Open SSH, sshd_config on FreeBSD vs. NetBSD re: X11

Kris Kennaway kris at obsecurity.org
Thu Oct 23 11:36:42 PDT 2003


On Thu, Oct 23, 2003 at 01:15:40PM -0400, Joe Altman wrote:
> From the FreeBSD man page:
> 
> X11Forwarding
>              Specifies whether X11 forwarding is permitted. The
>              argument must be ``yes'' or ``no''.  The default is
>              ``yes''.
> 
> From the NetBSD page:
> 
> X11Forwarding
>              Specifies whether X11 forwarding is permitted. The
>              argument must be ``yes'' or ``no''.  The default is
>              ``no''.
> 
> I don't mean to compare apples and oranges, nor to start a "My OS can
> kick your OS's butt" thread; but I am wondering about the
> difference. It seems the NetBSD default is safer, but I am also no
> security wonk. It occurred to me that the man page for FreeBSD could
> be incorrect; but I doubt that...it actually strikes me as a choice
> made to reflect a balance between options.
> 
> Is the default set to no a more secure option? Or is it something that
> can be arguH^H^discussed at length?

By default it's enabled in the server but disabled in the client.

> I do note that the man page for both OSes states that UseLogin
> defaults to no, and that if used, X11 forwarding is turned off.
> However, in the default config file for sshd, the line for UseLogin is
> commented out. Given this latter state of affairs, can I continue to
> assume that X11 forwarding is in fact _not_ enabled by default in
> FreeBSD?

That's incorrect; X11 forwarding does not depend on UseLogin.

> Oh, and what is the difference between the entry in the ssh_config
> file and the sshd_config file?

Client vs server.

> Hmmm....now I'm thinking that this: serverargs="-nolisten tcp"
> 
> in /usr/X11R6/bin/startx/  may make this a bit of a moot point....is
> this correct?

No, ssh's X forwarding uses a local socket to communicate to the server.

Kris
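
An added example, not part of the original message or of OpenSSH: a small shell check for the point discussed above, that a commented-out `X11Forwarding` line in sshd_config leaves the compiled-in server default in force. The helper name `effective_keyword` and the sample files are constructed for illustration, and the built-in default is passed in as an argument (``yes'' for FreeBSD and ``no'' for NetBSD, per the man pages quoted above).

```shell
#!/bin/sh
# Added example. effective_keyword FILE KEYWORD BUILTIN_DEFAULT (hypothetical helper)
# Prints the value in force for KEYWORD in the global part of an sshd_config:
# the first uncommented occurrence wins; if there is none, the compiled-in
# default applies, so a "#X11Forwarding ..." line changes nothing.
effective_keyword() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        {
            sub(/^[ \t]+/, "")                    # strip leading whitespace
            if ($0 == "" || $0 ~ /^#/) next       # skip blank and comment lines
            sub(/[ \t]*=[ \t]*/, " ")             # tolerate "Keyword=value"
            n = split($0, f, /[ \t]+/)
            key = tolower(f[1])                   # keywords are case-insensitive
            if (key == "match") exit              # conditional blocks are out of scope
            if (key == want && n >= 2 && f[2] != "") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print dflt }
    ' "$1"
}

# Constructed sample: a stock-style sshd_config where the line is commented out.
sample_stock() {
    printf '%s\n' '#UseLogin no' '#X11Forwarding yes' \
        'Subsystem sftp /usr/libexec/sftp-server'
}
# Constructed sample: an explicit override; the later duplicate is ignored.
sample_hardened() {
    printf '%s\n' '# local policy' 'x11forwarding no' 'X11Forwarding yes'
}

tmp=$(mktemp)
sample_stock > "$tmp"
echo "built-in default yes, stock file: $(effective_keyword "$tmp" X11Forwarding yes)"
echo "built-in default no, stock file:  $(effective_keyword "$tmp" X11Forwarding no)"
sample_hardened > "$tmp"
echo "explicit no in file:              $(effective_keyword "$tmp" X11Forwarding yes)"
rm -f "$tmp"
```

On a live host with a current OpenSSH, `sshd -T` prints the server's effective configuration and `ssh -G hostname` does the same for the client side (ssh_config).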