bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-13 19:05 UTC
[Bug 1926] New: use Xephyr for "secure" X-forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=1926

Bug #: 1926
Summary: use Xephyr for "secure" X-forwarding
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: calestyo at scientia.net

Hi.

I'm not sure whether I really understood the details of Xephyr and how it interacts with the host X server correctly, but to me it seems that this runs as a separate X server, not having access to anything of the host X server.

X11Forwarding is considered insecure, cause a malicious remote host could tamper with the client's host X server, right? Therefore I basically never use it.

Why not add a new feature that does about the following (let's call it -SX for the moment). If the user does something like ssh -SX remote.host, X-forwarding is (completely secured via SSH tunnels) enabled and DISPLAY is set, but not to the client's host X server, but to a freshly invoked Xephyr instance started by ssh.

As far as I understand - but experts should probably confirm this - one would then have a separate Window (from Xephyr) and only the contents/X server of THIS very window can be attacked by the remote host. But this shouldn't be a great deal as it's anyway only the remote host's stuff that runs in there.

Perhaps one could even add some functionality to Xephyr that marks such a window with big fat red borders (or whatever) to hint the user that this is untrusted and that he shouldn't enter his password there ;).

Of course it must be secured, that the Xephyr server and the tunnels are killed once the connection is closed (but I guess this would work more or less out of the box anyway).

Of course, for every connection, new Xephyr servers would have to be started, otherwise, different remote hosts could attack the contents of each other[1].

Features one could think of:
- an ssh_config option to specify the parameters to Xephyr. So one could e.g. per host, set how big the Xephyr windows should be.
- an option to minimise the Xephyr window in the beginning (would sound useful to me, especially if one does a plain ssh login, and not starting a command).
- an option that different ssh connections to the __same__ host/address-literal are allowed to use the same Xephyr server (in contrast to [1]).

Not sure whether it's technically possible to add functionality that the Xephyr server is started only on demand, e.g. when the first remote program tries to open a connection. If so that would be very nice, but in this case it would REALLY be important to prevent focus/input stealing by suddenly started Xephyr windows (while e.g. the user just enters a password on the safe host X server). Not sure whether starting the Xephyr window minimised is enough protection here.

Cheers,
Chris.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 00:39 UTC
[Bug 1926] use Xephyr for "secure" X-forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=1926

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-12-02 11:39:04 EST ---

That's a nice idea - the security extension stuff in X11 that we support has never worked well with applications that people actually use.

Unfortunately, xephyr isn't widely deployed beyond Linux so we can't count on it being there. Perhaps we could ship some scripts in contrib/ that simplify the use of xephyr with ssh for now?
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-03 00:04 UTC
[Bug 1926] use Xephyr for "secure" X-forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=1926

--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.net> 2011-12-03 11:04:44 EST ---

Yeah,.. I think it would be great... though, I don't yet know, whether Xephyr is "break-out-secure".

What do you mean with "beyond Linux"? It's part of xorg as far as I can see, so in principle every major UNIX/Linux should ship it (are there still people using Xfree86?!).

With respect to Windows/MAC/other systems: These don't have any X [forwarding] support out-of-the box,... so they don't support the whole thing anyway. So IMHO this wouldn't be a problem.

And I guess it would be much more useful, if this was integrated in ssh itself,.. and controllable via config options, e.g. that one can disable "normal" X11 forwarding completely while allowing the "secure" Xephyr forwarding.

Cheers,
Chris.
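
A sketch of the kind of wrapper script comment #1 suggests for contrib/, added here as an example; it is not part of the bug thread or of OpenSSH. The function names and the SOCK_DIR, LOCK_DIR and XEPHYR_SCREEN variables are hypothetical, and it assumes Xephyr, xauth, mcookie and ssh are installed on the client.

```shell
#!/bin/sh
# Added example: one throwaway Xephyr server per ssh connection.
# Assumed tools: Xephyr, xauth, mcookie, ssh. All names below are hypothetical.
SOCK_DIR=${SOCK_DIR:-/tmp/.X11-unix}   # where X servers create their sockets
LOCK_DIR=${LOCK_DIR:-/tmp}             # where they create .X<n>-lock files

# Print the lowest display number >= 1 that has neither a socket nor a lock.
# (Racy by nature: Xephyr itself refuses to start if the number got taken.)
free_display() {
    n=1
    while [ -e "$SOCK_DIR/X$n" ] || [ -e "$LOCK_DIR/.X$n-lock" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Print the Xephyr command line: display $1, auth file $2, geometry $3, host $4.
xephyr_cmd() {
    echo "Xephyr :$1 -auth $2 -nolisten tcp -screen $3 -title UNTRUSTED:$4"
}

# Usage: xephyr_ssh host [remote command...]
xephyr_ssh() {
    host=$1; shift
    dir=$(mktemp -d) || return 1
    disp=$(free_display)
    # Private cookie, so other local users cannot connect to the nested server.
    xauth -f "$dir/auth" add ":$disp" . "$(mcookie)"
    # Xephyr inherits the host DISPLAY and opens its window there.
    $(xephyr_cmd "$disp" "$dir/auth" "${XEPHYR_SCREEN:-1024x768}" "$host") &
    xpid=$!
    # Kill the nested server and drop the cookie when the connection ends.
    trap 'kill "$xpid" 2>/dev/null; rm -rf "$dir"' EXIT HUP INT TERM
    i=0
    while [ ! -e "$SOCK_DIR/X$disp" ] && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    # -Y (trusted forwarding) avoids the X11 SECURITY extension; the remote
    # side is confined by only ever seeing the nested display, not the host's.
    DISPLAY=":$disp" XAUTHORITY="$dir/auth" ssh -Y "$host" "$@"
}

# Run only when called with arguments, e.g.: ./xephyr-ssh.sh remote.host xterm
[ "$#" -eq 0 ] || xephyr_ssh "$@"
```

Because each call picks a fresh display number and cookie, two connections to different hosts never share a nested server, which is the isolation property footnote [1] in the original report asks for.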