%!PS-Adobe-2.0 %%Creator: dvipsk 5.58f Copyright 1986, 1994 Radical Eye Software %%Title: ssh-x11.dvi %%Pages: 9 %%PageOrder: Ascend %%BoundingBox: 0 0 596 842 %%DocumentPaperSizes: A4 %%EndComments %DVIPSCommandLine: dvips ssh-x11.dvi %DVIPSParameters: dpi=600, comments removed %DVIPSSource: TeX output 1997.09.30:2201 %%BeginProcSet: tex.pro /TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N /X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72 mul N /landplus90{false}def /@rigin{isls{[0 landplus90{1 -1}{-1 1} ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale isls{landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div hsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul TR[matrix currentmatrix{dup dup round sub abs 0.00001 lt{round}if} forall round exch round exch]setmatrix}N /@landscape{/isls true N}B /@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{ /nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array /BitMaps X /BuildChar{CharBuilder}N /Encoding IE N end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{ /sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0] N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{ 128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 sub]{ch-image}imagemask restore}B /D{/cc X dup type /stringtype ne{]} if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N}B /I{ cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin 0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul add .99 lt{/QV}{/RV}ifelse load def pop pop}N /eop{SI restore userdict /eop-hook known{eop-hook}if showpage}N /@start{userdict /start-hook known{start-hook}if pop /VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for 65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0 0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V {}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7 getinterval dup(Display)eq exch 0 4 getinterval(NeXT)eq or}{pop false} ifelse}{false}ifelse end{{gsave TR -.1 .1 TR 1 1 scale rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1 .1 TR rulex ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /QV{gsave newpath transform round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail {dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M} B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{ 4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{ p 1 w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{/SS save N}B /eos{SS restore}B end %%EndProcSet %%BeginProcSet: special.pro TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N /vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeen false N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B /@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunit div /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{ /CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{ 10 div /rwi X /rwiSeen true N}B /@rhi{10 div /rhi X /rhiSeen true N}B /@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscale true def end /@MacSetUp{userdict /md known{userdict /md get type /dicttype eq{userdict begin md length 10 add md maxlength ge{/md md dup length 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{} N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpath clippath mark{transform{itransform moveto}}{transform{itransform lineto} }{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{ itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{ closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 39 0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N /txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 -1 scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR pop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr 0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add 2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp {pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72 div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray} N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdict maxlength dict begin /magscale true def normalscale currentpoint TR /psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts /psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx psf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy scale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR /showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{ psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2 roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpath moveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{SDict begin /SpecialSave save N gsave normalscale currentpoint TR @SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial {CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto closepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llx sub div rhiSeen{rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR }{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelse CLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx ury lineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath }N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{ end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin} N /@fedspecial{end}B /li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{ /SaveX currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveX SaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X /startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xrad yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end %%EndProcSet TeXDict begin 39158280 55380996 1000 600 600 (ssh-x11.dvi) @start /Fa 62 122 df12 D40 DI44 DII48 DII IIIIIIII65 