On Fri, Mar 11, 2016 at 4:41 AM, Dag-Erling Smørgrav <des@xxxxxx> wrote:
> Nico Kadel-Garcia <nkadel@xxxxxxxxx> writes:
>> I'm just trying to figure out under what normal circumstances a
>> connection with X11 forwarding enabled wouldn't be owned by a user who
>> already has normal system privileges for ssh, sftp, and scp access.
>
> Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
> X11Forwarding enabled by default.
>
> DES

I'm not sure I see your point. The client connection is still associated with a specific client user and, in most situations, their normal SSH, scp, and sftp client privileges.

I can see where, for a ForceCommand-limited connection, it provides a way to break out of the ForceCommand limitations. I could see, for such a configuration, setting the sshd_config or authorized_keys options to set XauthLocation to /dev/null as well as disabling AllowTCPForwarding, AllowAgentForwarding, AcceptEnv, etc.

Using ForceCommand securely can be tricky: this sounds like another reason to be very cautious, and especially not to rely on it for restricting connections for X-based applications.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
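As an added example (written for this page, not code from the thread or from the OpenSSH project), here is a small audit script for the configuration pattern discussed above: it parses an sshd_config, finds every scope that sets ForceCommand, and reports which of X11Forwarding, AllowTcpForwarding and AllowAgentForwarding are still effectively enabled there, taking into account that a Match block inherits whatever the global section (or a distribution default) left open. The sample configuration, the user names and the ForceCommand targets are constructed for the example.

```python
"""Audit an sshd_config for ForceCommand scopes that leave forwarding open.

Model of sshd semantics used here (matches the sshd_config(5) rules):
  - keywords are case-insensitive;
  - within one scope, the first occurrence of a keyword wins;
  - a keyword set inside a Match block overrides the global value for
    connections that match, otherwise the global value applies.
"""
import re

# Companion options a confined ForceCommand session is expected to disable.
# (Assumption for this example: "no" is the safe value for each.)
REQUIRED = {
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
    "allowagentforwarding": "no",
}


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, block_settings), ...])."""
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(key, value)   # first occurrence in a scope wins
    return global_settings, blocks


def effective(global_settings, block_settings, key):
    """Effective value for a matched connection, or None if never set."""
    return block_settings.get(key, global_settings.get(key))


def audit(text):
    """Return findings as (scope, keyword, effective_value) tuples.

    A value of None means the keyword is not set anywhere, so sshd's
    compiled-in or distribution default applies; since the thread notes
    that some distributions ship X11Forwarding enabled, absence is
    reported rather than trusted.
    """
    g, blocks = parse_sshd_config(text)
    scopes = []
    if "forcecommand" in g:
        scopes.append(("global", g))
    scopes += [(f"Match {crit}", b) for crit, b in blocks if "forcecommand" in b]
    findings = []
    for name, settings in scopes:
        for key, safe in REQUIRED.items():
            val = effective(g, settings, key)
            if val is None or val.lower() != safe:
                findings.append((name, key, val))
    return findings


# Constructed sample: one Match block forgets the companion options,
# the other sets them explicitly.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
X11Forwarding yes            # the distribution default the thread is about
AllowTcpForwarding yes

Match User sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    # nothing overridden here: inherits X11Forwarding yes from above

Match User restricted
    ForceCommand /usr/local/bin/restricted-shell
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
"""

if __name__ == "__main__":
    for scope, key, val in audit(SAMPLE_SSHD_CONFIG):
        print(f"{scope}: {key} is {val!r}, expected 'no'")
```

Run against the sample, the script flags only the `sftponly` block (X11Forwarding and AllowTcpForwarding inherited as `yes`, AllowAgentForwarding never set); the `restricted` block passes. The same parse could be pointed at the output of `sshd -T` instead of the file, which is the more reliable source because it shows defaults after sshd has resolved them.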