Urgent - Potential security hole.

Nalin Dahyabhai nalin at redhat.com
Mon Nov 1 19:50:59 UTC 2004


On Sat, Oct 30, 2004 at 11:06:13AM -0600, Michal Jaegermann wrote:
> On Sat, Oct 30, 2004 at 10:54:35AM -0500, Satish Balay wrote:
> > 
> > If you ssh into FC3 (from a different machine with older ssh) - you
> > can run firefox.  If you ssh from FC3 into any other machine - you
> > need 'ssh -y' for it to work.
> 
> Actually this is '-Y' and not '-y' and this makes a difference. :-)
> 
> There is another problem, though. 'man ssh' says:
> 
>    X11 and TCP forwarding
>      If the ForwardX11 variable is set to "yes" (or see the description of the
>      -X and -x options described later) and the user is using X11 (the DISPLAY
>      environment variable is set), the connection to the X11 display is auto-
>      matically forwarded to the remote side in such a way that any X11 pro-
>      grams started from the shell (or command) will go through the encrypted
>      channel, and the connection to the real X server will be made from the
>      local machine.
> 
> and not a peep about some '-Y'.  It is true that some other places
> you can find some mentions about "trusted" but what "trusted" may
> be is never really explained.

The short-and-probably-inadequate explanation is that untrusted clients
can only interact/mess with other untrusted clients, the idea being that
you have clients which might misbehave, and those that you trust to not.

There's a bit more on the specifics of the -X/ForwardX11 and
-Y/ForwardX11Trusted options in the ssh_config(5) man page, and a bit
more in xauth(1)'s documentation of the "generate" command.  There's
also the security extension spec itself [1].

HTH,

Nalin

[1] http://www.xfree86.org/snapshot/security.pdf
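As an added example (not part of this thread, and not OpenSSH's or Fedora's own code), here is a small POSIX sh script that turns the -X / -Y distinction above into two things a practitioner can actually run: a check that reads ssh's effective client options and reports whether forwarding to a host will be off, untrusted (-X / ForwardX11 yes) or trusted (-Y / ForwardX11Trusted yes), and a client config that keeps the untrusted default everywhere and grants trusted forwarding to a single host. It assumes an OpenSSH new enough to have "ssh -G" (6.8 and later, so not the FC3-era ssh discussed here); the host name build.example and the sample "ssh -G" output are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): decide from ssh's effective
# client configuration whether X11 forwarding for a host will be off,
# untrusted (-X / ForwardX11 yes) or trusted (-Y / ForwardX11Trusted yes).
# Assumes an OpenSSH with "ssh -G" (6.8 or later), which prints the
# resolved options one per line in lower case, e.g. "forwardx11 yes".

# x11_trust_mode: read "ssh -G"-style output on stdin and print one of
# none / untrusted / trusted.  A trusted cookie only matters when
# forwarding is on at all, so ForwardX11Trusted on its own yields "none".
x11_trust_mode() {
    fwd=no; trusted=no
    while read -r key val; do
        case "$key" in
            forwardx11)        fwd=$val ;;
            forwardx11trusted) trusted=$val ;;
        esac
    done
    if [ "$fwd" != yes ]; then
        echo none
    elif [ "$trusted" = yes ]; then
        echo trusted
    else
        echo untrusted
    fi
}

# write_x11_config: emit a client config that keeps the default
# (untrusted) forwarding everywhere and grants trusted forwarding only
# to the host named in $1 (a hypothetical host name supplied by the caller).
write_x11_config() {
    cat <<EOF
# Global default: forward X11 with an untrusted cookie (what "ssh -X" does).
# Untrusted clients can only interact with other untrusted clients.
Host *
    ForwardX11 yes
    ForwardX11Trusted no
    ForwardX11Timeout 20m

# Only this host gets full (trusted) access to the local display, as with "ssh -Y".
Host $1
    ForwardX11Trusted yes
EOF
}

# Constructed sample of "ssh -G" output, standing in for a real run.
SAMPLE_UNTRUSTED='hostname build.example
forwardx11 yes
forwardx11trusted no
forwardx11timeout 1200'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_UNTRUSTED" | x11_trust_mode
    # Live check against a real host:
    #   ssh -G build.example | x11_trust_mode
    # The untrusted cookie ssh installs on the remote side comes from
    # xauth's "generate" command; to make one by hand on the client:
    #   xauth generate "$DISPLAY" MIT-MAGIC-COOKIE-1 untrusted timeout 1200
    write_x11_config build.example
fi
```

Run it as "sh script.sh demo" to see the sample classified as untrusted and the config printed; pipe a real "ssh -G somehost" into x11_trust_mode to see what a given host will get before opening the session. The xauth line is the same shape of command ssh itself issues for -X, which is why an untrusted session expires after ForwardX11Timeout while a -Y session does not.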
