From: Matthew Seaman
To: Joe Altman, FreeBSD
Date: Thu, 23 Oct 2003 19:42:06 +0100
Message-ID: <20031023184206.GA86861@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20031023171540.GA3965@panix.com>
Subject: Re: Open SSH, sshd_config on FreeBSD vs. NetBSD re: X11

On Thu, Oct 23, 2003 at 01:15:40PM -0400, Joe Altman wrote:
> From the FreeBSD man page:
>
>      X11Forwarding
>              Specifies whether X11 forwarding is permitted.  The
>              argument must be ``yes'' or ``no''.  The default is
>              ``yes''.
>
> From the NetBSD page:
>
>      X11Forwarding
>              Specifies whether X11 forwarding is permitted.  The
>              argument must be ``yes'' or ``no''.  The default is
>              ``no''.
>
> I don't mean to compare apples and oranges, nor to start a "My OS can
> kick your OSes butt" thread; but I am wondering about the
> difference.  It seems the NetBSD default is safer, but I am also no
> security wonk.  It occurred to me that the man page for FreeBSD could
> be incorrect; but I doubt that...it actually strikes me as a choice
> made to reflect a balance between options.
>
> Is the default set to no a more secure option?  Or is it something that
> can be arguH^H^discussed at length?

X11Forwarding is an interesting one.  It doesn't expose the server
where that option is set to any more security implications than having
sshd(8) running anyway.  On the other hand, you as a user ssh-ing into
an untrusted machine are potentially exposed to having nasty things
done to you.  Same thing goes for servers with ForwardAgent=yes, which
can lead to loss of your ssh keys.

Moral of the story: never ssh into an untrusted machine without turning
off X- and Agent- forwarding on the client side (that's
'ssh -a -x user@hostname ...') and remember that such things as
rsync(1) default to running over ssh nowadays.

NetBSD seems to have specifically turned off the X11Forwarding option
due to a security problem several years ago:

    ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-010.txt.asc

As far as I can find, this didn't affect FreeBSD because the vulnerable
version of OpenSSH was never imported into the base system.

> I do note that the man page for both OSes states that UseLogin
> defaults to no, and that if used, X11 forwarding is turned off.
> However, in the default config file for sshd, the line for UseLogin is
> commented out.  Given this latter state of affairs, can I continue to
> assume that X11 forwarding is in fact _not_ enabled by default in
> FreeBSD?

The convention in the OpenSSH config files is to show the default value
of the setting, but commented out.  That way it is obvious that any
uncommented option in the config file is a local modification.

> Oh, and what is the difference between the entry in the ssh_config
> file and the sshd_config file?  Incoming vs. outbound traffic?  That is,
> sshd_config accepts incoming X11 forwarding (that is, from a remote
> host, to the localhost), and ssh_config allows outbound (from the
> localhost to a remote host) X11 forwarding?  It sure looks that way...

Essentially yes.  ssh_config(5) provides the client side defaults for a
user ssh(1) session.  However you can override the defaults either
from the command line (ssh -X) or by having your own default settings
in ${HOME}/.ssh/config.  You can't modify the sshd(8) settings as a
mortal user.

> Hmmm....now I'm thinking that this: serverargs="-nolisten tcp"
>
> in /usr/X11R6/bin/startx/ may make this a bit of a moot point....is
> this correct?

Turning off X's binding to tcp sockets is the default nowadays.
However, that won't stop you tunnelling remote X sessions over ssh(1)
-- just so long as the X11Forwarding flag is on for each end of the
connection.  In fact, this setup is the best and most secure way of
running X applications over a network.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
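The convention Matthew describes (the stock OpenSSH config files show each compiled-in default as a commented line, so only an uncommented line is a local modification) can be turned into a small audit check that answers Joe's question "is X11 forwarding actually on here?" from the file rather than by guessing. The script below is an added example, not code from the original mail or from the OpenSSH project: the sshd_config fragment it reads is constructed for the example, the function names effective_setting and is_enabled are my own, and it deliberately does not model sshd_config Match blocks or ssh_config Host blocks (assumption: a flat, global-only file).

```shell
#!/bin/sh
# Added example, not from the original mail: resolve the effective value of a
# directive in an OpenSSH-style config file.  The stock files list every
# compiled-in default as a commented line ("#X11Forwarding yes"), so only an
# uncommented line is a local modification and only those lines are consulted.
# Limitation (assumption for this example): sshd_config "Match" and ssh_config
# "Host" blocks are not modelled; the first uncommented match anywhere wins.

# effective_setting FILE KEYWORD DEFAULT
#   Prints the value from the first uncommented KEYWORD line in FILE (OpenSSH
#   itself takes the first occurrence of a keyword), or DEFAULT when no such
#   line exists.  Keywords compare case-insensitively and both "Keyword value"
#   and "Keyword=value" spellings are accepted.
effective_setting() {
    _file=$1; _keyword=$2; _default=$3
    _value=$(awk -v kw="$_keyword" '
        /^[[:space:]]*#/ || NF == 0 { next }     # comment or blank line: skip
        { line = $0; sub(/=/, " ", line); n = split(line, f) }
        n >= 2 && tolower(f[1]) == tolower(kw) { print f[2]; exit }
    ' "$_file")
    if [ -n "$_value" ]; then
        printf '%s\n' "$_value"
    else
        printf '%s\n' "$_default"
    fi
}

# is_enabled FILE KEYWORD DEFAULT
#   Exit status 0 when the effective value is "yes", 1 otherwise; convenient
#   in an audit loop over many hosts' sshd_config files.
is_enabled() {
    [ "$(effective_setting "$1" "$2" "$3")" = yes ]
}

# Constructed sshd_config fragment in the stock OpenSSH layout: the first two
# directives are commented defaults, the last one is a genuine local override.
SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# sample sshd_config, constructed for this example
#X11Forwarding yes
#UseLogin no
PermitRootLogin no
EOF

# The DEFAULT argument is the value documented in the man page of the system
# being audited (FreeBSD: yes, NetBSD: no, per the pages quoted in the thread);
# the commented line in the file is never consulted.
printf 'X11Forwarding (FreeBSD default): %s\n' \
    "$(effective_setting "$SAMPLE_SSHD_CONFIG" X11Forwarding yes)"
printf 'PermitRootLogin (local override): %s\n' \
    "$(effective_setting "$SAMPLE_SSHD_CONFIG" permitrootlogin yes)"
```

On a current OpenSSH, `sshd -T` (server) and `ssh -G hostname` (client) print the fully resolved configuration, including Match and Host handling, and are the authoritative way to check what is really in effect; the script above is only the file-level version of the same question, useful where those options are unavailable or when reviewing copied config files offline.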