By default, all of the X traffic is tunneled through the ssh connection.

ssh will connect to the X server on a standard 600x range port, but it
should be doing it on the loopback interface (127.0.0.1).

But, the X server is probably still listening on the public interface
(usually something like 192.168.0.x).

The X traffic should still be secure, that is, nobody can sniff the wire
and see anything useful.
But, I suppose it's still a vulnerability that the X server is listening
and probably accepting connections on the public interface.

It should be possible to tell the X server that is running on the thin
client to ONLY listen on the loopback interface, but I've been out of the
game too long to remember how to do that, and whether it would break
anything else.

Jim McQuillan
j...@ltsp.org



On Wed, Sep 10, 2014 at 3:39 PM, Denis Croombs <de...@croombs.org> wrote:

> Hi, we have some lisp servers and pc's pxe booting as thin long-running
> all apps on the ltsp server, but when we do a vulnerability scan it tells
> us that it is finding an x server on each pxe booted device iPhone using
> port 6007/tcp.
> I believed this connection between the pc and the server was over ssh and
> therefore secure.
> Anyone got any clue what we have done wrong?
>
> Regards
> Denis
>
> _____________________________________________________________________
> Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
>       https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
> For additional LTSP help,   try #ltsp channel on irc.freenode.net
>
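
A way to confirm on a thin client what the scan reported, as an added example that is not part of the original thread: the function below reads `ss -ltn` output and reports X11 TCP listeners bound to anything other than loopback. The port range 6000-6063, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag X11 TCP listeners that are not bound to loopback.
# Input: output of `ss -ltn` on stdin. Port range 6000-6063 is an assumption
# (6000 + display number, as in the 6007/tcp finding from the scan).

x11_exposed() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        # Split "addr:port" at the last colon (handles [::]:6007 and *:6007).
        n = match(local_addr, /:[0-9]+$/)
        if (n == 0) next
        addr = substr(local_addr, 1, n - 1)
        port = substr(local_addr, n + 1) + 0
        if (port < 6000 || port > 6063) next
        gsub(/\[|\]/, "", addr)          # strip IPv6 brackets
        # Loopback listeners (127.0.0.0/8, ::1) are what ssh forwarding needs.
        if (addr ~ /^127\./ || addr == "::1") next
        printf "display :%d exposed on %s port %d\n", port - 6000, addr, port
    }'
}

# Constructed sample of `ss -ltn` output from a hypothetical thin client.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6007        0.0.0.0:*
LISTEN 0      128    [::]:6007           [::]:*
LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*
EOF
}

sample_ss_output | x11_exposed
```

On a live client, run `ss -ltn | x11_exposed`; no output means no X11 listener is reachable from the network.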