Gentoo Forums
X11 Forwarding with ssh and dual monitors
paradigm-X
Apprentice


Joined: 19 Sep 2013
Posts: 168

Posted: Thu Feb 20, 2014 6:21 am

I would like to test something for security purposes, but I am not sure how or whether the test is actually necessary in the way I am thinking about it. The documentation, as I understand it, says that X11 forwarding from an untrusted host to a local machine may entail security risks because someone on the remote machine, the one from which the X client runs, with sufficient file-system privileges could clandestinely observe what is happening on your local machine, the one where the X server runs. From such observations, this person might be able to log keystrokes or see the contents of your display, etc. Furthermore, apparently, because the X server is running as root, this malicious person could do a goodly amount of harm to your computer.

First, I do not understand the claim that a local X server must be running as root since I started it up with a regular user account, by simply issuing startx, for example. Secondly, if the remote person can observe my display, which display is meant when there are dual monitors? Also, if the local system is a virtual machine, from which the ssh session was launched AND there is a dual monitor setup such that one monitor contains the window where the virtual machine desktop is displayed, while the second monitor displays the host, for example, is then the host display observable too; or for that matter, is anything outside the window, in which the virtual machine is contained, observable at all?

It seems to me that I could limit such exposure, and its concomitant vulnerability, to a VM, depending on the type of dual monitor display arrangement in use. I mean, if one arrangement makes both monitors appear as one single desktop, versus two distinct desktops, then I could avoid exposure of the host display, could I not? I would like to find out how to go about testing what can be seen from a remote machine by using ssh on some local machines under my control, but I am not sure how to set up the test. If anyone can point me in the right direction, I would appreciate it.
Tony0945
Advocate


Joined: 25 Jul 2006
Posts: 2882
Location: Illinois, USA

Posted: Wed Feb 26, 2014 3:49 am

Quote:
the one from which the X client runs, with sufficient file-system privileges


IOW the remote has root privilege. I do this all the time on my local network for administration and checking out GUI applications on the remote.

I see little danger as long as the X forwarding is limited to the local network, which is physically secure. There is a configuration item that limits the IP addresses that can access the machine. I think it defaults to everyone, so set it to what you want, a range of addresses or only one address.
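Added example (not part of either post above): a small Python check of an OpenSSH client configuration that reports, per host, whether X11 forwarding is off, untrusted, or trusted. Trusted forwarding is the case in which remote X clients get full access to the local display. The sample config and host names are constructed, the defaults are assumed to be upstream OpenSSH's, and Match and Include directives are not handled.

```python
import fnmatch

# Constructed sample ~/.ssh/config (not from the thread); host names are made up.
SAMPLE_CONFIG = """\
Host lab-*
    ForwardX11 yes

Host admin-box
    ForwardX11 yes
    ForwardX11Trusted yes

Host *
    ForwardX11 no
"""

# Upstream OpenSSH defaults (assumption: the distribution has not changed them).
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}

def host_matches(patterns, host):
    """Host line matching: some positive pattern hits and no '!' pattern hits."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def effective_x11(config_text, host):
    """Return the X11 options that apply to host; the first value seen wins."""
    found, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "key value" or "key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key in DEFAULTS:
            found.setdefault(key, value.lower())
    return {**DEFAULTS, **found}

def x11_exposure(config_text, host):
    """'off', 'untrusted' (X11 SECURITY extension limits apply) or 'trusted' (full display access)."""
    opts = effective_x11(config_text, host)
    if opts["forwardx11"] != "yes":
        return "off"
    return "trusted" if opts["forwardx11trusted"] == "yes" else "untrusted"

if __name__ == "__main__":
    for name in ("lab-7", "admin-box", "other.example"):
        print(name, x11_exposure(SAMPLE_CONFIG, name))
```

Hosts reported as "trusted" are the ones to reserve for machines you control; on a live system, `ssh -G <host>` prints the configuration ssh actually resolves, including Match and Include.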