COMMAND

    ssh

SYSTEMS AFFECTED

    OpenSSH (OpenBSD)

PROBLEM

    Brian Caswell found the following.  The default SSH configuration
    for SSH1 and SSH2 allows remote control of X sessions through X
    forwarding.  All children of the SSH connection are able to tunnel
    X11 sessions through the X tunnel to the client X11 session.  This
    is accomplished by running xauth upon logging in.

    Suppose xauth is replaced on the server by a malicious program
    that does both of the following:
    - runs xauth, adding in the "correct" information, allowing the
      children of the session to tunnel X11 programs through the SSH
      session
    - runs xauth, adding in the "malicious" information, allowing a
      malicious source to tunnel X11 programs through the SSH session.

    With the added data in  .Xauthority, a malicious source can  fully
    control the client  X session.   The malicious source  can then do
    most anything to the X  session, from logging keystrokes of  the X
    session, to taking screen captures, to typing in commands to  open
    terminals.

    The only thing required for the client system to be compromised
    is for the client to log in remotely via ssh (with X11 forwarding
    enabled) to a compromised server.  X forwarding seems to be turned
    on by default in SSH1, SSH2, and OpenSSH.

SOLUTION

    To fix this "issue", add the following lines to the SSH client
    configuration ($HOME/.ssh/config or ssh_config):

        Host *
          ForwardX11 no
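
    The following check is an added example, not part of the original
    advisory: ssh uses the first value it obtains for each keyword, so
    a "Host *" block only disables forwarding for hosts that no earlier
    block has already set to "yes".  The sample config, the host names
    and the fallback default of "no" are assumptions; Match and Include
    directives are not handled.

```python
import fnmatch

# Constructed sample client config (not from the advisory): per-host blocks
# re-enable X11 forwarding ahead of the "Host *" fix.
SAMPLE_CONFIG = """\
Host build.example.org
  ForwardX11 yes

Host *.lab.example.org !gw.lab.example.org
  ForwardX11=yes

Host *
  ForwardX11 no
"""

def host_matches(patterns, hostname):
    """A Host line matches if a positive pattern matches and no '!' pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False  # a negated match cancels the whole Host line
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_forward_x11(config_text, hostname, default="no"):
    """Return the ForwardX11 value that applies to hostname.

    The first value obtained wins, so the result depends on block order.
    `default` is an assumption used when no block sets the keyword.
    """
    active = True  # lines before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "keyword value" and "keyword=value" are both accepted
        parts = line.replace("=", " ", 1).split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            active = host_matches(args, hostname)
        elif keyword == "forwardx11" and active and args:
            return args[0].lower()
    return default
```

    Placing the "Host *" block at the top of the file, or removing the
    per-host "yes" entries, makes the fix apply to every host.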

    Discussions of security  flaws within X11  have been going  on for
    years.  The  "issue" in SSH  X11 forwarding is  not new.   SSH has
    added to the security of X11, but by no means does the use of  SSH
    secure X11.