DIII IIIII75 DIIIII82 DIIIIIII97 DIIIIIIII107 DIIIII114 DIII119 DII E /Fb 18 122 df48 DII58 D65 D72 D79 D83 D97 D99 DII105 D108 D110 D112 D115 D121 D E /Fc 31 123 df33 D46 D49 DIIIII65 D67 D73 D77 D83 DI97 D99 DII104 DI107 DIIII114 D IIII122 D E /Fd 75 127 df35 DI39 DII44 DIIIIIIIIIIIIII61 DI64 DIIIIIII73 DIIIIIII82 DIIIIIII 92 D97 DIIIIIIIIIIIIIIIIIIIIIIIII124 D126 D E /Fe 29 122 df46 DI49 D58 D68 D79 D88 D97 D99 DIIIIII107 DIIIIIIII II119 DII E /Ff 62 125 df11 DII39 DII44 DII49 DI52 DIII57 D65 DIII70 DIII75 DI78 DII82 DII87 DI90 DI93 D97 DIIIIIIII107 DIIIIIIIIIII III124 D E /Fg 10 58 df48 DIIIIIIIII E /Fh 10 58 df48 DIIIIIIIII E /Fi 16 124 df46 D65 D67 D85 D97 D101 D104 DI107 DI110 D114 D116 DI120 D123 D E /Fj 25 119 df46 D49 DI54 D65 D67 D69 DI73 D78 D82 DIII97 D 100 DI104 DI109 DI114 DII118 D E /Fk 82 124 df11 DII I34 D38 DIII44 DIIIIIIIIIIIIIII61 D 65 DIIIIIIIIIIIIIIII IIIIIIIIIIII97 DIIIIIIIIIIIIIIIIIIIIIIIIII E /Fl 39 122 df14 D49 DIIII III65 D67 DI73 D77 D82 DII88 D 97 DIIIIIIII107 DIIII114 DIIIII121 D E /Fm 20 120 df46 D64 D70 D85 D97 DI IIIIIII108 D110 D114 DIII119 D E /Fn 30 122 df44 D48 DI51 D55 D57 D66 D70 D83 DII97 DII101 DIIII108 DIIII114 DIII119 D121 D E /Fo 18 120 df49 D72 DI83 DI 88 D97 DI III104 DI110 DI114 D116 D119 D E end %%EndProlog %%BeginSetup %%Feature: *Resolution 600dpi TeXDict begin %%PaperSize: A4 %%EndSetup %%Page: 1 1 1 0 bop 764 797 a Fo(The)44 b(In)l(teraction)h(b)t(et)l(w)l(een)f(SSH)h (and)e(X11)919 980 y Fn(Though)m(ts)34 b(on)f(the)g(Securit)m(y)g(of)f (the)h(Secure)h(Shell)1603 1220 y(Ulric)m(h)e(Flegel)1151 1337 y Fm(Ulrich.Flegel@braunschweig.nets)q(urf.)q(de)1138 1532 y Fn(Braunsc)m(h)m(w)m(eig,)j(Septem)m(b)s(er)e(30,)f(1997)0 1842 y Fl(Abstract)83 2035 y Fk(The)26 b(Secure)g(Shell)g(SSH)g(is)g(a) g(widely)g(adopted)f(mec)n(h-)0 2135 y(anism)i(for)g(starting)f(remote) g(shell)i(sessions)d(in)j(a)f(secure)0 2234 y(manner.)92 b(Unfortunately)46 b(the)h(in)n(teraction)e(b)r(et)n(w)n(een)0 2334 y(SSH)24 b(and)f(the)h(X11)f(windo)n(w)g(system)g(implies)h(the)g (p)r(ossi-)0 2434 y(bilit)n(y)f(for)f(illegitimate)h(remote)f(con)n (trol)f(of)i(the)g(X)g(serv)n(er)0 2533 y(of)c(the)h(mac)n(hine)f(on)f (whic)n(h)i(the)f(SSH)h(session)e(originated.)0 2633 y(This)i(pap)r(er)g(in)n(tro)r(duces)f(the)i(mec)n(hanisms)e(used)h(b)n (y)g(SSH)0 2733 y(to)27 b(in)n(teract)g(with)g(X11)g(and)g(sho)n(ws)f (wh)n(y)h(this)h(approac)n(h)0 2832 y(ma)n(y)i(lead)g(to)h(w)n(eak)f (securit)n(y)-7 b(.)45 b(F)-7 b(urthermore)30 b(measures)0 2932 y(are)d(suggested)f(to)i(o)n(v)n(ercome)d(the)j(situation.)0 3227 y Fl(1)135 b(In)l(tro)t(duction)0 3417 y Fk(No)n(w)n(ada)n(ys)42 b(the)k(\(in\)securit)n(y)e(of)h(net)n(w)n(ork)n(ed)e(systems)0 3516 y(is)49 b(quite)h(a)f(p)r(opular)g(topic.)103 b(The)49 b(IETF)g(\()p Fj(I)p Fk(n)n(ternet)0 3616 y Fj(E)p Fk(ngineering)22 b Fj(T)p Fk(ask)h Fj(F)p Fk(orce\))f(is)h(striving)f(to)n(w)n(ard)g (generic)0 3715 y(solutions)d(for)g(secure)g(in)n(ternet)n(w)n(orking)f (at)h(di\013eren)n(t)h(la)n(y-)0 3815 y(ers)25 b(of)i(the)f(net)n(w)n (orking)f(arc)n(hitecture's)g(proto)r(col)g(stac)n(k.)0 3915 y(One)31 b(of)g(the)g(prop)r(osed)f(standards)g(called)h(IPSEC)f (sup-)0 4014 y(plies)h(applications)f(with)h(securit)n(y)f(services)f (lo)r(cated)i(at)0 4114 y(the)e(IP)g(la)n(y)n(er)e([A)n(tk95a)n(,)j(RF) n(C)e(1825].)39 b(Man)n(y)28 b(of)h(the)g(ex-)0 4214 y(isting)24 b(securit)n(y)e(problems)h(can)h(b)r(e)g(solv)n(ed)e(b)n(y) i(the)g(in)n(tro-)0 4313 y(duction)31 b(of)f(IPSEC)g(and)g(the)h(asso)r (ciated)e(new)i(headers)0 4413 y(\(AH)j([A)n(tk95b)o(,)h(RF)n(C)f (1826])d(and)i(ESP)g([A)n(tk95c)o(,)i(RF)n(C)0 4512 y(1827]\).)83 4616 y(While)c(there)g(is)f(a)g(lot)h(of)g(w)n(ork)e(in)i(progress,)e (the)i(In-)0 4716 y(ternet)k(comm)n(unit)n(y)g(has)f(a)h(considerable)f (need)h(for)f(se-)0 4815 y(cure)f(comm)n(unications)f(to)r(da)n(y)-7 b(.)54 b(Sev)n(eral)32 b(securit)n(y)h(pro-)0 4915 y(to)r(cols)21 b(ha)n(v)n(e)g(b)r(een)i(prop)r(osed)e(for)h(di\013eren)n(t)g (applications)0 5015 y(and)35 b(some)f(of)g(them)i(are)d(already)h(in)g (use.)59 b(Some)34 b(v)n(ery)0 5114 y(critical)27 b(applications)f(suc) n(h)h(as)g(remote)g(administration)0 5214 y(and)21 b(main)n(tenance)f (of)i(mac)n(hine)e(p)r(o)r(ols)h(and)g(ev)n(en)f(remote)0 5313 y(w)n(ork)31 b(of)i(sta\013)g(are)f(often)h(implemen)n(ted)g(b)n (y)g(a)f(net)n(w)n(ork)0 5413 y(connection)h(to)h(a)g(remote)f(shell)h (in)n(terpreter.)55 b(In)34 b(most)1918 1842 y(cases,)26 b(a)h Fi(Unix)g Fk(shell)g(is)g(not)g(restricted)g(to)g(supp)r(ort)g (the)1918 1942 y(scop)r(e)33 b(of)g(tasks)f(to)h(b)r(e)h(accomplished)e (but)i(it)g(is)f(a)g(v)n(er-)1918 2041 y(satile)25 b(to)r(ol)g(for)f (using)h(most)g(of)g(the)h(system's)f(resources.)1918 2141 y(The)39 b(higher)f(privileged)g(users)h(with)g(a)g(shell)g(at)g (hand)1918 2240 y(ma)n(y)d(use)h(and)h(manipulate)f(a)g Fi(Unix)g Fk(system)g(at)g(their)1918 2340 y(will.)64 b(In)n(truders)36 b(ha)n(ving)g(p)r(enetrated)h(a)f(system)g(often)1918 2440 y(ha)n(v)n(e)c(metho)r(ds)i(to)f(gain)g(the)h(highest)f (privileges)f(when)1918 2539 y(they)h(can)f(access)g(a)g(shell.)53 b(Therefore)31 b(it)i(is)g(imp)r(ortan)n(t)1918 2639 y(to)27 b(protect)g(shells)h(against)e(unauthorized)h(usage.)2001 2784 y(The)44 b(established)f(proto)r(cols)g(for)g(remote)g(shell)h (us-)1918 2884 y(age)d(are)g(in)n(trinsically)g(insecure)g(\(telnet,)47 b(rlogin,)d(rsh,)1918 2983 y(etc.