Ssh – downside to enabling X11 forwarding in ssh

opensshsshx11

For some remote work, I sometimes use X11 forwarding on ssh connections, but usually don't. But, instead remebering to use the -X flag on my ssh connection, I can also set ForwardX11 yes to enable it by default.

My question is, is there any (significant) downside to having X11 forwarding always enabled while not actively using it?

I am using OpenSSH for this, server runs version 5.9, client 6.6.

Edit: I mean enabling it on a per host basis, in $HOME/.ssh/config, not globally.

Best Answer

When writing about this topic, I recommend reading through this paper:

http://www.giac.org/paper/gcih/571/x11-forwarding-ssh-considered-harmful/104780

It describes the consequences of letting ForwardX11 option turned on by default in really nice and prosaic way.

But to sum this up, yes, you should turn this off by default and let it on only for trusted servers where you actually need it in your local ~/.ssh/config file.

Untrusted machine is basically each machine, where somebody else has a root access, because that root can access your whole local X11 session, which is basically a thing you don't want from server in remote data-center or for internet facing machine that could be compromised.

Related Solutions

Ssh – X client forwarded over SSH “cannot open display: localhost:11.0”

This is the very basic way of how it should work:

On the client / local machine (Xorg installed on client) try this:

$ xhost +
access control disabled, clients can connect from any host

Later try:

$ ssh -AY user@host xterm

$ ssh -AX user@host xterm

With non standard clients xhost may be needed.

check 9.3.5.6. Nonstandard X clients

Ssh – Understanding ssh X11 forwarding

I need X installed on the host too, right?

You need an X server installed on the host only, and it will need to be running. You will need some X client libraries in the container (installing xbmc will presumably pull these in as dependencies), but not an X server.

What exactly are "displays" (like :0 and :1) and do I need to set them?

Displays are distinct (hypothetical) screens managed by a particular server, and the DISPLAY environment variable tells X clients how to connect. ssh -X sets that up automatically; you don't need to do anything.

It is possible to do this without involving ssh at all, using X natively. In that case you will need to set up DISPLAY appropriately. There's no particular advantage in that for you in these circumstances, other than lowering the resource cost from encrypting the connection.

If you are not running the ssh command from inside the host's X server environment you will need to set DISPLAY=:0 (or similar) explicitly on that end so that ssh can see it.

Is what I'm trying to do possible?

Yes, it is almost the purpose of the X protocol.

You should check man ssh for details of the -X and -Y options, and man ssh_config for details of the ForwardX11Trusted option. In your case it's likely that the security concerns don't really apply, but do check and make sure.

In particular, ssh -Y has a higher success rate in some configurations, but gives the remote end unrestricted access to your X server, while ssh -X prevents many such accesses and forces the authentication to expire after a short time. The X protocol is not terribly secure and a client with unrestricted access can, for example, log every keypress made in every other client.

Best Answer

Related Solutions

Ssh – X client forwarded over SSH “cannot open display: localhost:11.0”

Ssh – Understanding ssh X11 forwarding

Related Question