From owner-freebsd-questions@FreeBSD.ORG Thu Oct 23 11:36:42 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D5BE16A4BF for ; Thu, 23 Oct 2003 11:36:42 -0700 (PDT) Received: from obsecurity.dyndns.org (adsl-63-207-60-234.dsl.lsan03.pacbell.net [63.207.60.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id BE1E143F93 for ; Thu, 23 Oct 2003 11:36:41 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 6F5C866DE8; Thu, 23 Oct 2003 11:36:41 -0700 (PDT) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 48D02CBE; Thu, 23 Oct 2003 11:36:41 -0700 (PDT) Date: Thu, 23 Oct 2003 11:36:41 -0700 From: Kris Kennaway To: Joe Altman , FreeBSD Message-ID: <20031023183640.GA84095@rot13.obsecurity.org> References: <20031023171540.GA3965@panix.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="IJpNTDwzlM2Ie8A6" Content-Disposition: inline In-Reply-To: <20031023171540.GA3965@panix.com> User-Agent: Mutt/1.4.1i Subject: Re: Open SSH, sshd_config on FreeBSD vs. NetBSD re: X11 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Oct 2003 18:36:42 -0000 --IJpNTDwzlM2Ie8A6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Oct 23, 2003 at 01:15:40PM -0400, Joe Altman wrote: > >From the FreeBSD man page: >=20 > X11Forwarding > Specifies whether X11 forwarding is permitted. The > argument must be ``yes'' or ``no''. The default is > ``yes''. >=20 > >From the NetBSD page: >=20 > X11Forwarding > Specifies whether X11 forwarding is permitted. The > argument must be ``yes'' or ``no''. The default is > ``no''. >=20 > I don't mean to compare apples and oranges, nor to start a "My OS can > kick your OSes butt" thread; but I am wondering about the > difference. It seems the NetBSD default is safer, but I am also no > security wonk. It occurred to me that the man page for FreeBSD could > be incorrect; but I doubt that...it actually strikes me as a choice > made to reflect a balance between options. >=20 > Is the default set to no a more secure option? Or is it something that > can be arguH^H^discussed at length? By default it's enabled in the server but disabled in the client. > I do note that the man page for both OSes states that UseLogin > defaults to no, and that if used, X11 forwarding is turned off. > However, in the default config file for sshd, the line for UseLogin is > commented out. Given this latter state of affairs, can I continue to > assume that X11 forwarding is in fact _not_ enabled by default in > FreeBSD? That's incorrect; X11 forwarding does not depend on UseLogin. > Oh, and what is the difference between the entry in the ssh_config > file and the sshd_config file? Client vs server. > Hmmm....now I'm thinking that this: serverargs=3D"-nolisten tcp" >=20 > in /usr/X11R6/bin/startx/ may make this a bit of a moot point....is > this correct? No, ssh's X forwarding uses a local socket to communicate to the server. Kris --IJpNTDwzlM2Ie8A6 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/mB+4Wry0BWjoQKURAp8IAJ4v4TnALcQsV8sDxufD8u/mZqxGHACcCFJA L+SBewtsGgkp+hGTGZSxmzs= =VjJo -----END PGP SIGNATURE----- --IJpNTDwzlM2Ie8A6--