IETF-SSH archive
2nd Version was: New Proposal for Section 11.3.3 X11 Forwarding
Hi,
Latest revision incorporating the suggestions. I've removed the duplicate
reference to Venema's work and made the recommended substitutions. Please
comment.
Thanks,
Chris
=======================================================================
11.3.3 X11 forwarding
Another form of proxy forwarding provided by the ssh connection
protocol is the forwarding of the X11 protocol. If end-point security
has been compromised, X11 forwarding may allow attacks against the X11
server. Users and administrators should, as a matter of course, use
appropriate X11 security mechanisms to prevent unauthorized use of the
X11 server. Implementors, administrators and users who wish to
further explore the security mechanisms of X11 are invited to read
[SCHEIFLER] and analyze previously reported problems with the
interactions between SSH forwarding and X11 in CERT vulnerabilities
VU#363181 and VU#118892 [CERT].
X11 display forwarding with SSH, by itself, is not sufficient to
correct well known problems with X11 security [VENEMA]. However, X11
display forwarding in SSHv2 (or other secure protocols), combined
with actual and pseudo-displays which accept connections only over
local IPC mechanisms authorized by permissions or ACLs, does correct
many X11 security problems as long as the "none" MAC is not used. It
is RECOMMENDED that X11 display implementations default to allowing
display opens only over local IPC. It is RECOMMENDED that SSHv2
server implementations that support X11 forwarding default to allowing
display opens only over local IPC. On single-user systems it might be
reasonable to default to allowing local display opens over TCP/IP.
Implementors of the X11 forwarding protocol SHOULD implement the magic
cookie access checking spoofing mechanism as described in [ssh-connect]
as an additional mechanism to prevent unauthorized use of the proxy.
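The cookie-spoofing check referred to above, shown as an added illustration rather than text from the proposal or code from any SSH implementation: the forwarding side hands the remote host a fake MIT-MAGIC-COOKIE-1, and when a forwarded X11 connection arrives it parses the X11 connection setup request (byte-order byte, protocol version, auth name and data lengths, each field padded to four bytes), refuses anything whose cookie does not equal the fake one, and only then substitutes the real cookie of the local display. The packet layout follows the X Window System Protocol specification; the sample cookies and function names are assumptions for this example.

```python
import hmac
import os
import struct
from typing import Optional

AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"


def _pad(n: int) -> int:
    """X11 pads every variable-length field to a multiple of 4 bytes."""
    return (4 - n % 4) % 4


def build_setup(cookie: bytes, little_endian: bool = True) -> bytes:
    """Build an X11 connection setup request carrying `cookie`.
    Constructed test input standing in for a forwarded X client."""
    order = "<" if little_endian else ">"
    hdr = (b"l" if little_endian else b"B") + b"\0"
    # major=11, minor=0, auth-name length, auth-data length, unused
    hdr += struct.pack(order + "HHHHH", 11, 0, len(AUTH_PROTO), len(cookie), 0)
    return (hdr + AUTH_PROTO + b"\0" * _pad(len(AUTH_PROTO))
            + cookie + b"\0" * _pad(len(cookie)))


def spoof_cookie(setup: bytes, fake: bytes, real: bytes) -> Optional[bytes]:
    """Return `setup` rewritten with the real display cookie if it carried
    the fake cookie we handed out; None means the caller must drop it."""
    if len(setup) < 12 or setup[0] not in b"Bl":
        return None
    order = ">" if setup[0] == ord("B") else "<"
    n, d = struct.unpack_from(order + "HH", setup, 6)
    name_off, data_off = 12, 12 + n + _pad(n)
    if len(setup) < data_off + d:
        return None
    if setup[name_off:name_off + n] != AUTH_PROTO:
        return None
    # Constant-time compare so a wrong guess cannot be timed against the fake.
    if not hmac.compare_digest(setup[data_off:data_off + d], fake):
        return None
    tail = setup[data_off + d + _pad(d):]
    hdr = setup[:8] + struct.pack(order + "H", len(real)) + setup[10:12]
    return hdr + setup[12:data_off] + real + b"\0" * _pad(len(real)) + tail


if __name__ == "__main__":
    fake, real = os.urandom(16), os.urandom(16)
    print(spoof_cookie(build_setup(fake), fake, real) == build_setup(real))
```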
[SCHEIFLER] Scheifler, R., "X Window System: The Complete
Reference to Xlib, X Protocol, ICCCM, XLFD, 3rd
edition", Digital Press, ISBN 1555580882, February
1992.
[CERT] The CERT Coordination Center, Software Engineering
Institute, Carnegie Mellon University, Pittsburgh, PA
15213-3890, U.S.A.
http://www.cert.org/nav/index_red.html
[ssh-connect] ssh-connect ID to be replaced with the RFC information
when available
[VENEMA] Venema, W., "Murphy's Law and Computer Security",
Proceedings of the 6th USENIX Security Symposium, San Jose, CA,
July 1996.
http://www.usenix.org/publications/library/proceedings/sec96/venema.html