Robert Watson writes:
> [...]
> If you search back a few years in the bugtraq archives, you'll see that
> one suggestion for dealing with this, and still allowing X11 forwarding
> from untrusted clients, is to use the Xnest server, limiting access by the
> ssh client to that DISPLAY. [...]

This is one possibility but you have to understand how X11 works and
probably also enable and configure the X11 security extension. You may
want to have a look at /usr/X11R6/lib/X11/xserver/SecurityPolicy (or
similar path).

Another possibility is to use an X11 connection proxy with filtering
capabilities like the one I wrote, see:

http://home.cern.ch/~cons/mxconns

With mxconns, you can detect a great number of "hostile" X11 requests
before they reach your X server. I use it daily to filter what comes
out of the SSH X11 proxies that I use...
________________________________________________________
Lionel Cons http://home.cern.ch/~cons
CERN http://www.cern.ch
Instruction Booklet Governing Principle:
Instruction booklets are lost by the Goods Delivery Service. If not,
they are listed in four languages: Japanese, Thai, Swahili and Moghol.
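
Added example (not part of the original message, and not code from mxconns): the kind of request filtering described above, shown as a Python scan of a client-to-server X11 byte stream that flags selected core-protocol requests before they would be relayed to the X server. The set of flagged opcodes, the function names and the sample stream are assumptions of this example.

```python
import struct

# Core-protocol major opcodes flagged for an untrusted client. Which requests
# count as "hostile" is this example's assumption, not mxconns' rule set.
SUSPICIOUS = {
    25: "SendEvent",              # injects synthetic events into other clients
    26: "GrabPointer",
    31: "GrabKeyboard",           # redirects keystrokes to the grabbing client
    44: "QueryKeymap",            # polls which keys are currently down
    73: "GetImage",               # reads back window or screen contents
    100: "ChangeKeyboardMapping",
    109: "ChangeHosts",           # edits the host-based access list
    111: "SetAccessControl",
}

def pad4(n):
    """Round n up to the 4-byte boundary X11 uses for variable-length fields."""
    return (n + 3) & ~3

def scan_client_stream(data):
    """Return [(offset, opcode, name)] for flagged requests in a client-to-server stream."""
    if len(data) < 12 or data[:1] not in (b"l", b"B"):
        raise ValueError("stream does not start with an X11 connection setup")
    order = "<" if data[:1] == b"l" else ">"
    name_len, auth_len = struct.unpack(order + "HH", data[6:10])
    pos = 12 + pad4(name_len) + pad4(auth_len)   # skip setup and auth data
    hits = []
    while pos + 4 <= len(data):
        opcode, _detail, units = struct.unpack(order + "BBH", data[pos:pos + 4])
        if units == 0:
            # Zero length is only valid with BIG-REQUESTS; fail closed here.
            raise ValueError("zero-length request at offset %d" % pos)
        if opcode in SUSPICIOUS:
            hits.append((pos, opcode, SUSPICIOUS[opcode]))
        pos += units * 4                          # length is in 4-byte units
    return hits

# Constructed sample: setup with a dummy all-zero cookie, then three requests.
SAMPLE = (
    b"l\x00" + struct.pack("<HHHHH", 11, 0, 18, 16, 0)
    + b"MIT-MAGIC-COOKIE-1\x00\x00" + bytes(16)
    + struct.pack("<BBH", 43, 0, 1)                          # GetInputFocus
    + struct.pack("<BBHIIBBH", 31, 0, 4, 0x2A, 0, 1, 1, 0)   # GrabKeyboard
    + struct.pack("<BBHIhhHHI", 73, 2, 5, 0x2A, 0, 0, 640, 480, 0xFFFFFFFF)  # GetImage
)

if __name__ == "__main__":
    for offset, opcode, name in scan_client_stream(SAMPLE):
        print("offset %d: opcode %d (%s)" % (offset, opcode, name))
```

Extension requests (major opcode 128 and above) are not inspected here; a real filter would also have to decide how to treat them.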