under the hood, since X security seems to be an
entire science, and the man pages aren't exactly tutorial style.
http://www.hackinglinuxexposed.com/a.../20040705.html seems to
speak well to the average joe. In general, however, I find much
ambiguity in the X11 forwarding info in whether server/client refers to
application server/client or X server/client.
Be that as it may, I get the bottom line, that an administrator on
"the server" can monitor the details of your activities on your local
desktop. Regarding that point in particular, my question is: Is
this any worse than in a small LAN in which applications on workhorse
machines connect to X-servers on other machines on users' desks,
without any ssh? I'm comparing the case where a small team gets
geographically split up, so ssh might be used to secure a channel over
the internet. If the vulnerability from X11 forwarding is no
different than before the team was split up (i.e. completely local
LAN, no ssh, no X11 forwarding), then there's no point worrying about
it -- assuming that the trust among team members is the same.
If the vulnerability is greater after the split i.e. if the ability to
monitor the user's local desktop did not exist before the split, it is
not enough that the trust level is the same after the split. This is
because any inability to perform the snooping before the split serves
to protect the administrator from being implicated as much as it
protects the user from being snooped. Even if everyone is trustworthy
after the split, the administrator is no longer protected from being
implicated.
Thanks for comments on whether the vulnerability is the same before and
after the split.
-
Re: Vulnerability in X11 forwarding over ssh
Dubious Dude wrote:
> I've been reading on web about X11 forwarding over ssh. Not entirely
> clear on the what's under the hood, since X security seems to be an
> entire science, and the man pages aren't exactly tutorial style.
> http://www.hackinglinuxexposed.com/a.../20040705.html seems to
> speak well to the average joe. In general, however, I find much
> ambiguity in the X11 forwarding info in whether server/client refers to
> application server/client or X server/client.
>
> Be that as it may, I get the bottom line, that an administrator on
> "the server" can monitor the details of your activities on your local
> desktop. Regarding that point in particular, my question is: Is
> this any worse than in a small LAN in which applications on workhorse
> machines connect to X-servers on other machines on users' desks,
> without any ssh? I'm comparing the case where a small team gets
> geographically split up, so ssh might be used to secure a channel over
> the internet. If the vulnerability from X11 forwarding is no
> different than before the team was split up (i.e. completely local
> LAN, no ssh, no X11 forwarding), then there's no point worrying about
> it -- assuming that the trust among team members is the same.
>
> If the vulnerability is greater after the split i.e. if the ability to
> monitor the user's local desktop did not exist before the split, it is
> not enough that the trust level is the same after the split. This is
> because any inability to perform the snooping before the split serves
> to protect the administrator from being implicated as much as it
> protects the user from being snooped. Even if everyone is trustworthy
> after the split, the administrator is no longer protected from being
> implicated.
>
> Thanks for comments on whether the vulnerability is the same before and
> after the split.
A further question about the vulnerability: Is the snoopability
restricted to activity on x-clients for the applications running on the
machine being ssh'd to? Or can all activities on the local X-server be
snooped? Or is it just the activities for the DISPLAY associated with
the X11 forwarding?
Thanks.
-
Re: Vulnerability in X11 forwarding over ssh
Dubious Dude writes:
> I've been reading on web about X11 forwarding over ssh. Not entirely
> clear on the what's under the hood, since X security seems to be an
> entire science, and the man pages aren't exactly tutorial style.
> http://www.hackinglinuxexposed.com/a.../20040705.html seems to
> speak well to the average joe. In general, however, I find much
> ambiguity in the X11 forwarding info in whether server/client refers to
> application server/client or X server/client.
>
> Be that as it may, I get the bottom line, that an administrator on
> "the server" can monitor the details of your activities on your local
> desktop. Regarding that point in particular, my question is: Is
> this any worse than in a small LAN in which applications on workhorse
> machines connect to X-servers on other machines on users' desks,
> without any ssh?
No, it's no worse. It's an X vulnerability essentially.
> I'm comparing the case where a small team gets geographically split
> up, so ssh might be used to secure a channel over the internet. If
> the vulnerability from X11 forwarding is no different than before
> the team was split up (i.e. completely local LAN, no ssh, no X11
> forwarding), then there's no point worrying about it -- assuming
> that the trust among team members is the same.
True. Basically, the article says unless you trust the users and the
administrator of the sshd machine you're connecting to, X11 forwarding
may be giving them a blank check to keystroke logging and screen
scraping.
If there's more vulnerability it's simply in that there's more
potential for someone to get into the machine from the internet
because of the sshd listening to the big bad internet, and one common
username has an easily guessed password, or someone gets a toehold in,
escalates to root, now you have some random person scraping your
screen for info rather than just someone who managed to get so deep
inside the company network.
> If the vulnerability is greater after the split i.e. if the ability
> to monitor the user's local desktop did not exist before the split,
> it is not enough that the trust level is the same after the split.
> This is because any inability to perform the snooping before the
> split serves to protect the administrator from being implicated as
> much as it protects the user from being snooped. Even if everyone
> is trustworthy after the split, the administrator is no longer
> protected from being implicated.
>
> Thanks for comments on whether the vulnerability is the same before and
> after the split.
I think for the concern you have, the vulnerability is more or less
the same.
Personally, I'd be using VNC if at all possible. :-) For the
reconnectability alone.
Best Regards,
--
Todd H.
http://www.toddh.net/
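How that blank check comes about, as an added example that is not code from any poster in this thread or from OpenSSH/Xorg: when sshd sets up X11 forwarding it registers a display such as `unix:10` in the user's `~/.Xauthority` on the remote host, with a cookie that any process able to read that file can present; the user's own ssh client then swaps in the real cookie and hands the connection to the local X server. The script below parses an Xauthority file in the same layout `xauth list` reads and picks out the entries in sshd's forwarding range. The records it parses are constructed sample data (the host names `laptop` and `server`, the display numbers and the cookie bytes are made up); the record layout itself is the real one.

```python
"""Parse an Xauthority file the way `xauth list` does, to show what an
X11-forwarded session leaves behind on the sshd host.

Added example for this thread; not code from the original posts or from
OpenSSH/Xorg. The Xauthority record layout is the real one (every field
is big-endian and length-prefixed); the host names, display numbers and
cookies below are constructed sample data.
"""
import struct

# Address families used in Xauthority records (from <X11/Xauth.h>).
FAMILY_NAMES = {0: "inet", 6: "inet6", 256: "local", 65535: "wild"}

# sshd's X11DisplayOffset default: forwarded displays start at :10.
X11_DISPLAY_OFFSET = 10


def _read_field(buf, off):
    """Read one length-prefixed (uint16, big-endian) field."""
    if off + 2 > len(buf):
        raise ValueError("truncated Xauthority record")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    field = buf[off:off + n]
    if len(field) != n:
        raise ValueError("truncated Xauthority record")
    return field, off + n


def parse_xauthority(data):
    """Return a list of entries: family, address, number, name, cookie."""
    entries = []
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated Xauthority record")
        (family,) = struct.unpack_from(">H", data, off)
        off += 2
        address, off = _read_field(data, off)
        number, off = _read_field(data, off)
        name, off = _read_field(data, off)
        cookie, off = _read_field(data, off)
        entries.append({
            "family": FAMILY_NAMES.get(family, str(family)),
            "address": address.decode("latin-1"),
            "number": number.decode("ascii"),
            "name": name.decode("ascii"),
            "cookie": cookie.hex(),
        })
    return entries


def build_entry(family, address, number, name, cookie):
    """Serialise one record; used here only to construct sample input."""
    out = struct.pack(">H", family)
    for field in (address, number, name, cookie):
        out += struct.pack(">H", len(field)) + field
    return out


def display_of(entry):
    """Format the display the way xauth prints it, e.g. 'server/unix:10'."""
    if entry["family"] == "local":
        return f"{entry['address']}/unix:{entry['number']}"
    return f"{entry['address']}:{entry['number']}"


def xauth_list(entries):
    """Lines equivalent to `xauth list` output."""
    return [f"{display_of(e)}  {e['name']}  {e['cookie']}" for e in entries]


def forwarded_entries(entries, offset=X11_DISPLAY_OFFSET):
    """Entries whose display number is in sshd's forwarding range.

    On the sshd host, a record like 'server/unix:10' holds the fake cookie
    sshd generated for the session. Any process that can read the file
    (root, or another user with access to it) can connect to the forwarded
    socket with that cookie; the user's ssh client swaps in the real cookie
    and passes the connection to the user's local X server.
    """
    return [e for e in entries
            if e["number"].isdigit() and int(e["number"]) >= offset]


# Constructed sample file: the user's real display on the laptop, plus the
# forwarded display sshd registered on the server (made-up names/cookies).
SAMPLE_XAUTHORITY = (
    build_entry(256, b"laptop", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
    + build_entry(256, b"server", b"10", b"MIT-MAGIC-COOKIE-1",
                  bytes(range(16, 32)))
)


if __name__ == "__main__":
    entries = parse_xauthority(SAMPLE_XAUTHORITY)
    for line in xauth_list(entries):
        print(line)
    for e in forwarded_entries(entries):
        print("forwarded display reachable with this cookie:", display_of(e))
```

Running `xauth list` on a host you ssh into with forwarding shows the same `unix:10`-style entry for real; whoever else can read that file on that host holds the same credential.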
-
Re: Vulnerability in X11 forwarding over ssh
Todd H. wrote:
> Dubious Dude writes:
>
>> I've been reading on web about X11 forwarding over ssh. Not entirely
>> clear on the what's under the hood, since X security seems to be an
>> entire science, and the man pages aren't exactly tutorial style.
>> http://www.hackinglinuxexposed.com/a.../20040705.html seems to
>> speak well to the average joe. In general, however, I find much
>> ambiguity in the X11 forwarding info in whether server/client refers to
>> application server/client or X server/client.
>>
>> Be that as it may, I get the bottom line, that an administrator on
>> "the server" can monitor the details of your activities on your local
>> desktop. Regarding that point in particular, my question is: Is
>> this any worse than in a small LAN in which applications on workhorse
>> machines connect to X-servers on other machines on users' desks,
>> without any ssh?
>
> No, it's no worse. It's an X vulnerability essentially.
>
>> I'm comparing the case where a small team gets geographically split
>> up, so ssh might be used to secure a channel over the internet. If
>> the vulnerability from X11 forwarding is no different than before
>> the team was split up (i.e. completely local LAN, no ssh, no X11
>> forwarding), then there's no point worrying about it -- assuming
>> that the trust among team members is the same.
>
> True. Basically, the article says unless you trust the users and the
> administrator of the sshd machine you're connecting to, X11 forwarding
> may be giving them a blank check to keystroke logging and screen
> scraping.
>
> If there's more vulnerability it's simply in that there's more
> potential for someone to get into the machine from the internet
> because of the sshd listening to the big bad internet, and one common
> username has an easily guessed password, or someone gets a toehold in,
> escalates to root, now you have some random person scraping your
> screen for info rather than just someone who managed to get so deep
> inside the company network.
>
>> If the vulnerability is greater after the split i.e. if the ability
>> to monitor the user's local desktop did not exist before the split,
>> it is not enough that the trust level is the same after the split.
>> This is because any inability to perform the snooping before the
>> split serves to protect the administrator from being implicated as
>> much as it protects the user from being snooped. Even if everyone
>> is trustworthy after the split, the administrator is no longer
>> protected from being implicated.
>>
>> Thanks for comments on whether the vulnerability is the same before and
>> after the split.
>
> I think for the concern you have, the vulnerability is more or less
> the same.
>
> Personally, I'd be using VNC if at all possible. :-) For the
> reconnectability alone.
That is certainly a possibility. Thanks for sharing your knowledge of X.
-
Re: Vulnerability in X11 forwarding over ssh
Dubious Dude writes:
>Todd H. wrote:
>> Dubious Dude writes:
>>
>>> I've been reading on web about X11 forwarding over ssh. Not entirely
>>> clear on the what's under the hood, since X security seems to be an
>>> entire science, and the man pages aren't exactly tutorial style.
>>> http://www.hackinglinuxexposed.com/a.../20040705.html seems to
>>> speak well to the average joe. In general, however, I find much
>>> ambiguity in the X11 forwarding info in whether server/client refers to
>>> application server/client or X server/client.
>>>
>>> Be that as it may, I get the bottom line, that an administrator on
>>> "the server" can monitor the details of your activities on your local
>>> desktop. Regarding that point in particular, my question is: Is
>>> this any worse than in a small LAN in which applications on workhorse
>>> machines connect to X-servers on other machines on users' desks,
>>> without any ssh?
The ONLY thing ssh protects against is information being read off in
transit between the two machines. If you do not use ssh, then anyone who
has access to the line connecting the two machines can read off and see the
data in the X session. It does absolutely nothing to protect you against
problems on the machines themselves. Whether it is a colleague looking over
your shoulders at your screen, or a sysadmin intercepting the x calls and
displaying them on his own screen on one or the other of the endpoint
machines, ssh can do nothing to protect you.
>>
>> No, it's no worse. It's an X vulnerability essentially.
>>
>>> I'm comparing the case where a small team gets geographically split
>>> up, so ssh might be used to secure a channel over the internet. If
>>> the vulnerability from X11 forwarding is no different than before
>>> the team was split up (i.e. completely local LAN, no ssh, no X11
>>> forwarding), then there's no point worrying about it -- assuming
>>> that the trust among team members is the same.
Sure there is. Someone can "tap" the line between the machines. All of
the data goes over that line. ssh protects you against such taps.
>>
>> True. Basically, the article says unless you trust the users and the
>> administrator of the sshd machine you're connecting to, X11 forwarding
>> may be giving them a blank check to keystroke logging and screen
>> scraping.
X11 forwarding does nothing to protect either endpoint. It protects the
data in transit.
>>
>> If there's more vulnerability it's simply in that there's more
>> potential for someone to get into the machine from the internet
>> because of the sshd listening to the big bad internet, and one common
>> username has an easily guessed password, or someone gets a toehold in,
>> escalates to root, now you have some random person scraping your
>> screen for info rather than just someone who managed to get so deep
>> inside the company network.
No, there is also the vulnerability that anyone with a packet capture or
sniffer anywhere between the two machines can capture all of the data.
>>
>>> If the vulnerability is greater after the split i.e. if the ability
>>> to monitor the user's local desktop did not exist before the split,
>>> it is not enough that the trust level is the same after the split.
>>> This is because any inability to perform the snooping before the
>>> split serves to protect the administrator from being implicated as
>>> much as it protects the user from being snooped. Even if everyone
>>> is trustworthy after the split, the administrator is no longer
>>> protected from being implicated.
>>>
>>> Thanks for comments on whether the vulnerability is the same before and
>>> after the split.
>>
>> I think for the concern you have, the vulnerability is more or less
>> the same.
>>
>> Personally, I'd be using VNC if at all possible. :-) For the
>> reconnectability alone.
And this protects you how?
>That is certainly a possibility. Thanks for sharing your knowledge of X.
-
Re: Vulnerability in X11 forwarding over ssh
In article Unruh writes:
>Dubious Dude writes:
>
>>Todd H. wrote:
>>> Dubious Dude writes:
[snip]
>>> No, it's no worse. It's an X vulnerability essentially.
>>>
>>>> I'm comparing the case where a small team gets geographically split
>>>> up, so ssh might be used to secure a channel over the internet. If
>>>> the vulnerability from X11 forwarding is no different than before
>>>> the team was split up (i.e. completely local LAN, no ssh, no X11
>>>> forwarding), then there's no point worrying about it -- assuming
>>>> that the trust among team members is the same.
>
>Sure there is. Someone can "tap" the line between the machines. All of
>the data goes over that line. ssh protects you against such taps.
I think you misunderstand - the OP's potential worry was that using ssh
would *increase* the vulnerability, having read about "vulnerabilities"
(other than wiretapping) with X11 only in the context of ssh forwarding.
--Per Hedeland
per@hedeland.org
-
Re: Vulnerability in X11 forwarding over ssh
comphelp@toddh.net (Todd H.) writes:
>True. Basically, the article says unless you trust the users and the
>administrator of the sshd machine you're connecting to, X11 forwarding
>may be giving them a blank check to keystroke logging and screen
>scraping.
Xnest is a simple (depending on how you look at it) way to reduce the
scope of the problem. I've only toyed with it but it could be useful.
>Personally, I'd be using VNC if at all possible. :-) For the
>reconnectability alone.
I appreciate VNC too but for reconnectability you could also use
Reliable SSH Tunnel or Rocks. Heck, I almost always use VNC over SSH.
--kyler
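Besides Xnest, OpenSSH itself has a setting that narrows what a remote X client can do. With `ForwardX11Trusted no` (what `ssh -X` uses) the forwarded clients are marked untrusted under the X SECURITY extension and are kept from reading input or window contents belonging to trusted clients; with `ForwardX11Trusted yes` (`ssh -Y`) the remote side gets full access to the local display, and some distributions ship that as the system-wide default in /etc/ssh/ssh_config. The audit script below is an added example, not code from any poster here or from OpenSSH: it applies ssh_config's first-value-wins rule to a constructed sample config (the host names `build`, `*.example.org` and the settings in it are made up) and reports which hosts would be granted trusted access. Caveat: the SECURITY extension is a coarse sandbox and some applications misbehave under it, which is why trusted mode is so often switched on.

```python
"""Audit an OpenSSH client config for X11 forwarding settings.

Added example for this thread, not code from any poster or from OpenSSH.
Keyword semantics follow ssh_config(5): the first value obtained for a
keyword wins, and Host stanzas match with shell-style patterns.
Simplifications: only '*' and '?' wildcards, no '!' negation, no Match
blocks. The config text at the bottom is constructed sample input.
"""
import fnmatch

# Upstream OpenSSH defaults. Some distributions ship ForwardX11Trusted yes
# in /etc/ssh/ssh_config, so audit the system file too, not just ~/.ssh/config.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}


def parse_ssh_config(text):
    """Return a list of (host_patterns, {keyword: value}) in file order.

    Settings before the first Host line apply to every host ('*').
    Within one stanza the first occurrence of a keyword wins, as in ssh.
    """
    stanzas = []
    patterns, settings = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # ssh only treats leading '#' as comment
            continue
        if " " in line or "\t" in line:
            key, value = line.split(None, 1)
        elif "=" in line:                     # "Keyword=value" form
            key, value = line.split("=", 1)
        else:
            continue                           # keyword with no value: ignore
        key = key.lower()
        value = value.strip().lstrip("=").strip()
        if key == "host":
            stanzas.append((patterns, settings))
            patterns, settings = value.split(), {}
        else:
            settings.setdefault(key, value)
    stanzas.append((patterns, settings))
    return stanzas


def effective(stanzas, host):
    """Resolve the settings ssh would use for `host`: first obtained wins."""
    obtained = {}
    for patterns, settings in stanzas:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in settings.items():
                obtained.setdefault(key, value.lower())
    result = dict(DEFAULTS)
    result.update(obtained)
    return result


def x11_exposure(stanzas, host):
    """Classify what a hostile or compromised sshd host could do via X11."""
    cfg = effective(stanzas, host)
    if cfg["forwardx11"] != "yes":
        return ("none: X11 forwarding off "
                "(ssh -X / -Y on the command line still turns it on)")
    if cfg["forwardx11trusted"] == "yes":
        return "trusted: remote X clients get full access to the local display"
    return "untrusted: remote X clients restricted by the X SECURITY extension"


# Constructed sample ~/.ssh/config (host names and settings are made up).
SAMPLE_CONFIG = """\
# build box: full trust, so root there can log keys and scrape the screen
Host build
    HostName build.example.org
    ForwardX11 yes
    ForwardX11Trusted yes

# everything else in the domain: forwarding on, but untrusted
Host *.example.org
    ForwardX11 yes

Host *
    ForwardX11 no
"""


if __name__ == "__main__":
    stanzas = parse_ssh_config(SAMPLE_CONFIG)
    for host in ("build", "dev.example.org", "home"):
        print(f"{host:16} {x11_exposure(stanzas, host)}")
```

Point the parser at the real `/etc/ssh/ssh_config` and `~/.ssh/config` (ssh reads the user file first, then the system file, so concatenate them in that order) to see which hosts you are handing a trusted display to.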
-
Re: Vulnerability in X11 forwarding over ssh
Per Hedeland wrote:
> In article Unruh writes:
>> Dubious Dude writes:
>>
>>> Todd H. wrote:
>>>> Dubious Dude writes:
>
> [snip]
>
>>>> No, it's no worse. It's an X vulnerability essentially.
>>>>
>>>>> I'm comparing the case where a small team gets geographically split
>>>>> up, so ssh might be used to secure a channel over the internet. If
>>>>> the vulnerability from X11 forwarding is no different than before
>>>>> the team was split up (i.e. completely local LAN, no ssh, no X11
>>>>> forwarding), then there's no point worrying about it -- assuming
>>>>> that the trust among team members is the same.
>> Sure there is. Someone can "tap" the line between the machines. All of
>> the data goes over that line. ssh protects you against such taps.
>
> I think you misunderstand - the OP's potential worry was that using ssh
> would *increase* the vulnerability, having read about "vulnerabilities"
> (other than wiretapping) with X11 only in the context of ssh forwarding.
Yes, you're right. When I say "there's no point worrying about it", I
don't mean that ssh is pointless. I mean that the vulnerability from
X11 forwarding isn't worth worrying about because it doesn't result from
the use of ssh so much as it is an inherent characteristic of X11 even
on the same LAN. So if you trust the use of X11 in a LAN, then you
should trust the use of X11 forwarding in a virtual LAN enabled by ssh.
-
Re: Vulnerability in X11 forwarding over ssh
Kyler Laird wrote:
> comphelp@toddh.net (Todd H.) writes:
>
>> True. Basically, the article says unless you trust the users and the
>> administrator of the sshd machine you're connecting to, X11 forwarding
>> may be giving them a blank check to keystroke logging and screen
>> scraping.
>
> Xnest is a simple (depending on how you look at it) way to reduce the
> scope of the problem. I've only toyed with it but it could be useful.
>
>> Personally, I'd be using VNC if at all possible. :-) For the
>> reconnectability alone.
>
> I appreciate VNC too but for reconnectiability you could also use
> Reliable SSH Tunnel or Rocks. Heck, I almost always use VNC over SSH.
I looked up Xnest and Reliable SSH Tunnel. I'm not sure how they
address the problem of user activities being monitored by an
administrator on the machine that hosts the X-client. I suspect that I
didn't adequately clarify the problem in my OP.
Because "Rocks" is quite a general word, I wasn't able to locate
information on it as an X-windows-related application.