Robert Watson writes:
> [...]
> If you search back a few years in the bugtraq archives, you'll see that
> one suggestion for dealing with this, and still allowing X11 forwarding
> from untrusted clients, is to use the Xnest server, limiting access by the
> ssh client to that DISPLAY. [...]

This is one possibility but you have to understand how X11 works and
probably also enable and configure the X11 security extension. You may
want to have a look at /usr/X11R6/lib/X11/xserver/SecurityPolicy (or
similar path).

Another possibility is to use an X11 connection proxy with filtering
capabilities like the one I wrote, see: http://home.cern.ch/~cons/mxconns

With mxconns, you can detect a great number of "hostile" X11 requests
before they reach your X server. I use it daily to filter what comes out
of the SSH X11 proxies that I use...

________________________________________________________
Lionel Cons        http://home.cern.ch/~cons
CERN               http://www.cern.ch

Instruction Booklet Governing Principle:
        Instruction booklets are lost by the Goods Delivery Service.
        If not, they are listed in four languages: Japanese, Thai,
        Swahili and Moghol.
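
The kind of check a filtering X11 proxy can apply to the client-to-server byte stream, as an added example that is not part of the original message and is not mxconns code. The set of flagged opcodes is an assumption chosen for illustration, the sample stream is constructed, and only core-protocol requests are inspected (no BIG-REQUESTS, and extension requests pass unflagged).

```python
import struct

# Opcodes flagged here are an assumption for illustration, not mxconns's rules.
FLAGGED = {25: "SendEvent", 31: "GrabKeyboard", 36: "GrabServer",
           44: "QueryKeymap", 73: "GetImage", 109: "ChangeHosts",
           111: "SetAccessControl"}

def pad4(n):
    """Round n up to the 4-byte boundary X11 uses for padding."""
    return (n + 3) & ~3

def scan_client_stream(data):
    """Scan one client-to-server stream (core protocol only).

    Returns (flagged, leftover): flagged is a list of (offset, opcode, name);
    leftover counts trailing bytes that do not yet form a whole request.
    """
    if len(data) < 12 or data[0] not in (0x42, 0x6C):
        raise ValueError("not an X11 connection setup")
    order = ">" if data[0] == 0x42 else "<"   # 'B' = MSB first, 'l' = LSB first
    name_len, auth_len = struct.unpack_from(order + "HH", data, 6)
    pos = 12 + pad4(name_len) + pad4(auth_len)  # first request follows setup
    if pos > len(data):
        raise ValueError("truncated connection setup")
    flagged = []
    while pos + 4 <= len(data):
        opcode, _detail, units = struct.unpack_from(order + "BBH", data, pos)
        if units == 0:  # only meaningful with BIG-REQUESTS, not handled here
            raise ValueError("zero-length request at offset %d" % pos)
        if pos + 4 * units > len(data):
            break       # partial request: wait for more bytes
        if opcode in FLAGGED:
            flagged.append((pos, opcode, FLAGGED[opcode]))
        pos += 4 * units
    return flagged, len(data) - pos

def constructed_sample():
    """Constructed little-endian stream: setup, then three requests."""
    setup = struct.pack("<BxHHHHxx", 0x6C, 11, 0, 18, 16)
    setup += b"MIT-MAGIC-COOKIE-1".ljust(20, b"\0") + bytes(16)  # dummy cookie
    get_focus = struct.pack("<BBH", 43, 0, 1)        # GetInputFocus
    query_keymap = struct.pack("<BBH", 44, 0, 1)     # QueryKeymap
    get_image = struct.pack("<BBHIhhHHI", 73, 2, 5, 0x123, 0, 0, 640, 480,
                            0xFFFFFFFF)              # GetImage, ZPixmap
    return setup + get_focus + query_keymap + get_image

if __name__ == "__main__":
    print(scan_client_stream(constructed_sample()))
```

A proxy placed between the SSH X11 forwarder and the real X server would run this per connection and drop or log the connection when the flagged list is non-empty.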
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:52 PDT