Untrusted X11 forwarding

I wrote a while ago about my security concerns regarding


xhost +
xterm -display mypc:0

Way back then, I suggested ssh tunnel. SSH is pretty easy to set up, by enabling the X11Forwarding option.

In OpenSSH 3.8 release note, 2004, there was a new default .

ssh(1) now uses untrusted cookies for X11-Forwarding

In the man ssh_config page, it’s still documented as being the default

ForwardX11Trusted The default is ‘no’

But it actually isn’t on most *ix derivates, e.g. RedHat /etc/ssh/ssh_config

# If this option is set to yes then
# remote X11 clients will have full access
# to the original X11 display. As virtually
# no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes

Who is we?

Okay, let’s go back.

If you use the unsafest method, xhost + and xterm -display pc:0, then you grant everybody the right to manipulate X.

If you use trusted ssh, which is the _undocumented_ default in Linux, then you grant this right only to anyone with access to your authority, most probably located in the file $HOME/.Xauthority. So root and yourself, at least.

If you trust neither yourself nor root, you could restrict access to your resource, preventing one hacker from switching your mouse buttons or doing a screenshot. But this is probably going to prevent most of your applications from working. Also, it probably won’t work at all if you use putty, reflection and (virtually any?) other client tools.

If you want to force Trusted mode, use -Y or -o ForwardX11Trusted=yes.

If you want to force Untrusted mode, use -X and -o ForwardX11Trusted=no.

If you use only -X, it may transparently defaults to the more convenient but less secure -Y. Sometimes. At least on Linux OpenSSH. But if you use different Unix / SSH flavours, the -X may ends with an error message like connection to “localhost:10.0” refused by server. In that case, simply use -Y. Actually, always use -Y if you want Trusted.

4 Replies to “Untrusted X11 forwarding”

  1. “If you use only -X, it may transparently defaults to the more convenient but less secure -Y”

    Could you please verify this?

  2. The ssh_config(5) man file states:

    DESCRIPTION
    ssh(1) obtains configuration data from the following sources in the
    following order:

    1. command-line options

    2. user’s configuration file (~/.ssh/config)

    3. system-wide configuration file (/etc/ssh/ssh_config)

    For each parameter, the first obtained value will be used.

    According to that, the command line parameter should override anything else. -X and -Y should work as documented.

  3. 
    $ ssh -o ForwardX11Trusted=no srv01 xterm
    Xlib: connection to "localhost:12.0" refused by server
    Xlib: PuTTY X11 proxy: Authorisation not recognised
    
    xterm Xt error: Can't open display: localhost:12.0
    $ ssh -X srv01 xterm
    $
    

    As you see, if you use -X, it does not force Untrusted on Linux

    On AIX, if you use -X, it really does the Trusted=no thing

Leave a Reply