Urgent - Potential security hole.
Michal Jaegermann
michal at harddata.com
Sat Oct 30 17:06:13 UTC 2004
On Sat, Oct 30, 2004 at 10:54:35AM -0500, Satish Balay wrote:
>
> If you ssh into FC3 (from a different machine with older ssh) - you
> can run firefox. If you ssh from FC3 into any other machine - you
> need 'ssh -y' for it to work.
Actually this is '-Y' and not '-y' and this makes a difference. :-)
There is another problem, though. 'man ssh' says:

    X11 and TCP forwarding
    If the ForwardX11 variable is set to "yes" (or see the description of the
    -X and -x options described later) and the user is using X11 (the DISPLAY
    environment variable is set), the connection to the X11 display is
    automatically forwarded to the remote side in such a way that any X11
    programs started from the shell (or command) will go through the encrypted
    channel, and the connection to the real X server will be made from the
    local machine.

and not a peep about some '-Y'. It is true that in some other places
you can find some mentions of "trusted", but what "trusted" may
be is never really explained.
I guess that this is bugzilla material. I will try to check if
it is already there.
Michal