X11Forwarding defaults to off

Bug #8185 reported by Jeff Waugh
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Colin Watson

Bug Description

I'd love to be able to tell people to ssh -X without any setup requirements
(which requires X11Forwarding on in sshd_config). Are there any security
concerns with this?

Matt Zimmerman (mdz) wrote :

I've wondered about this myself. There are good reasons for it to be disabled
on the client side by default, but I don't see why it should be disallowed by
the server if the client requests it.

Colin Watson (cjwatson) wrote :

"When X11 forwarding is enabled, there may be additional exposure to the server
and to client displays if the sshd proxy display is configured to listen on the
wildcard address (see X11UseLocalhost below), however this is not the default."
(sshd_config(5))

I think I'm happy to enable X11 forwarding by default on the server side.

The change to openssh-server.postinst is simple, although it'll only affect new
installations because we aren't using ucf yet. OK to upload?

Jeff Waugh (jdub) wrote :

I'm happy with it, upload approved.

Colin Watson (cjwatson) wrote :

openssh (1:3.8.1p1-10ubuntu2) warty; urgency=low

  * Set X11Forwarding to yes in the default sshd_config (new installs only).
    At least when X11UseLocalhost is turned on, which is the default, I
    believe that the security risks of using X11 forwarding are risks to the
    client, not to the server (closes: Warty #1429).

 -- Colin Watson <email address hidden> Mon, 20 Sep 2004 14:02:59 +0100
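
The thread turns on whether X11Forwarding is on and whether X11UseLocalhost keeps the proxy display off the wildcard address. The following is an added example, not part of the bug report or of openssh, that classifies an sshd_config on those two keywords. The function names and the sample configuration are constructed; it reads only the global section (before any Match block) and assumes the upstream defaults for absent keywords.

```python
# Added example: classify the X11 forwarding exposure of an sshd_config.
# Assumed defaults when a keyword is absent (sshd_config(5)):
# X11Forwarding no, X11UseLocalhost yes.
DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes"}

# Constructed sample input, not taken from the bug report.
SAMPLE_CONFIG = """\
Port 22
X11Forwarding yes
#X11UseLocalhost no
X11DisplayOffset 10
Match User kiosk
    X11Forwarding no
"""


def effective_x11(config_text):
    """Return the global X11 settings; the first value seen per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument may be separated by whitespace or '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # everything after the first Match is conditional
        if keyword in DEFAULTS and keyword not in seen and len(parts) == 2:
            seen[keyword] = parts[1].split()[0].strip('"').lower()
    return {**DEFAULTS, **seen}


def assess(config_text):
    """Classify the configuration by the two keywords discussed in the thread."""
    settings = effective_x11(config_text)
    if settings["x11forwarding"] != "yes":
        return "forwarding-off"
    if settings["x11uselocalhost"] == "no":
        return "forwarding-on-wildcard"  # proxy display bound to the wildcard address
    return "forwarding-on-loopback"


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))
```

On a live host, `sshd -T` prints the effective configuration, including Match handling, and is the authoritative source.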
