Bug 1926

Summary: use Xephyr for "secure" X-forwarding
Product: Portable OpenSSH Reporter: Christoph Anton Mitterer <calestyo>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement CC: djm, pcerny
Priority: P2    
Version: 5.8p1   
Hardware: All   
OS: All   

Description Christoph Anton Mitterer 2011-08-14 05:05:16 AEST 
Hi.

I'm not sure whether I really understood the details of Xephyr and how it interacts with the host X server correctly, but to me it seems that this runs as a separate X server, not having access to anything of the host X server.

X11Forwarding is considered insecure, cause a malicious remote host could tamper with the client's host X server, right?
Therefore I basically never use it.


Why not adding a new feature that does about the following (let's call it -SX for the moment).

If the user does something like ssh -SX remote.host, X-forwarind is (completely secured via SSH tunnels) enabled and DISPLAY is set, but not to the client's host X server, but to a freshly invoked Xephyr instance started by ssh.

As far as I understand - but experts should probably confirm this - one would then have a separate Window (from Xephyr) and only the contents/X server of THIS very window can be attacked by the remote host.
But this shouldn't be a great deal as it's anyway only the remote host's stuff that runs in there.
Perhaps one could even add some functionally to Xephyr that marks such a window with big fat red borders (or whatever) to hint the user that this is untrusted and that he shouldn't enter his password there ;).

Of course it must be secured, that the Xephys server and the tunnels are killed once the connection is closed (but I guess this would work more or less of out the box anyway).

Of course, for every connection, new Xephyr servers would have to be started, otherwise, different remote hosts could attack the contents of each other[1].


Features one could think of:
- an ssh_config option to specifiy the parameters to Xephyr. So one could e.g. per host, set how big the Xephyr windows should be.
- an option to minimise the Xephyr window in the beginning (would sound useful to me, especially if one does a plain ssh login, and not starting a command).
- an option that different ssh connections to the __same__ host/address-literal are allowed to use the same Xephyr server (in contrast to [1]).

Not sure whether it's technically possible to add functionality that the Xephyr server is started only on demand, e.g. when the first remote program tries to open a connection.
If so that would be very nice, but in this case it would REALLY be important to prevent focus/input stealing by suddenly started Xephyr windows (while e.g. the user just enters a password on the safe host X server). Not sure whether starting the Xephyr window minimised is enough protection here.


Cheers,
Chris.
Comment 1 Damien Miller 2011-12-02 11:39:04 AEDT 
That's a nice idea - the security extension stuff in X11 that we support has never worked well with applications that people actually use. 

Unfortunately, xephyr isn't widely deployed beyond Linux so we can't count on it being there. Perhaps we could ship some scripts in contrib/ that simplify the use of xephyr with ssh for now?
Comment 2 Christoph Anton Mitterer 2011-12-03 11:04:44 AEDT 
Yeah,.. I think it would be great... though, I don't yet know, whether Xephyr is "break-out-secure".


What do you mean with "beyond Linux".
It's part of xorg as far as I can see, so in principle every major UNIX/Linux should ship it (are there still people using Xfree86?!).

With respect to Windows/MAC/other systems:
These don't have any X [forwarding] support out-of-the box,... so they don't support the whole thing anyway.

So IMHO this wouldn't be a problem.


And I guess it would be much more useful, if this was integrated in ssh itself,.. and controllable via config options, e.g. that one can disable "normal" X11 forwarding completely while allowing the "secure" Xephyr forwarding.

Cheers,
Chris.
Comment 3 Christoph Anton Mitterer 2012-09-19 05:26:10 AEST 
I posted a message[0] on xorg-devel, asking for advise whether the idea is actually sane, in a sense whether Xephyr is expected to confine X-forwardning or whether breaking out is easily possible.


[0] http://lists.x.org/archives/xorg-devel/2012-September/033643.html
Comment 4 Christoph Anton Mitterer 2022-05-16 02:35:46 AEST 
From my side we can close this.

I'd guess that any way that can be used to compromise the normal X, would also be usable to compromise Xephyr.

Plus, X is anyway on it's way out.
Comment 5 Damien Miller 2023-03-17 13:38:08 AEDT 
OpenSSH 9.3 has been released. Close resolved bugs