\))88 b([Cur92)n(,)45 b(FV93)o(,)g(CB94)o(,)f(CZ95)o(,)g(SH95,)g(GS96,)1918 3083 y(Jon95)n(,)38 b(Kla95)n(,)f(dari96)o(].)66 b(Sev)n(eral)36 b(proto)r(col)g(enhance-)1918 3183 y(men)n(ts)26 b(ha)n(v)n(e)e(b)r (een)j(prop)r(osed)e(and)g(standardized)g(in)h(the)1918 3282 y(past)j(but)h(most)f(of)h(them)g(ha)n(v)n(e)e(nev)n(er)g(b)r(een) i(widely)g(ac-)1918 3382 y(cepted)2153 3352 y Fh(1)2228 3382 y Fk([Bor93a)m(,)40 b(RF)n(C)e(1411],)g([Ala93)o(,)i(RF)n(C)d (1412],)1918 3482 y([Bor93b)n(,)k(RF)n(C)d(1416],)g([HM96,)j(RF)n(C)d (1938],)g([Lin96,)1918 3581 y(RF)n(C)f(1964],)h(etc.)65 b(This)37 b(do)r(es)g(not)g(apply)g(to)g(one)f(ap-)1918 3681 y(proac)n(h)e(to)i(secure)f(remote)g(shells,)j(whic)n(h)e(to)r(da) n(y)f(is)g(in)1918 3780 y(use)30 b(at)g(man)n(y)g(sites)g(of)g(small)g (and)g(large)f(organizations)1918 3880 y(\(univ)n(ersities,)22 b(researc)n(h)e(lab)r(oratories,)h(banks,)i(corp)r(ora-)1918 3980 y(tions,)k(companies,)g(etc.)h([Ylo97)o(]\).)2001 4125 y(Sections)h(2)h(and)g(3)f(pro)n(vide)g(a)h(brief)g(o)n(v)n (erview)d(of)j(the)1918 4224 y(Secure)41 b(Shell)h(and)f(the)h(X11)f (authen)n(tication)h(mec)n(ha-)1918 4324 y(nisms.)67 b(Skip)38 b(these)g(sections)f(if)i(y)n(ou)e(are)g(already)f(fa-)1918 4424 y(miliar)23 b(with)h(SSH)h(and)e(X11.)35 b(The)24 b(in)n(teraction)f(b)r(et)n(w)n(een)1918 4523 y(the)34 b(Secure)e(Shell)i(and)f(X11)g(is)g(in)n(tro)r(duced)g(in)h(section) 1918 4623 y(4.)56 b(Section)35 b(5)e(describ)r(es)h(ho)n(w)g(an)g (actual)3297 4593 y Fh(2)3368 4623 y Fk(attac)n(k)f(can)1918 4723 y(b)r(e)d(carried)e(out)i(on)f(that)h(basis,)g(while)g(section)f (6)g(o\013ers)1918 4822 y(recommended)g(coun)n(termeasures)e(against)i (the)h(threat.)1918 4922 y(The)c(pap)r(er)f(concludes)h(with)g(a)g (brief)g(discussion)f(in)h(sec-)1918 5021 y(tion)h(7.)p 1918 5257 734 4 v 2010 5310 a Fg(1)2045 5334 y Ff(The)d(reasons)g(are)f (b)r(ey)n(ond)i(the)g(scop)r(e)g(of)e(this)g(pap)r(er.)2010 5390 y Fg(2)2045 5413 y Ff(The)h(names)f(ha)n(v)n(e)i(b)r(een)f(c)n (hanged)i(to)e(protect)h(the)g(inno)r(cen)n(t.)1856 5662 y Fk(1)p eop %%Page: 2 2 2 1 bop 0 531 a Fl(2)135 b(The)44 b(Secure)h(Shell)0 713 y Fk(The)25 b(SSH)322 683 y Fh(3)384 713 y Fk(\()p Fj(S)p Fk(ecure)f Fj(Sh)p Fk(ell\))h(b)n(y)g(T)-7 b(atu)24 b(Ylonen)h(promises)0 813 y(to)53 b(implemen)n(t)g(remote)f(shell)h (usage,)k(remote)c(com-)0 912 y(mand)39 b(execution)g(and)g(remote)g (\014le)g(cop)n(ying)f(in)i(a)e(se-)0 1012 y(cure)j(manner)g(o)n(v)n (er)e(a)i(secure)g(comm)n(unication)g(c)n(han-)0 1112 y(nel.)56 b(The)34 b(TCP)g(based)f(SSH)h(proto)r(col)f(has)h(b)r(een)g (pro-)0 1211 y(p)r(osed)43 b(for)g(standardization)f(as)h(an)g(RF)n(C) 1421 1181 y Fh(4)1502 1211 y Fk(\()p Fj(R)p Fk(equest)0 1311 y Fj(F)p Fk(or)20 b Fj(C)p Fk(ommen)n(ts\).)35 b(The)20 b(SSH)i(supplies)f(sev)n(eral)e(securit)n(y)0 1411 y(services)34 b(\(authen)n(tication,)k(con\014den)n(tialit)n(y)-7 b(,)37 b(in)n(tegrit)n(y\))0 1510 y(to)22 b(coun)n(ter)f(common)h(securit)n(y) f(threats)h(\(see)g([Ylo97)o(])g(for)0 1610 y(details\).)35 b(When)21 b(prop)r(erly)f(con\014gured)g(SSH)i(carries)d(out)0 1709 y(its)k(tasks)f(completely)h(transparen)n(t)e(to)i(the)h(user,)f (whic)n(h,)0 1809 y(as)c(w)n(e)g(will)g(see)g(later,)h(con)n(tributes)f (to)g(the)h(problems)f(pre-)0 1909 y(sen)n(ted)27 b(in)h(this)g(pap)r (er.)83 2008 y(As)34 b(already)f(stated)h(ab)r(o)n(v)n(e,)g(the)g(SSH)h (is)f(widely)g(ac-)0 2108 y(cepted)25 b(no)n(w)g(as)g(an)f(appropriate) g(mec)n(hanism)h(to)g(secure)0 2208 y(remote)31 b(shell)g(sessions.)46 b(Securit)n(y)31 b(conscious)f(sites)h(for-)0 2307 y(bid)40 b(the)g(tra)n(v)n(ersal)c(of)k(insecure)f(remote)g(shell)g(session)0 2407 y(proto)r(cols)33 b(suc)n(h)h(as)f(telnet,)k(rlogin)c(and)h(X11) 1490 2377 y Fh(5)1527 2407 y Fk(.)56 b(Often,)0 2506 y(though,)27 b(SSH)h(tra\016c)f(is)h(allo)n(w)n(ed)e(to)h(pass)g (organization)0 2606 y(b)r(orders.)36 b(As)27 b(SSH)h(is)f(able)g(to)g (tunnel)h(TCP)f(based)g(pro-)0 2706 y(to)r(cols,)34 b(sp)r (eci\014cally)f(X11,)h(through)e(a)h(secure)g(comm)n(u-)0 2805 y(nication)22 b(c)n(hannel)f(the)i(administration)e(has)h(to)g (consider)0 2905 y(the)28 b(implications)f(when)h(allo)n(wing)e(SSH)i (tra\016c.)83 3005 y(The)d(Secure)f(Shell)h(is)g(not)f(merely)h(an)f (excellen)n(t)g(secu-)0 3104 y(rit)n(y)19 b(mec)n(hanism)h(but)h(also)e (a)g(go)r(o)r(d)h(example)f(ho)n(w)h(secure)0 3204 y(tec)n(hniques)31 b(in)h(com)n(bination)f(with)h(insecure)f(proto)r(cols)0 3303 y(ma)n(y)g(tremendously)g(w)n(eak)n(en)f(the)i(securit)n(y)f(of)g (systems)0 3403 y(and)h(ma)n(y)g(help)h(b)n(ypassing)e(an)h (organizations)e(securit)n(y)0 3503 y(p)r(olicy)-7 b(.)0 3774 y Fl(3)135 b(The)44 b(X11)h(windo)l(w)h(system)0 3956 y Fk(In)41 b(order)f(to)h(understand)f(the)i(securit)n(y)e (problem)g(ex-)0 4056 y(plained)20 b(in)h(section)e(5,)j(kno)n(wledge)d (of)h(the)g(access)f(con)n(trol)0 4156 y(concepts)27 b(of)h(the)g(X11)f(windo)n(w)g(system)g(is)h(required.)83 4255 y(The)38 b(X11)f(windo)n(w)g(system)h([Sc)n(h87)o(,)i(RF)n(C)e (1013])e(is)0 4355 y(able)g(to)f(connect)h(I/O)f(devices)h(suc)n(h)f (as)h(displa)n(y)-7 b(,)37 b(k)n(ey-)0 4454 y(b)r(oard)g(and)g(mouse)g (via)g(a)g(net)n(w)n(ork)f(with)j(application)0 4554 y(programs)d(using)i(them.)71 b(The)38 b(I/O)g(devices)g(are)g(con-)0 4654 y(trolled)30 b(b)n(y)g(the)g(so-called)f(X)i(serv)n(er)d(of)i(the) h(user's)f(con-)0 4753 y(sole.)81 b(The)43 b(user's)e(application)h (programs,)i(called)f(X)0 4853 y(clien)n(ts)29 b(ma)n(y)g(con)n(tact)g (the)h(X)g(serv)n(er)e(in)i(order)e(to)h(pro\014t)0 4953 y(from)36 b(its)h(I/O)e(capabilities.)63 b(The)36 b(X)h(serv)n(er)d (supp)r(orts)p 0 5020 734 4 v 92 5073 a Fg(3)127 5097 y Fe(http://www.cs.hut.fi/ss)q(h)92 5153 y Fg(4)127 5176 y Ff(There)23 b(exist)g(sev)n(eral)f(classes)h(of)f(RF)n(Cs,)g(of)g (whic)n(h)h(one)g(repre-)0 5255 y(sen)n(ts)h(the)h(standards)f(used)g (in)g(the)g(In)n(ternet.)92 5311 y Fg(5)127 5334 y Ff(The)f(X11)f (windo)n(w)h(system)e(can)i(b)r(e)g(used)g(to)f(op)r(erate)i(remote)0 5413 y(shell)c(sessions)g(with)h(help)f(of)g(terminal)g(em)n(ulators)f (suc)n(h)i(as)g Fe(xterm)p Ff(.)1918 531 y Fk(no)j(concept)g(of)g (di\013eren)n(tiated)g(privileges)f(for)h(X)h(clien)n(ts.)1918 631 y(Therefore)31 b(an)h(X)h(clien)n(t)g(whic)n(h)f(has)g(b)r(een)h (gran)n(ted)f(ac-)1918 731 y(cess)19 b(to)h(the)g(X)g(serv)n(er)e(ma)n (y)h(exert)g(a)g(high)h(lev)n(el)f(of)h(con)n(trol)1918 830 y(o)n(v)n(er)31 b(the)j(user's)f(console)f(and)h(th)n(us)g(o)n(v)n (er)f(the)i(system)3716 800 y Fh(6)1918 930 y Fk([CB94)o(,)27 b(CZ95)o(].)2001 1034 y(T)-7 b(o)24 b(prev)n(en)n(t)f(unauthorized)g (use)h(of)g(the)h(X)f(serv)n(er)e(X11)1918 1133 y(o\013ers)29 b(sev)n(eral)e(di\013eren)n(t)j(authen)n(tication)f(mec)n(hanisms.)1918 1233 y(In)21 b(the)g(\014rst)g(place)g(X11)f(supp)r(orts)g(an)h(access) f(con)n(trol)f(list)1918 1333 y(with)g(IP)g(n)n(um)n(b)r(ers)f(of)h (authorized)f(hosts.)33 b(The)19 b(gran)n(ular-)1918 1432 y(it)n(y)27 b(is)h(host)f(related;)h(at)f(this)h(lev)n(el)f(there) h(are)f(no)g(means)1918 1532 y(to)21 b(di\013eren)n(tiate)f(b)r(et)n(w) n(een)h(sev)n(eral)e(users)h(of)h(a)f(host.)35 b(The)1918 1632 y(access)c(con)n(trol)g(list)i(is)g(manageable)e(b)n(y)h(the)h (user)f(with)1918 1731 y(the)c(help)g(of)f(the)h Fd(xhost)e Fk(command.)2001 1835 y(T)-7 b(o)35 b(cop)r(e)h(with)g(this)g(problem)g (the)g(X)g(serv)n(er)e(gran)n(ts)1918 1935 y(access)28 b(to)h(hosts)g(whic)n(h)g(are)f(not)h(in)g(the)h(access)e(con)n(trol) 1918 2034 y(list)37 b(only)f(if)h(they)g(authen)n(ticate.)65 b(X11)36 b(supp)r(orts)g(four)1918 2134 y(pro)r(cedures)27 b(to)i(accomplish)f(this)h(task.)40 b(Unfortunately)1918 2234 y(the)22 b(more)g(secure)f(alternativ)n(es)g(\(Secure)h(RPC)g(and) g(Ker-)1918 2333 y(b)r(eros\))28 b(are)h(often)g(not)g(a)n(v)-5 b(ailable)28 b([CB94)o(,)h(CZ95)o(].)42 b(Both)1918 2433 y(of)49 b(the)g(other)f(alternativ)n(es)g(are)g(based)g(on)h(a)f (plain-)1918 2533 y(text)36 b(exc)n(hange)e(of)h(secrets,)i(whic)n(h,)g (needless)e(to)h(men-)1918 2632 y(tion,)j(is)d(insecure.)63 b(Those)36 b(secrets)g(are)g(stored)f(in)i(the)1918 2732 y Fd(.Xauthority)c Fk(\014le)38 b(in)f(the)h(home)g(directory)e(of)h (the)h(X)1918 2831 y(clien)n(t's)27 b(user.)37 b(Unauthorized)27 b(third)h(parties)f(ma)n(y)g(seize)1918 2931 y(a)22 b(secret)f(from)h (the)h(corresp)r(onding)d(\014le)i(system)g(or)f(while)1918 3031 y(it)j(is)g(transmitted)g(o)n(v)n(er)f(the)h(net)n(w)n(ork.)34 b(Ev)n(eryb)r(o)r(dy)23 b(who)1918 3130 y(gains)j(suc)n(h)g(a)g(secret) g(will)h(b)r(e)h(gran)n(ted)d(access)h(b)n(y)g(the)h(X)1918 3230 y(serv)n(er.)2001 3334 y(F)-7 b(urthermore)36 b(it)i(is)g(w)n (orth)f(p)r(oin)n(ting)g(out,)j(that)e(the)1918 3433 y(access)g(con)n(trol)f(list)i(men)n(tioned)g(ab)r(o)n(v)n(e)f(o)n(v)n (errides)e(the)1918 3533 y(authen)n(tication)27 b(of)h(\014ner)f(gran)n (ularit)n(y)-7 b(.)2001 3637 y(Based)26 b(on)i(these)f(facts)g(securit) n(y)g(conscious)f(adminis-)1918 3737 y(trators)e(decide)i(not)f(to)h (allo)n(w)e(X11)h(sessions)g(to)g(in)n(ternal)1918 3836 y(X)j(serv)n(ers)e(when)j(originated)d(from)i(external)f(X)i(clien)n (ts.)1918 3936 y(The)37 b(denial)g(is)g(often)h(implemen)n(ted)g(via)e (pac)n(k)n(et)h(\014lter)1918 4036 y(rules)27 b(on)g(b)r(order)g (routers.)1918 4333 y Fl(4)135 b(Mediation)44 b(of)f(X11)g(tra\016c)h (via)2120 4482 y(secure)h(c)l(hannels)1918 4672 y Fk(F)-7 b(or)23 b(increased)h(con)n(v)n(enience)f(the)h(c)n(haracter)e(based)i (SSH)1918 4772 y(service)i(can)g(b)r(e)i(supplemen)n(ted)f(with)g(the)h (X11)e(windo)n(w)1918 4872 y(system.)36 b(Graphical)27 b(in)n(terfaces)f(are)g(often)i(preferred)e(to)1918 4971 y(pure)k(c)n(haracter)e(based)i(represen)n(tation.)43 b(This)31 b(ma)n(y)e(b)r(e)1918 5071 y(the)f(reason)e(wh)n(y)i(SSH)h(b) n(y)e(default)i(o\013ers)e(a)g(user)h(trans-)1918 5170 y(paren)n(t)f(mec)n(hanism)g(for)g(tunneling)h(X11)f(tra\016c.)p 1918 5257 V 2010 5311 a Fg(6)2045 5334 y Ff(The)21 b(lev)n(el)h(of)f (con)n(trol)g(o)n(v)n(er)h(the)g(system)f(dep)r(ends)h(on)g(the)g(pri-) 1918 5413 y(vileges)i(of)f(the)i(console's)e(user.)1856 5662 y Fk(2)p eop %%Page: 3 3 3 2 bop 83 531 a Fk(This)28 b(section)g(deliv)n(ers)f(a)g(ra)n(w)g (description)h(ho)n(w)f(SSH)0 631 y(transparen)n(tly)f(mediates)h(X11)g (applications.)0 868 y Fc(4.1)112 b(The)38 b(situation)0 1023 y Fk(When)31 b(a)f(user)f(connects)h(to)g(a)g(remote)g(shell)g (host)g(from)0 1123 y(his)36 b(console)e(b)n(y)h(means)g(of)h(SSH)g (the)g(SSH)g(daemon)f(of)0 1223 y(the)c(remote)f(host)g(will)h(serv)n (e)e(this)i(request.)44 b(While)31 b(the)0 1322 y(SSH)h(clien)n(t)f (program)e Fd(ssh)g Fk(resides)h(on)h(the)g(user's)g(con-)0 1422 y(sole)40 b(the)h(serv)n(er)e(pro)r(cess)h Fd(sshd)f Fk(runs)h(on)g(the)h(remote)0 1521 y(shell)e(host.)73 b(Supp)r(ose)39 b(the)h(user)f(is)g(equipp)r(ed)h(with)g(a)0 1621 y(console)19 b(capable)g(of)h(X11,)h(he)f(ma)n(y)g(wish)g(to)g (run)g(X)g(appli-)0 1721 y(cation)32 b(programs)f(on)i(the)g(already)f (connected)g(remote)0 1820 y(host.)61 b(The)36 b(clien)n(t/serv)n(er)e (terminology)g(for)i(this)g(kind)0 1920 y(of)j(X11)f(application)g(ma)n (y)g(b)r(e)i(confusing)e(at)h(the)g(\014rst)0 2020 y(glance.)66 b(While)39 b(the)f(X)g(clien)n(t)g(programs)d(run)j(on)f(the)0 2119 y(remote)27 b(host,)h(they)g(utilize)h(the)f(X)g(serv)n(er)e(of)i (the)h(user's)0 2219 y(console.)58 b(Th)n(us)35 b(SSH)h(clien)n(t)f (and)g(X)g(serv)n(er)f(share)f(the)0 2318 y(console)26 b(and)i(SSH)g(serv)n(er)d(and)i(X)h(clien)n(ts)g(share)e(the)i(re-)0 2418 y(mote)g(host.)0 2655 y Fc(4.2)112 b(Initialization)0 2810 y Fk(As)24 b(p)r(oin)n(ted)g(out)h(in)f(section)g(3,)g(the)g(t)n (w)n(o)g(predominan)n(tly)0 2910 y(applied)47 