| version 1.12, 2002/09/04 18:52:42 |
version 1.13, 2002/09/16 20:12:11 |
|
|
| The default is 10. |
The default is 10. |
| .It Cm X11Forwarding |
.It Cm X11Forwarding |
| Specifies whether X11 forwarding is permitted. |
Specifies whether X11 forwarding is permitted. |
| |
The argument must be |
| |
.Dq yes |
| |
or |
| |
.Dq no . |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| Note that disabling X11 forwarding does not improve security in any |
.Pp |
| way, as users can always install their own forwarders. |
When X11 forwarding is enabled, there may be additional exposure to |
| |
the server and to client displays if the |
| |
.Nm sshd |
| |
proxy display is configured to listen on the wildcard address (see |
| |
.Cm X11UseLocalhost |
| |
below), however this is not the default. |
| |
Additionally, the authentication spoofing and authentication data |
| |
verification and substitution occur on the client side. |
| |
The security risk of using X11 forwarding is that the client's X11 |
| |
display server may be exposed to attack when the ssh client requests |
| |
forwarding (see the warnings for |
| |
.Cm ForwardX11 |
| |
in |
| |
.Xr ssh_config 5 ). |
| |
A system administrator may have a stance in which they want to |
| |
protect clients that may expose themselves to attack by unwittingly |
| |
requesting X11 forwarding, which can warrant a |
| |
.Dq no |
| |
setting. |
| |
.Pp |
| |
Note that disabling X11 forwarding does not prevent users from |
| |
forwarding X11 traffic, as users can always install their own forwarders. |
| X11 forwarding is automatically disabled if |
X11 forwarding is automatically disabled if |
| .Cm UseLogin |
.Cm UseLogin |
| is enabled. |
is enabled. |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh