Bug 1318305 - Disable X11Forwarding in openssh
Summary: Disable X11Forwarding in openssh
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-16 13:25 UTC by Josh Bressers
Modified: 2016-03-21 16:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-21 16:12:53 UTC
Target Upstream Version:



Description Josh Bressers 2016-03-16 13:25:15 UTC
Bug 1316829 describes an issue with X11Forwarding in sshd. We enable this by default. Upstream does not.

We should consider disabling this by default to reduce our attack surface.

Comment 2 Tomas Mraz 2016-03-16 14:04:22 UTC
That would get us a huge backlash - and we definitely cannot do this change on already installed systems.

And the X forwarding does not really increase the attack surface in normal use cases because it happens in the user process. It matters only in case the forced command feature is in effect.

Comment 6 Josh Bressers 2016-03-21 16:12:53 UTC
Given the conversations and feedback, we will not be considering changing this default.
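
Comment 2 ties the exposure to the forced command feature. As an added example (not part of this bug report or of OpenSSH), the Python sketch below lists `authorized_keys` entries that carry `command=` yet would still be permitted X11 forwarding while the global `X11Forwarding` is `yes`. The function names and sample data are constructed for illustration, and `Match` blocks in `sshd_config` are assumed absent and not evaluated.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")   # line starts with a key type: no options
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="(?:\\.|[^"\\])*"|=[^\s,"]*)?(,|\s)')
X11_OPTS = ("restrict", "no-x11-forwarding", "x11-forwarding")  # restrict: OpenSSH 7.2+

def global_x11_forwarding(config):
    """X11Forwarding in the global section of sshd_config (first occurrence wins)."""
    for raw in config.splitlines():
        words = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        if words[0].lower() == "match":       # assumption: Match blocks are not evaluated
            break
        if words[0].lower() == "x11forwarding" and len(words) > 1:
            return words[1].strip().lower() == "yes"
    return False                              # upstream default when the keyword is absent

def key_options(line):
    """Option names, lowercased and in order, from one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return []
    names, pos = [], 0
    while (m := OPTION.match(line, pos)):
        names.append(m.group(1).lower())
        pos = m.end()
        if m.group(2) != ",":                 # whitespace ends the options field
            break
    return names

def audit(config, authorized_keys):
    """Line numbers of forced-command keys that may still request X11 forwarding."""
    if not global_x11_forwarding(config):
        return []
    hits = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        names = key_options(line)
        relevant = [o for o in names if o in X11_OPTS]   # the last one listed decides
        if "command" in names and (not relevant or relevant[-1] == "x11-forwarding"):
            hits.append(n)
    return hits

# Constructed sample input; the key material is a placeholder, not a real key.
SAMPLE_CONFIG = "Port 22\nX11Forwarding yes\n"
SAMPLE_KEYS = '''ssh-ed25519 AAAAPLACEHOLDER alice@example
command="/usr/local/bin/backup.sh" ssh-ed25519 AAAAPLACEHOLDER backup@example
command="rsync --server, -a .",no-X11-forwarding ssh-ed25519 AAAAPLACEHOLDER sync@example
restrict,command="/usr/bin/uptime" ssh-ed25519 AAAAPLACEHOLDER mon@example
restrict,X11-forwarding,command="xterm" ssh-rsa AAAAPLACEHOLDER gui@example'''
```

With the sample input, `audit(SAMPLE_CONFIG, SAMPLE_KEYS)` flags lines 2 and 5: the first has a forced command with no X11 restriction, the second re-enables forwarding after `restrict`.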