b(access)f(con)n(trol)f (mec)n(hanisms)i(are)f(prone)g(to)0 3010 y(ea)n(v)n(esdropping.)31 b(The)19 b(extraction)f(of)h(secrets)f(exc)n(hanged)0 3109 y(in)j(plain)n(text)g(can)f(lead)g(to)h(illegitimate)g(access)e (to)i(the)g(in-)0 3209 y(v)n(olv)n(ed)30 b(X)j(serv)n(er.)47 b(The)32 b(SSH)g(addresses)e(this)i(problem)0 3309 y(b)n(y)g(tunneling) g(X11)f(tra\016c)h(through)f(a)g(secure)g(c)n(hannel)0 3408 y(and)42 b(therefore)g(prev)n(en)n(ts)f(ea)n(v)n(esdropping)f(of)j (or)e(tam-)0 3508 y(p)r(ering)30 b(with)h(access)e(con)n(trol)g (secrets)g(while)i(in)f(transit.)0 3607 y(Note,)c(that)g(this)g (approac)n(h)e(do)r(es)i(not)g(strengthen)f(o)n(v)n(er-)0 3707 y(all)i(X11)g(securit)n(y)-7 b(.)83 3808 y(When)39 b(a)g(SSH)g(clien)n(t)g(connects)g(a)f(SSH)h(serv)n(er)e(the)0 3907 y(clien)n(t)45 b(will)g(determine)h(whether)f(an)f(X11)h(displa)n (y)f(is)0 4007 y(a)n(v)-5 b(ailable)35 b(on)h(the)g(user's)f(console.) 61 b(In)37 b(that)f(case,)h(the)0 4107 y(SSH)d(clien)n(t)f(will)h (extract)f(the)h(corresp)r(onding)d(authen-)0 4206 y(tication)i (material)e(from)i(the)g(lo)r(cal)f Fd(.Xauthority)d Fk(\014le.)0 4306 y(This)22 b(gen)n(uine)g(material)g(will)g(later)g(b) r(e)h(used)f(for)g(authen-)0 4405 y(tication)36 b(with)i(the)f(lo)r (cal)f(X)h(serv)n(er.)62 b(The)37 b(SSH)g(clien)n(t)0 4505 y(then)28 b(generates)d(a)i(random)f(pro)n(xy)g(v)-5 b(alue)27 b(whic)n(h)g(gran)n(ts)0 4605 y(access)38 b(to)h(the)h(lo)r (cal)f(SSH)h(X)f(mediator.)72 b(This)39 b(v)-5 b(alue)0 4704 y(is)33 b(subsequen)n(tly)f(distributed)h(via)f(the)h(secure)f(c)n (hannel)0 4804 y(that)d(connects)g(the)g(SSH)h(clien)n(t)f(to)g(the)g (remote)g(serv)n(er.)0 4904 y(The)i(SSH)g(serv)n(er)e(asso)r(ciates)g (the)i(receiv)n(ed)f(v)-5 b(alue)30 b(with)0 5003 y(an)c(X)g(displa)n (y)g(n)n(um)n(b)r(er)758 4973 y Fh(7)795 5003 y Fk(.)36 b(This)26 b(is)g(done)g(b)n(y)g(placing)f(the)0 5103 y(pro)n(xy)h(authen)n(ticator)g(in)h(the)h(\014le)f Fd(.Xauthority)22 b Fk(of)27 b(the)p 0 5178 734 4 v 92 5232 a Fg(7)127 5255 y Ff(The)40 b(n)n(um)n(b)r(er)e(is)g(determined)i(in)e(ascending)j (order)e(start-)0 5334 y(ing)29 b(with)g(the)h(v)l(alue)f(of)g Fe(X11DisplayOffset)k Ff(de\014ned)d(in)f(the)h(\014le)0 5413 y Fe(/etc/sshd)p 319 5413 22 4 v 28 w(config)p Ff(.)1918 531 y Fk(remote)35 b(accoun)n(t)f(accessed)h(through)f(the)i(SSH)g (serv)n(er.)1918 631 y(The)30 b(en)n(vironmen)n(t)g(v)-5 b(ariable)29 b Fd(DISPLAY)f Fk(is)i(set)h(to)f(direct)1918 731 y(X)36 b(clien)n(t)h(accesses)d(to)i(the)h(displa)n(y)e(newly)h (de\014ned)h(on)1918 830 y(the)28 b(serv)n(er's)d(side.)1918 1062 y Fc(4.3)112 b(Mediation)1918 1215 y Fk(X)24 b(clien)n(t)f (programs)f(when)h(started)g(will)h(fetc)n(h)g(the)g(v)-5 b(alue)1918 1315 y(of)32 b Fd(DISPLAY)e Fk(and)i(connect)g(to)h(the)f (corresp)r(onding)f(dis-)1918 1414 y(pla)n(y)-7 b(.)66 b(The)38 b(displa)n(y)e(in)i(question)f(is)h(pro)n(vided)e(lo)r(cally) 1918 1514 y(on)28 b(the)g(remote)g(host)g(b)n(y)g(means)g(of)g(an)g(X)g (pro)n(xy)f(of)h(the)1918 1614 y(SSH)33 b(serv)n(er.)50 b(When)33 b(connected)f(to)h(the)g(X)g(pro)n(xy)-7 b(,)32 b(the)1918 1713 y(X)j(clien)n(t)f(fetc)n(hes)h(the)f(authen)n(ticator)g (for)g(this)g(displa)n(y)1918 1813 y(n)n(um)n(b)r(er)g(from)g Fd(.Xauthority)29 b Fk(and)34 b(presen)n(ts)g(it)g(to)g(the)1918 1912 y(X)28 b(pro)n(xy)-7 b(.)2001 2012 y(The)33 b(latter)g(sends)g (the)g(authen)n(ticator)f(b)n(y)h(means)g(of)1918 2112 y(a)d(secure)f(c)n(hannel)h(to)g(the)g(SSH)h(clien)n(t)f(residing)f(on) h(the)1918 2211 y(user's)38 b(console)f(whic)n(h)i(in)g(turn)f(decides) h(whether)f(the)1918 2311 y(desired)29 b(access)g(is)h(to)g(b)r(e)h (allo)n(w)n(ed.)43 b(In)31 b(case)e(of)h(p)r(ositiv)n(e)1918 2411 y(authen)n(tication)24 b(the)i(SSH)f(clien)n(t)g(retriev)n(es)f (the)h(gen)n(uine)1918 2510 y(authen)n(tication)h(material)f(whic)n(h)i (the)f(random)g(authen-)1918 2610 y(ticator)f(acts)h(as)g(place)g (holder)g(for.)36 b(The)26 b(access)f(request)1918 2709 y(is)36 b(then)h(directed)f(to)g(and)g(scrutinized)g(b)n(y)g(the)h (real)e(X)1918 2809 y(serv)n(er.)2001 2909 y(If)20 b(access)e(is)i (gran)n(ted,)g(the)g(tra\016c)f(from)h(the)g(X)g(clien)n(t)g(is)1918 3008 y(forw)n(arded)26 b(b)n(y)i(the)h(X)f(pro)n(xy)f(to)h(the)h(SSH)f (clien)n(t)h(whic)n(h)1918 3108 y(in)41 b(turn)f(forw)n(ards)f(it)i(to) f(the)h(X)g(serv)n(er.)74 b(The)40 b(tra\016c)1918 3208 y(generated)25 b(in)i(the)g(opp)r(osite)f(direction)g(passes)f(the)i (SSH)1918 3307 y(clien)n(t,)32 b(then)f(is)g(forw)n(arded)e(to)i(the)g (X)g(pro)n(xy)e(and)i(after)1918 3407 y(that)d(is)f(distributed)h(to)g (the)g(X)g(clien)n(t.)2001 3506 y(The)e(\015o)n(w)g(of)g(authen)n (tication)g(material)f(b)r(et)n(w)n(een)h(dif-)1918 3606 y(feren)n(t)e(system)h(comp)r(onen)n(ts)f(is)h(sho)n(wn)f(b)n(y)g(the)i (solid)e(ar-)1918 3706 y(ro)n(ws)17 b(in)i(\014gure)f(4.3.)34 b(The)19 b(dashed)f(arro)n(w)f(denotes)h(the)i(re-)1918 3805 y(la)n(y)25 b(stations)h(co)n(v)n(ered)e(b)n(y)i(the)g(tra\016c)g (b)r(et)n(w)n(een)g(X)h(clien)n(t)1918 3905 y(and)g(X)h(serv)n(er.)1918 4179 y Fl(5)135 b(The)44 b(w)l(eak)i(link)2084 4360 y Fk(\\Sorry)35 b(to)h(in)n(terrupt)h(the)g(festivities,")i([.)14 b(.)g(.)f(])2084 4460 y(\\but)28 b(w)n(e)f(ha)n(v)n(e)f(a)h(problem.") 