[NMLUG] ssh X forwarding

Aaron Birenboim nmlug@swcp.com
Wed, 07 Nov 2001 12:13:35 -0700


James Hamilton wrote:

> How is placing a redhat 5.0 box inside your network related to X forwarding...

Here's my scenario...

They set up a forward in their firewall so that I could ssh (with X
forwarding)
to their Tru64 machine.

They need to move the sshd to a new LINUX server.
So, they changed the forward over to that machine.

I just had them enable X forwarding on the new LINUX machine.

Remaining problem:  There is no ssh CLIENT on the LINUX machine (yet).
I tried sending X from the old Tru64 machine to linuxMachine:10, but
it failed.  My guess is that it has to do with ssh port-forwarding
working only on loobpack by default.

My guess is that the above arrangement is insecure because
keystrokes can be snooped from the X data stream from
linux-->tru64, and passwords can be taken.
I don't want that.
So...  I have requested an ssh client on the LINUX machine.
I'm hoping that ssh X-forwarding will daiisy chain.
The forwarded port (i hope) will go over loopback on the 
LINUX box.

That part I miss is...  whats insecure about tunneling X
over ssh?  Seems to me like a hacker would need to root
the machine handling the encrypted X connetion to get anything.
And frankly, we are already toast if he has done that.
I think its sufficient just to make sure that passwords
aren't flying over ethernet, snoopable.
Our data is not sensitive.  I don't even care if y'all
snoop every little thing I do... except for the passwords.

However, I would like to be aware of any OpenSSH-X-tunnel security
problems.  We need to protect those passwords!
-- 
Aaron Birenboim | Black holes are where G-d divided
Albuquerque, NM |      by zero.
aaron@boim.com  |
boim.com/~aaron |                      -Steven Wright
------------------------------------------------------
To UNSUBSCRIBE send a message to nmlug-request@swcp.com
with only the word unsubscribe in the body.  More
information can be found at www.nmlug.org/info.html
-----------------------------------------------------