Hi,

The connection draft states (in section 6.3.1 Requesting X11 Forwarding): “It is recommended that the authentication cookie that is sent be a fake, random cookie, and that the cookie is checked and replaced by the real cookie when a connection request is received.”

Clearly the intent of this is that the fake cookie be translated to the real cookie. However, my reading of this is that the action when there is an invalid cookie (i.e. not the fake cookie generated when the tunnel was set up) or when there is no cookie is not specified. Is this correct?

Obviously, from a security point of view, we might want to close the channel in this case, or have some downstream checking going on. But as far as the ssh protocol is concerned, it sounds (from this draft) like we are not required to terminate the connection.

Glen Matthews
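
The check-and-replace step the quoted draft text recommends, as an added example that is not part of the original message or of the draft. It assumes MIT-MAGIC-COOKIE-1 and a fully buffered X11 connection-setup packet, and it refuses a wrong or missing cookie, which is this example's own policy choice; the names `rewrite_x11_setup`, `build_setup` and `X11AuthError` are hypothetical.

```python
import hmac
import struct

PROTO = b"MIT-MAGIC-COOKIE-1"

class X11AuthError(Exception):
    """Raised when the forwarded connection should be refused."""

def _pad4(n):
    return (n + 3) & ~3  # X11 pads the auth fields to a multiple of 4

def rewrite_x11_setup(packet, fake_cookie, real_cookie):
    """Return the setup packet with fake_cookie swapped for real_cookie.

    Assumption: the whole X11 connection-setup packet is already buffered.
    """
    if len(packet) < 12:
        raise X11AuthError("short setup packet")
    endian = {b"B": ">", b"l": "<"}.get(packet[:1])
    if endian is None:
        raise X11AuthError("bad byte-order marker")
    # Bytes 6-9 hold the lengths of the auth protocol name and auth data.
    name_len, data_len = struct.unpack_from(endian + "HH", packet, 6)
    data_off = 12 + _pad4(name_len)
    if len(packet) < data_off + _pad4(data_len):
        raise X11AuthError("truncated auth fields")
    name = packet[12:12 + name_len]
    data = packet[data_off:data_off + data_len]
    # An empty name/data pair (the "no cookie" case) is refused here too.
    if name != PROTO or len(real_cookie) != len(fake_cookie):
        raise X11AuthError("unexpected auth protocol or cookie size")
    # Constant-time comparison against the cookie issued for this tunnel.
    if not hmac.compare_digest(data, fake_cookie):
        raise X11AuthError("cookie is not the one issued for this tunnel")
    return packet[:data_off] + real_cookie + packet[data_off + data_len:]

def build_setup(cookie, proto=PROTO, endian="<"):
    """Build a constructed sample setup packet (protocol version 11.0)."""
    marker = b"l" if endian == "<" else b"B"
    head = marker + b"\0" + struct.pack(endian + "5H", 11, 0, len(proto), len(cookie), 0)
    pad = lambda b: b + b"\0" * (_pad4(len(b)) - len(b))
    return head + pad(proto) + pad(cookie)

if __name__ == "__main__":
    fake, real = bytes(range(16)), bytes(range(16, 32))  # constructed cookies
    print(rewrite_x11_setup(build_setup(fake), fake, real) == build_setup(real))
```
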