Ok, just to make sure everyone completely understands my previous post about SSH & xauth.

The whole issue is that by default the *SSH CLIENT* automagically requests X forwarding from the server if the client was run during an X session.

The *entire* reason for the above post was NOT to alert people of a new hole, just to make SSH users aware that by default the SSH Client is set up to allow a trojanized server control of their X session. This is more significant than trojanizing the SSH server. There is a large amount of control given when X forwarding is on, far beyond the control of just what goes on in that ssh terminal session.

For absolute security, a client should always give out trust in the smallest portions available. Trusting X tunneling by default is not a good idea, and should be turned off. As stated in previous postings, if you must use X, use Xnest.

If this was unclear in my previous post to bugtraq, then I am sorry.

--
Brian Caswell <cazzat_private>
I can levitate birds. Nobody cares. --- Steven Wright
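A check for the client-side setting the post above recommends turning off, as an added example that is not part of the original message. It assumes an OpenSSH-style `ssh_config` file and its `ForwardX11` keyword; the host names and the sample config are constructed.

```shell
#!/bin/sh
# Added example: audit an OpenSSH-style client config for X11 forwarding.
# Prints "ENABLED <host pattern>" for every block that sets ForwardX11 yes,
# and "NO-DEFAULT-DENY" when no global or "Host *" entry sets ForwardX11 no,
# meaning unlisted hosts fall back to the client's built-in default.
# It is conservative: it flags every "yes" without modelling which of
# several matching blocks the client would actually apply.
x11_audit() {
    awk '
    BEGIN { host = "(global)"; deny_all = 0 }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # keyword and value are separated by whitespace and/or "="
        if (!match(line, /[ \t=]+/)) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", val)
        if (key == "host")  { host = val; next }
        if (key == "match") { host = "match " val; next }
        if (key == "forwardx11") {
            v = tolower(val)
            if (v == "yes") print "ENABLED " host
            else if (v == "no" && (host == "*" || host == "(global)"))
                deny_all = 1
        }
    }
    END { if (!deny_all) print "NO-DEFAULT-DENY" }
    ' "$1"
}

# Constructed sample config: one host opts in, nothing denies by default.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real configuration
Host build.example.test
    ForwardX11 yes
Host bastion.example.test
    ForwardX11=no
Host *
    Compression yes
EOF
}

demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
x11_audit "$demo_cfg"
rm -f "$demo_cfg"
```

Run `x11_audit` against `~/.ssh/config` and the system-wide client config; an empty result means a catch-all `ForwardX11 no` is present and no block re-enables forwarding.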
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:09 PDT