2284 4638 y Fb(Hal)g(in)h(2001:)35 b(A)28 b(Space)f(Odyssey)2425 4737 y Fi({Ar)-6 b(thur)31 b(C.)g(Clarke)2001 4915 y Fk(While)25 b(SSH)g(protects)f(X11)g(authen)n(tication)g(material)1918 5015 y(during)e(transmission)f(it)i(do)r(es)g(not)f(secure)g(access)g (to)g(the)1918 5114 y(pro)n(xy)h(v)-5 b(alue)25 b(stored)f(in)h(the)g Fd(.Xauthority)20 b Fk(\014le.)36 b(This)25 b(is)1918 5214 y(the)e(resp)r(onsibilit)n(y)g(of)g(the)g(underlying)g(\014le)g (system.)35 b(Of-)1918 5313 y(ten)22 b(there)f(is)g(inadequate)g (\014le)h(system)f(securit)n(y)f(in)i(place.)1918 5413 y(Who)r(ev)n(er)j(is)h(able)g(to)g(read)f(the)i(appropriate)d(p)r (ortion)i(of)1856 5662 y(3)p eop %%Page: 4 4 4 3 bop 535 1823 a @beginspecial 0 @llx 0 @lly 322 @urx 165 @ury 3220 @rwi @setspecial %%BeginDocument: ssh-x11_authentication.eps %Magnification: 1.00 /$F2psDict 200 dict def $F2psDict begin $F2psDict /mtrx matrix put /col-1 {0 setgray} bind def /col0 {0.000 0.000 0.000 srgb} bind def /col1 {0.000 0.000 1.000 srgb} bind def /col2 {0.000 1.000 0.000 srgb} bind def /col3 {0.000 1.000 1.000 srgb} bind def /col4 {1.000 0.000 0.000 srgb} bind def /col5 {1.000 0.000 1.000 srgb} bind def /col6 {1.000 1.000 0.000 srgb} bind def /col7 {1.000 1.000 1.000 srgb} bind def /col8 {0.000 0.000 0.560 srgb} bind def /col9 {0.000 0.000 0.690 srgb} bind def /col10 {0.000 0.000 0.820 srgb} bind def /col11 {0.530 0.810 1.000 srgb} bind def /col12 {0.000 0.560 0.000 srgb} bind def /col13 {0.000 0.690 0.000 srgb} bind def /col14 {0.000 0.820 0.000 srgb} bind def /col15 {0.000 0.560 0.560 srgb} bind def /col16 {0.000 0.690 0.690 srgb} bind def /col17 {0.000 0.820 0.820 srgb} bind def /col18 {0.560 0.000 0.000 srgb} bind def /col19 {0.690 0.000 0.000 srgb} bind def /col20 {0.820 0.000 0.000 srgb} bind def /col21 {0.560 0.000 0.560 srgb} bind def /col22 {0.690 0.000 0.690 srgb} bind def /col23 {0.820 0.000 0.820 srgb} bind def /col24 {0.500 0.190 0.000 srgb} bind def /col25 {0.630 0.250 0.000 srgb} bind def /col26 {0.750 0.380 0.000 srgb} bind def /col27 {1.000 0.500 0.500 srgb} bind def /col28 {1.000 0.630 0.630 srgb} bind def /col29 {1.000 0.750 0.750 srgb} bind def /col30 {1.000 0.880 0.880 srgb} bind def /col31 {1.000 0.840 0.000 srgb} bind def end save -30.0 209.0 translate 1 -1 scale /cp {closepath} bind def /ef {eofill} bind def /gr {grestore} bind def /gs {gsave} bind def /sa {save} bind def /rs {restore} bind def /l {lineto} bind def /m {moveto} bind def /rm {rmoveto} bind def /n {newpath} bind def /s {stroke} bind def /sh {show} bind def /slc {setlinecap} bind def /slj {setlinejoin} bind def /slw {setlinewidth} bind def /srgb {setrgbcolor} bind def /rot {rotate} bind def /sc {scale} bind def /sd {setdash} bind def /ff {findfont} bind def /sf {setfont} bind def /scf {scalefont} bind def /sw {stringwidth} bind def /tr {translate} bind def /tnt {dup dup currentrgbcolor 4 -2 roll dup 1 exch sub 3 -1 roll mul add 4 -2 roll dup 1 exch sub 3 -1 roll mul add 4 -2 roll dup 1 exch sub 3 -1 roll mul add srgb} bind def /shd {dup dup currentrgbcolor 4 -2 roll mul 4 -2 roll mul 4 -2 roll mul srgb} bind def /DrawEllipse { /endangle exch def /startangle exch def /yrad exch def /xrad exch def /y exch def /x exch def /savematrix mtrx currentmatrix def x y tr xrad yrad sc 0 0 1 startangle endangle arc closepath savematrix setmatrix } def /DrawSplineSection { /y3 exch def /x3 exch def /y2 exch def /x2 exch def /y1 exch def /x1 exch def /xa x1 x2 x1 sub 0.666667 mul add def /ya y1 y2 y1 sub 0.666667 mul add def /xb x3 x2 x3 sub 0.666667 mul add def /yb y3 y2 y3 sub 0.666667 mul add def x1 y1 lineto xa ya xb yb x3 y3 curveto } def /$F2psBegin {$F2psDict begin /$F2psEnteredState save def} def /$F2psEnd {$F2psEnteredState restore end} def $F2psBegin 10 setmiterlimit n 0 792 m 0 0 l 612 0 l 612 792 l cp clip 0.06000 0.06000 sc /Times-Roman ff 120.00 scf sf 2700 1725 m gs 1 -1 sc (faked cookie) dup sw pop 2 div neg 0 rm col-1 sh gr 7.500 slw % Ellipse n 2100 1950 75 150 0 360 DrawEllipse gs col7 0.20 shd ef gr gs col-1 s gr % Polyline n 2100 1800 m 3300 1800 l gs col-1 s gr % Polyline n 2100 2100 m 3300 2100 l gs col-1 s gr /Times-Roman ff 120.00 scf sf 2775 1950 m gs 1 -1 sc (secure channel) dup sw pop 2 div neg 0 rm col-1 sh gr % Polyline n 1005 1050 m 900 1050 900 1170 105 arcto 4 {pop} repeat 900 1275 1395 1275 105 arcto 4 {pop} repeat 1500 1275 1500 1155 105 arcto 4 {pop} repeat 1500 1050 1005 1050 105 arcto 4 {pop} repeat cp gs col-1 s gr /Times-Roman ff 150.00 scf sf 1200 1200 m gs 1 -1 sc (X server) dup sw pop 2 div neg 0 rm col-1 sh gr /Times-Roman ff 120.00 scf sf 1050 1725 m gs 1 -1 sc (authen-) dup sw pop neg 0 rm col-1 sh gr /Times-Roman ff 120.00 scf sf 1050 1575 m gs 1 -1 sc (real) dup sw pop neg 0 rm col-1 sh gr /Times-Roman ff 120.00 scf sf 1050 1875 m gs 1 -1 sc (tication) dup sw pop neg 0 rm col-1 sh gr % Polyline n 1080 1875 m 975 1875 975 1995 105 arcto 4 {pop} repeat 975 2100 1320 2100 105 arcto 4 {pop} repeat 1425 2100 1425 1980 105 arcto 4 {pop} repeat 1425 1875 1080 1875 105 arcto 4 {pop} repeat cp gs col-1 s gr /Times-Roman ff 150.00 scf sf 1200 2025 m gs 1 -1 sc (ssh) dup sw pop 2 div neg 0 rm col-1 sh gr % Polyline n 1875 900 m 525 900 l 525 2250 l 1875 2250 l cp gs col-1 s gr % Polyline gs clippath 1095 1446 m 1125 1302 l 1155 1446 l 1155 1260 l 1095 1260 l cp clip n 1125 1875 m 1125 1275 l gs col-1 s gr gr % arrowhead n 1095 1446 m 1125 1302 l 1155 1446 l 1125 1422 l 1095 1446 l cp gs 0.00 setgray ef gr col-1 s % Open spline gs clippath 4230 1554 m 4200 1698 l 4170 1554 l 4170 1740 l 4230 1740 l cp clip n 4425.0 1125.0 m 4312.5 1125.0 l 4312.5 1125.0 4200.0 1125.0 4200.0 1425.0 DrawSplineSection 4200.0 1725.0 l gs col-1 s gr gr % arrowhead n 4230 1554 m 4200 1698 l 4170 1554 l 4200 1578 l 4230 1554 l cp gs 0.00 setgray ef gr col-1 s /Times-Roman ff 120.00 scf sf 4125 1350 m gs 1 -1 sc (faked) dup sw pop neg 0 rm col-1 sh gr /Times-Roman ff 120.00 scf sf 4125 1500 m gs 1 -1 sc (cookie) dup sw pop neg 0 rm col-1 sh gr % Polyline n 5850 2400 m 4275 2400 l 4275 3225 l 5850 3225 l cp gs col-1 s gr % Polyline [66.7] 0 sd n 4005 1725 m 