openssh bugs - Aug 2011 - [Bug 1926] New: use Xephyr for "secure" X-forwarding

https://bugzilla.mindrot.org/show_bug.cgi?id=1926

             Bug #: 1926
           Summary: use Xephyr for "secure" X-forwarding
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: calestyo at scientia.net


Hi.

I'm not sure whether I really understood the details of Xephyr and how
it interacts with the host X server correctly, but to me it seems that
this runs as a separate X server, not having access to anything of the
host X server.

X11Forwarding is considered insecure, cause a malicious remote host
could tamper with the client's host X server, right?
Therefore I basically never use it.


Why not adding a new feature that does about the following (let's call
it -SX for the moment).

If the user does something like ssh -SX remote.host, X-forwarind is
(completely secured via SSH tunnels) enabled and DISPLAY is set, but
not to the client's host X server, but to a freshly invoked Xephyr
instance started by ssh.

As far as I understand - but experts should probably confirm this - one
would then have a separate Window (from Xephyr) and only the contents/X
server of THIS very window can be attacked by the remote host.
But this shouldn't be a great deal as it's anyway only the remote
host's stuff that runs in there.
Perhaps one could even add some functionally to Xephyr that marks such
a window with big fat red borders (or whatever) to hint the user that
this is untrusted and that he shouldn't enter his password there ;).

Of course it must be secured, that the Xephys server and the tunnels
are killed once the connection is closed (but I guess this would work
more or less of out the box anyway).

Of course, for every connection, new Xephyr servers would have to be
started, otherwise, different remote hosts could attack the contents of
each other[1].


Features one could think of:
- an ssh_config option to specifiy the parameters to Xephyr. So one
could e.g. per host, set how big the Xephyr windows should be.
- an option to minimise the Xephyr window in the beginning (would sound
useful to me, especially if one does a plain ssh login, and not
starting a command).
- an option that different ssh connections to the __same__
host/address-literal are allowed to use the same Xephyr server (in
contrast to [1]).

Not sure whether it's technically possible to add functionality that
the Xephyr server is started only on demand, e.g. when the first remote
program tries to open a connection.
If so that would be very nice, but in this case it would REALLY be
important to prevent focus/input stealing by suddenly started Xephyr
windows (while e.g. the user just enters a password on the safe host X
server). Not sure whether starting the Xephyr window minimised is
enough protection here.


Cheers,
Chris.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1926

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-12-02 11:39:04
EST ---
That's a nice idea - the security extension stuff in X11 that we
support has never worked well with applications that people actually
use. 

Unfortunately, xephyr isn't widely deployed beyond Linux so we can't
count on it being there. Perhaps we could ship some scripts in contrib/
that simplify the use of xephyr with ssh for now?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1926

--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.net>
2011-12-03 11:04:44 EST ---
Yeah,.. I think it would be great... though, I don't yet know, whether
Xephyr is "break-out-secure".


What do you mean with "beyond Linux".
It's part of xorg as far as I can see, so in principle every major
UNIX/Linux should ship it (are there still people using Xfree86?!).

With respect to Windows/MAC/other systems:
These don't have any X [forwarding] support out-of-the box,... so they
don't support the whole thing anyway.

So IMHO this wouldn't be a problem.


And I guess it would be much more useful, if this was integrated in ssh
itself,.. and controllable via config options, e.g. that one can
disable "normal" X11 forwarding completely while allowing the
"secure"
Xephyr forwarding.

Cheers,
Chris.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.