IETF-SSH archive


Re: New Proposal for Section 11.3.3 X11 Forwarding




On Thursday, May 15, 2003, at 10:31 America/Montreal, Nicolas Williams wrote:
How about this?:

   X11 display forwarding, by itself, is not sufficient to correct well

s/X11 display forwarding/X11 display forwarding with SSH/

   known problems with X11 security [Venema].  However, X11 display
   forwarding in SSHv2 (or other, secure protocols), combined with
   actual and pseudo-displays which accept connections only over local
   IPC mechanisms authorized by permissions or ACLs, does correct most
   X11 security problems.

Proposed edits:

s/most X11/many X11/

   It is RECOMMENDED that X11 display implementations default to
   allowing display opens only over local IPC.  It is RECOMMENDED that
   SSHv2 server implementations that support X11 forwarding default to
   allowing display opens only over local IPC.  On single-user systems
   it is reasonable to default to allowing local display opens over
   TCP/IP.

s/it is reasonable/it might be reasonable/

Otherwise looks OK to me.

Ran
rja%extremenetworks.com@localhost
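
An added example, not part of the original message or of the draft under discussion: one way to audit a host against the recommendation above that displays accept opens only over local IPC, by listing TCP listeners in the X11 port range and separating loopback-only sockets from network-reachable ones. It assumes Linux `/proc/net/tcp` layout on a little-endian host and covers IPv4 only; the function name, the 64-display scan range and the sample table are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample in Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 0100007F:177A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0100007F:177A 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20004
"""

X11_BASE_PORT = 6000   # display :N listens on TCP port 6000 + N
MAX_DISPLAYS = 64      # assumption: check displays :0 through :63
TCP_LISTEN = 0x0A      # kernel state code for a listening socket


def x11_tcp_listeners(proc_net_tcp_text):
    """Return X11-range TCP listeners found in /proc/net/tcp-style text.

    Any result means a display is reachable over TCP rather than local IPC;
    scope "network" means it is bound beyond the loopback interface.
    """
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[3], 16) != TCP_LISTEN:          # ignore established etc.
            continue
        addr_hex, port_hex = fields[1].split(":")
        port = int(port_hex, 16)
        if not X11_BASE_PORT <= port < X11_BASE_PORT + MAX_DISPLAYS:
            continue
        # The address is a host-order 32-bit word; little-endian host assumed.
        addr = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
        findings.append({
            "display": port - X11_BASE_PORT,
            "address": str(addr),
            "scope": "loopback" if addr.is_loopback else "network",
        })
    return findings


if __name__ == "__main__":
    for f in x11_tcp_listeners(SAMPLE_PROC_NET_TCP):
        print(f"display :{f['display']} listens on {f['address']} ({f['scope']})")
```

On a live Linux host the same function can be given the contents of `/proc/net/tcp`; an empty result is consistent with the local-IPC-only default.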



