X forwarding through SSH
Posted by isilanes on September 17, 2007
Already out of ideas for blog posts, I will shamelessly copy some material from my web site.
When connecting to a remote machine (called, e.g., Orpheus), we used to do the following to open a remote X client application:
localmachine> xhost +orpheus
localmachine> ssh orpheus
orpheus> setenv DISPLAY localmachine:0.0
Doing so is insecure, because 1) all the information sent from or to Orpheus by the X client (xeyes in this example) travels unencrypted (maybe not a big concern with xeyes, but what if the remote application is a dialog where we type a password?) and 2) xhost only checks that the connecting IP address is the one we attributed to Orpheus before accepting X input. Any user logged in to Orpheus, or anyone who can spoof Orpheus's IP address, can send us X input that our computer will accept (e.g., move our mouse, close windows, simulate keystrokes, or display unwanted images on our screen).
The solution is to forward X traffic over SSH: we connect to a machine through SSH, and our local X server then accepts only the X connections that arrive through the SSH process we started, so the traffic travels inside the encrypted SSH session.
To do so we must insert the following line into the ~/.ssh/config file in our “localmachine” computer (create the file if it doesn’t exist):
The next step is more complex, since only the administrator of the remote machine can accomplish it. As root, we have to open the /etc/ssh/sshd_config file (notice the “d”) in the remote machine (e.g. Orpheus), and search for the lines:
And set them to:
After that, we have to restart the SSH daemon. On Debian:
% /etc/init.d/ssh restart
or, on systems that use rc.d init scripts:
% /etc/rc.d/rc.sshd restart
A couple of final notes:
The environment variable DISPLAY should NOT be set by ~/.login or some other login script, because this would override the above procedure and make the X client connect over plain TCP instead of through the tunnel. To use the SSH tunnel for a session:
localmachine> ssh -X orpheus
To take advantage of this system, and make our computer more secure, no host should be allowed to send X input through xhost, that is, issuing the xhost command should output the following:
access control enabled, only authorized clients can connect
with no "INET:Orpheus.sq.ehu.es"-like lines.
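The settings the procedure above refers to, together with two checks for the two closing notes, as an added example (not code from the original post). The host name "orpheus" is the post's own example; the OpenSSH option names are real, and the DISPLAY check assumes the sshd defaults X11UseLocalhost yes and X11DisplayOffset 10.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenSSH settings the post
# refers to and two checks for its closing notes. The host name "orpheus"
# is the post's example; OpenSSH option names are real; the DISPLAY check
# assumes the sshd defaults X11UseLocalhost yes and X11DisplayOffset 10.

# Stanza for ~/.ssh/config on localmachine: forward X11 for this host only,
# which is what "ssh -X orpheus" also does for a single session.
client_config() {
    cat <<'EOF'
Host orpheus
    ForwardX11 yes
EOF
}

# Lines for /etc/ssh/sshd_config on orpheus (root only). X11UseLocalhost
# keeps the forwarded display listening on the loopback interface only.
server_config() {
    cat <<'EOF'
X11Forwarding yes
X11UseLocalhost yes
EOF
}

# sshd sets DISPLAY to localhost:<n>.0 with n >= X11DisplayOffset (10).
# Anything else, e.g. localmachine:0.0 set by ~/.login, means X clients
# would talk to the X server directly over TCP instead of through the tunnel.
display_is_tunneled() {
    case "$1" in localhost:*) ;; *) return 1 ;; esac
    n=${1#localhost:}; n=${n%%.*}        # "localhost:10.0" -> "10"
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge 10 ]
}

# Reads the output of "xhost" on stdin. Succeeds only when access control
# is enabled and no host-based (INET:/INET6:/LOCAL:) entries remain.
xhost_is_clean() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^access control enabled' || return 1
    ! printf '%s\n' "$out" | grep -Eq '^(INET|INET6|LOCAL):'
}

# Usage on localmachine:  display_is_tunneled "$DISPLAY" && echo tunneled
#                         xhost | xhost_is_clean && echo "xhost list clean"
```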
Filed under Free software and related beasts. Tagged: en, floss/linux, internet, networks, security.