3900 1725 3900 1845 105 arcto 4 {pop} repeat 3900 1950 4395 1950 105 arcto 4 {pop} repeat 4500 1950 4500 1830 105 arcto 4 {pop} repeat 4500 1725 4005 1725 105 arcto 4 {pop} repeat cp gs col7 0.95 shd ef gr gs col-1 s gr [] 0 sd /Times-Roman ff 150.00 scf sf 4200 1875 m gs 1 -1 sc (X proxy) dup sw pop 2 div neg 0 rm col-1 sh gr % Polyline n 3930 1650 m 3825 1650 3825 2070 105 arcto 4 {pop} repeat 3825 2175 4470 2175 105 arcto 4 {pop} repeat 4575 2175 4575 1755 105 arcto 4 {pop} repeat 4575 1650 3930 1650 105 arcto 4 {pop} repeat cp gs col-1 s gr /Times-Roman ff 150.00 scf sf 4200 2100 m gs 1 -1 sc (sshd) dup sw pop 2 div neg 0 rm col-1 sh gr % Polyline [66.7] 0 sd n 5055 1650 m 4950 1650 4950 1770 105 arcto 4 {pop} repeat 4950 1875 5595 1875 105 arcto 4 {pop} repeat 5700 1875 5700 1755 105 arcto 4 {pop} repeat 5700 1650 5055 1650 105 arcto 4 {pop} repeat cp gs col7 0.95 shd ef gr gs col-1 s gr [] 0 sd /Times-Roman ff 150.00 scf sf 5325 1800 m gs 1 -1 sc (.Xauthority) dup sw pop 2 div neg 0 rm col-1 sh gr % Polyline n 4980 1575 m 4875 1575 4875 2070 105 arcto 4 {pop} repeat 4875 2175 5670 2175 105 arcto 4 {pop} repeat 5775 2175 5775 1680 105 arcto 4 {pop} repeat 5775 1575 4980 1575 105 arcto 4 {pop} repeat cp gs col-1 s gr /Times-Roman ff 150.00 scf sf 5325 2070 m gs 1 -1 sc (nfs) dup sw pop 2 div neg 0 rm col-1 sh gr % Polyline n 4530 1050 m 4425 1050 4425 1170 105 arcto 4 {pop} repeat 4425 1275 4920 1275 105 arcto 4 {pop} repeat 5025 1275 5025 1155 105 arcto 4 {pop} repeat 5025 1050 4530 1050 105 arcto 4 {pop} repeat cp gs col-1 s gr /Times-Roman ff 150.00 scf sf 4725 1200 m gs 1 -1 sc (X client) dup sw pop 2 div neg 0 rm col-1 sh gr % Polyline n 4530 2775 m 4425 2775 4425 2895 105 arcto 4 {pop} repeat 4425 3000 4920 3000 105 arcto 4 {pop} repeat 5025 3000 5025 2880 105 arcto 4 {pop} repeat 5025 2775 4530 2775 105 arcto 4 {pop} repeat cp gs col-1 s gr /Times-Roman ff 150.00 scf sf 4725 2925 m gs 1 -1 sc (X client) dup sw pop 2 div neg 0 rm col-1 sh gr % Open spline gs clippath 4614 1409 m 4711 1298 l 4666 1438 l 4758 1277 l 4706 1247 l cp clip [66.7] 0 sd n 3375.0 1875.0 m 3675.0 1875.0 l 3675.0 1875.0 3975.0 1875.0 4200.0 1837.5 DrawSplineSection 4200.0 1837.5 4425.0 1800.0 4575.0 1537.5 DrawSplineSection 4725.0 1275.0 l gs col-1 s gr gr [] 0 sd % arrowhead n 4614 1409 m 4711 1298 l 4666 1438 l 4652 1403 l 4614 1409 l cp gs 0.00 setgray ef gr col-1 s % Polyline n 3675 900 m 5850 900 l 5850 2250 l 3675 2250 l cp gs col-1 s gr % Polyline gs clippath 1596 1980 m 1452 1950 l 1596 1920 l 1410 1920 l 1410 1980 l cp clip n 2100 1950 m 1425 1950 l gs col-1 s gr gr % arrowhead n 1596 1980 m 1452 1950 l 1596 1920 l 1572 1950 l 1596 1980 l cp gs 0.00 setgray ef gr col-1 s % Polyline n 3825 1950 m 3375 1950 l gs col-1 s gr % Open spline gs clippath 1245 1446 m 1275 1302 l 1305 1446 l 1305 1260 l 1245 1260 l cp clip [66.7] 0 sd n 2100.0 1875.0 m 1800.0 1875.0 l 1800.0 1875.0 1500.0 1875.0 1387.5 1912.5 DrawSplineSection 1387.5 1912.5 1275.0 1950.0 1275.0 1612.5 DrawSplineSection 1275.0 1275.0 l gs col-1 s gr gr [] 0 sd % arrowhead n 1245 1446 m 1275 1302 l 1305 1446 l 1275 1422 l 1245 1446 l cp gs 0.00 setgray ef gr col-1 s % Open spline gs clippath 5196 1155 m 5052 1125 l 5196 1095 l 5010 1095 l 5010 1155 l cp clip n 5325.0 1650.0 m 5325.0 1387.5 l 5325.0 1387.5 5325.0 1125.0 5175.0 1125.0 DrawSplineSection 5025.0 1125.0 l gs col-1 s gr gr % arrowhead n 5196 1155 m 5052 1125 l 5196 1095 l 5172 1125 l 5196 1155 l cp gs 0.00 setgray ef gr col-1 s % Open spline gs clippath 5196 2880 m 5052 2850 l 5196 2820 l 5010 2820 l 5010 2880 l cp clip [15 50.0] 50.0 sd n 5325.0 1875.0 m 5325.0 2362.5 l 5325.0 2362.5 5325.0 2850.0 5175.0 2850.0 DrawSplineSection 5025.0 2850.0 l gs col-1 s gr gr [] 0 sd % arrowhead n 5196 2880 m 5052 2850 l 5196 2820 l 5172 2850 l 5196 2880 l cp gs 0.00 setgray ef gr col-1 s % Open spline gs clippath 1170 1446 m 1200 1302 l 1230 1446 l 1230 1260 l 1170 1260 l cp clip [15 50.0] 50.0 sd n 2100.0 2025.0 m 1725.0 2025.0 l 1725.0 2025.0 1350.0 2025.0 1275.0 1987.5 DrawSplineSection 1275.0 1987.5 1200.0 1950.0 1200.0 1612.5 DrawSplineSection 1200.0 1275.0 l gs col-1 s gr gr [] 0 sd % arrowhead n 1170 1446 m 1200 1302 l 1230 1446 l 1200 1422 l 1170 1446 l cp gs 0.00 setgray ef gr col-1 s % Open spline gs clippath 4755 2604 m 4725 2748 l 4695 2604 l 4695 2790 l 4755 2790 l cp clip [15 50.0] 50.0 sd n 3375.0 2025.0 m 3487.5 2025.0 l 3487.5 2025.0 3600.0 2025.0 3975.0 1950.0 DrawSplineSection 3975.0 1950.0 4350.0 1875.0 4500.0 1875.0 DrawSplineSection 4500.0 1875.0 4650.0 1875.0 4687.5 1950.0 DrawSplineSection 4687.5 1950.0 4725.0 2025.0 4725.0 2400.0 DrawSplineSection 4725.0 2775.0 l gs col-1 s gr gr [] 0 sd % arrowhead n 4755 2604 m 4725 2748 l 4695 2604 l 4725 2628 l 4755 2604 l cp gs 0.00 setgray ef gr col-1 s /Times-Roman ff 150.00 scf sf 1200 825 m gs 1 -1 sc (user's console) dup sw pop 2 div neg 0 rm col-1 sh gr /Times-Roman ff 150.00 scf sf 4725 825 m gs 1 -1 sc (remote shell host) dup sw pop 2 div neg 0 rm col-1 sh gr /Times-Roman ff 150.00 scf sf 5025 3450 m gs 1 -1 sc (intruder) dup sw pop 2 div neg 0 rm col-1 sh gr /Times-Roman ff 120.00 scf sf 5400 2550 m gs 1 -1 sc (faked) col-1 sh gr /Times-Roman ff 120.00 scf sf 5400 2700 m gs 1 -1 sc (cookie) col-1 sh gr /Times-Roman ff 120.00 scf sf 5400 1350 m gs 1 -1 sc (faked) col-1 sh gr /Times-Roman ff 120.00 scf sf 5400 1500 m gs 1 -1 sc (cookie) col-1 sh gr % Arc gs n 3187.5 1950.0 187.5 -53.1 53.1 arc gs col-1 s gr gr $F2psEnd rs %%EndDocument @endspecial 782 2006 a Fk(Figure)27 b(1:)37 b(X11)27 b(Authen)n(tication)h(and)f(tra\016c)g(mediation)h(via)f(SSH)0 2271 y(the)c Fd(.Xauthority)18 