IETF-SSH archive


Re: New Proposal for Section 11.3.3 X11 Forwarding



On Thu, May 15, 2003 at 11:18:22AM -0400, RJ Atkinson wrote:
> 
> On Thursday, May 15, 2003, at 10:31 America/Montreal, Nicolas Williams 
> wrote:
> > How about this?:
> >
> >    X11 display forwarding, by itself, is not sufficient to correct well
> 
> s/X11 display forwarding/X11 display forwarding with SSH/

I intended that the first sentence reference X11 display forwarding in
general - the point being that "X11 display forwarding," whatever
protocol is used for the purpose, by itself does not solve the X11
display security problems.  The next sentence references X11 display
forwarding with SSHv2 specifically.

Perhaps we should mention non-use of the "none" encryption and MAC algs...

> >    known problems with X11 security [Venema].  However, X11 display
> >    forwarding in SSHv2 (or other, secure protocols), combined with
> >    actual and pseudo-displays which accept connections only over local
> >    IPC mechanisms authorized by permissions or ACLs, does correct most
> >    X11 security problems.
> 
> Proposed edits:
> 
> s/most X11/many X11/

Yes, thank you.

> >    It is RECOMMENDED that X11 display implementations default to
> >    allowing display opens only over local IPC.  It is RECOMMENDED that
> >    SSHv2 server implementations that support X11 forwarding default to
> >    allowing display opens only over local IPC.  On single-user systems
> >    it is reasonable to default to allowing local display opens over
> >    TCP/IP.
> 
> s/it is reasonable/it might be reasonable/

Good one.

> Otherwise looks OK to me.

Thanks,

Nico
-- 
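The distinction the proposed text draws is between a display that accepts opens only over local IPC (the UNIX socket behind ":0"), one that accepts TCP from loopback only (what an SSH server forwarding X11 over loopback produces, e.g. OpenSSH with X11UseLocalhost yes), and one bound to TCP on all interfaces. The following is an added example for this thread, not code from the draft or from any SSH implementation: it classifies a DISPLAY string by transport and scans constructed `ss -lnt`-style output for X11 ports (6000 + display number) bound to non-loopback addresses. The sample listener output and hostnames are made up for the example.

```python
"""Classify how an X11 display is reachable, and flag X11 TCP listeners.

Added example for the thread above; not code from the draft or from any
SSH implementation.  SAMPLE_SS_OUTPUT is constructed sample data.
"""
import re

X11_BASE_PORT = 6000          # display :n listens on TCP port 6000 + n
X11_MAX_DISPLAY = 99          # scan ports 6000..6099
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")


def parse_display(display):
    """Split a DISPLAY string into (host, display_number).

    ':0' and 'unix:0' name a local IPC endpoint (the UNIX socket
    /tmp/.X11-unix/X0); 'localhost:10.0' is TCP on loopback; anything
    else is TCP to a remote host.
    """
    m = _DISPLAY_RE.match(display)
    if not m:
        raise ValueError("unrecognised DISPLAY: %r" % display)
    return m.group("host"), int(m.group("num"))


def classify_display(display):
    """Return 'local-ipc', 'local-tcp' or 'remote-tcp' for a DISPLAY string."""
    host, _ = parse_display(display)
    if host in ("", "unix"):
        return "local-ipc"
    if host in LOOPBACK:
        return "local-tcp"
    return "remote-tcp"


def parse_listeners(ss_output):
    """Yield (local_address, port) for LISTEN rows of `ss -lnt`-style output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # "Local Address:Port" column
        yield addr.strip("[]"), int(port)           # drop IPv6 brackets


def exposed_x_listeners(ss_output):
    """List X11 TCP listeners as (display_number, address, exposure).

    exposure is 'loopback' for a 127.0.0.1/::1 bind (the most a server
    forwarding X11 over loopback should show) and 'any' for a wildcard
    or non-loopback bind, i.e. display opens accepted over the network.
    """
    found = []
    for addr, port in parse_listeners(ss_output):
        if not X11_BASE_PORT <= port <= X11_BASE_PORT + X11_MAX_DISPLAY:
            continue
        exposure = "loopback" if addr in LOOPBACK else "any"
        found.append((port - X11_BASE_PORT, addr, exposure))
    return found


# Constructed sample output in the layout of `ss -lnt`; not a real capture.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    [::1]:6011          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

if __name__ == "__main__":
    for d in (":0", "unix:0", "localhost:10.0", "ws1.example.org:0"):
        print(d, "->", classify_display(d))
    for num, addr, exposure in exposed_x_listeners(SAMPLE_SS_OUTPUT):
        print("display :%d bound to %s (%s)" % (num, addr, exposure))
```

Run against real `ss -lnt` output, an entry with exposure 'any' on a multi-user host is the configuration the proposed text recommends against as a default; a display reachable only through the UNIX socket produces no X11 port entry at all. The DISPLAY parser does not handle bracketed IPv6 literals.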