b Fk(\014le)k(ma)n(y)g(masquerade)f(as)g (the)i(legiti-)0 2371 y(mate)c(\014le)g(o)n(wner)f(and)h(access)f(the)i (user's)e(X)h(displa)n(y)-7 b(.)34 b(The)0 2470 y(sp)r(ectrum)j(of)h (feasible)f(attac)n(ks)f(reac)n(hes)f(from)i(passiv)n(e)0 2570 y(surv)n(eillance)23 b(to)h(activ)n(e)g(denial)g(of)g(service)f (and)h(plan)n(ting)0 2670 y(of)k(bac)n(kdo)r(ors)460 2640 y Fh(8)495 2670 y Fk(.)83 2771 y(There)53 b(are)f(sev)n(eral)g (tec)n(hniques)h(a)n(v)-5 b(ailable)52 b(to)h(in-)0 2870 y(trude)40 b(in)n(to)h(a)f(system)g(and)g(gain)g(sup)r(er)g(user)g (privile-)0 2970 y(ges)33 b(\(see)g(the)g(bugtraq)g(mailing)g(list)g (for)g(actual)g(exam-)0 3069 y(ples\).)56 b(Equipp)r(ed)34 b(with)h(these)f(privileges)f(an)g(in)n(truder)0 3169 y(or)26 b(ev)n(en)g(a)g(rogue)f(administrator)g(is)h(able)g(to)h(read)e (ev)n(ery)0 3269 y(\014le)33 b(stored)f(on)h(the)g(in)n(v)n(olv)n(ed)e (mac)n(hine.)53 b(F)-7 b(urther)32 b(non-)0 3368 y(in)n(v)-5 b(asiv)n(e)17 b(metho)r(ds)i(to)f(obtain)g(the)h Fd(.Xauthority)14 b Fk(\014le)19 b(are)0 3468 y(feasible)35 b(when)h(an)g(attac)n(k)n(er) e(either)h(has)g(some)g(insider)0 3568 y(kno)n(wledge)i(or)g(the)h(net) n(w)n(ork)f(service)g(NFS)h(\()p Fj(N)p Fk(et)n(w)n(ork)0 3667 y Fj(F)p Fk(ile)25 b Fj(S)p Fk(ystem\))g([No)n(w89)n(,)g(RF)n(C)g (1094])d(is)j(insecurely)f(con-)0 3767 y(\014gured.)35 b(Both)25 b(tec)n(hniques)g(are)f(brie\015y)g(outlined)h(in)g(the)0 3866 y(follo)n(wing)i(section.)0 4106 y Fc(5.1)112 b(A)m(ttac)m(k!)0 4262 y Fk(T)-7 b(o)27 b(simplify)i(the)f(description)f(a)h(sample)f (output)i(of)e(the)0 4361 y(attac)n(k)n(er's)g(and)j(victim's)f(shell)g (session)g(is)g(supplied.)43 b(It)0 4461 y(is)19 b(assumed)g(that)g (the)h(reader)d(is)i(familiar)g(with)h(the)f Fi(Unix)0 4560 y Fk(op)r(erating)27 b(system.)37 b(The)27 b(shell)h(prompt)g(as)f (used)g(b)r(elo)n(w)0 4660 y(consists)32 b(of)h(the)g(acting)f(sub)5 b(ject's)33 b(accoun)n(t)e(name)i(and)0 4760 y(the)27 b(name)f(of)h(the)f(mac)n(hine)g(in)h(use.)36 b(Bac)n(kslash)25 b(c)n(harac-)0 4859 y(ters)g(\()p Fd(\\)p Fk(\))h(trailing)f(output)h (lines)g(denote)f(the)h(concatena-)0 4959 y(tion)i(with)g(the)g(follo)n (wing)e(line.)83 5060 y(The)149 b(user)f(Jo)r(e)f(uses)i(the)g(mac)n (hines)0 5159 y Fd(target.innocent.)o(org)124 b Fk(and)132 b Fd(proxy.host.org)0 5259 y Fk(under)29 b(the)h(accoun)n(t)e(names)h Fd(joe)f Fk(and)h Fd(victim)p Fk(,)e(resp)r(ec-)p 0 5336 734 4 v 92 5390 a Fg(8)127 5413 y Ff(F)-6 b(or)23 b(some)g(examples)h (of)f(bac)n(kdo)r(ors)i(see)f([Kla97].)1918 2271 y Fk(tiv)n(ely)-7 b(.)85 b(The)43 b(attac)n(k)n(er)f(acts)h(under)h(the)g(name)f Fd(dood)1918 2371 y Fk(on)50 b(her)h(mac)n(hine)f Fd(haque.evil.org)p Fk(.)101 b(In)51 b(case)f(the)1918 2470 y(attac)n(k)n(er)45 b(has)i(an)f(accoun)n(t)h(on)f Fd(proxy.host.org)c Fk(at)1918 2570 y(her)32 b(disp)r(osal,)h(its)f(name)g(shall)g(b)r(e)h Fd(hacker)p Fk(.)48 b(This)33 b(case)1918 2670 y(is)e(presen)n(ted)f (\014rst)h(for)g(it)g(is)g(far)g(simpler)f(than)i(the)f(one)1918 2769 y(in)n(v)n(olving)26 b(purely)h(remote)g(hac)n(king.)1918 2945 y Fd(dood@haque$)39 b(ssh)j(-l)h(hacker)e(proxy.host.org)1918 3045 y(hacker's)f(password:)1918 3145 y(Last)i(login:)f(Wed)h(Jul)h(23) f(13:28:02)f(1997)g(from\\)1961 3244 y(haque.evil.org)1918 3444 y(Welcome)f(on)j(proxy.host.org.)1918 3643 y(hacker@proxy$)38 b(echo)k($DISPLAY)1918 3742 y(proxy:10.0)1918 3842 y(hacker@proxy$)c(w) 43 b(|)g(grep)f(victim)1918 3942 y(victim)128 b(p3)43 b(target.innocent.)o(or)o(g)81 b(12:46PM)41 b(\\)1961 4041 y(1)j(-bash)1918 4141 y(hacker@proxy$)38 b(lsof)k(-i)h(TCP:ssh)d (|)436 b(\\)1961 4241 y(grep)42 b(target.innocent.o)o(rg)1918 4340 y(sshd)347 b(211)217 b(root)172 b(5u)87 b(inet)216 b(\\)1961 4440 y(0x0063f200)345 b(0t0)i(TCP)h(\\)1961 4539 y(proxy.host.org:ss)o(h->)o(ta)o(rg)o(et.)o(in)o(noc)o(en)o(t.)o (org)o(:\\)1961 4639 y(1022)2001 4815 y Fk(The)124 b(attac)n(k)n(er)e (la)n(ys)h(lo)n(w)g(and)h(observ)n(es)1918 4915 y Fd(proxy.host.org)55 b Fk(un)n(til)61 b(Jo)r(e)g(logs)f(in)h(as)f Fd(victim)p Fk(.)1918 5015 y(F)-7 b(urthermore)35 b(she)h(notes)g(her)g(session's)e (displa)n(y)i(n)n(um-)1918 5114 y(b)r(er)49 b(allo)r(cated)g(b)n(y)h (the)g(SSH)g(serv)n(er.)101 b(The)49 b(displa)n(y)1918 5214 y(n)n(um)n(b)r(er)60 b(of)g Fd(victim)f Fk(can)h(b)r(e)g(deduced)h (from)f(this)1918 5313 y(n)n(um)n(b)r(er.)115 b(If)54 b Fd(victim)d Fk(logs)i(in)n(to)g Fd(proxy.host.org)1918 5413 y Fk(directly)40 b(after)g Fd(hacker)f Fk(his)h(displa)n(y)g(n)n (um)n(b)r(er)g(will)h(b)r(e)1856 5662 y(4)p eop %%Page: 5 5 5 4 bop 0 531 a Fk(one)27 b(greater)f(than)i Fd(hacker)p Fk('s)d(displa)n(y)i(n)n(um)n(b)r(er.)0 732 y Fd(joe@target$)39 b(ssh)j(-l)h(victim)e(proxy.host.org)0 832 y(victim's)f(password:)0 932 y(Last)i(login:)f(Mon)h(Jul)h(14)f(18:20:11)f(1997)h(from\\)44 1031 y(target.innocent)o(.or)o(g)0 1231 y(Welcome)f(on)h (proxy.host.org.)83 1428 y Fk(If)h Fd(victim)d Fk(has)i(not)g(y)n(et)g (used)h(X11)e Fd(.Xauthority)0 1528 y Fk(\014les,)138 b(the)116 b(follo)n(wing)f(message)g(will)h(notify)0 1627 y Fd(victim)69 b Fk(that)j(the)f(pro)n(xy)f(v)-5 b(alue)72 b(whic)n(h)f(is)g(nec-)0 1727 y(essary)103 b(for)h(transparen)n(t)f(access)g(to)i(the)g(X)0 1826 y(serv)n(er)f(has)i(b)r(een)g(placed)g(in)g Fd(.Xauthority)p Fk(:)0 1926 y Fd(/usr/X11/bin/xau)o(th:)80 b(creating)41 b(new)0 2026 y(authority)f(file)i(/home/victim/.Xa)o(ut)o(hor)o(it)o(y) 0 2227 y(hacker@proxy$)c(su)0 2326 y(Password:)0 2426 y(root@proxy#)h(xauth)j(-f)g(~victim/.Xauthori)o(ty)37 b(\\)44 2526 y(extract)j(~hacker/proxyauth)d(proxy:11.0)0 2625 y(root@proxy#)i(chown)j(hacker)f(~hacker/proxyau)o(th)0 2725 y(root@proxy#)e(exit)0 2825 y(exit)0 2924 y(hacker@proxy$)f(ftp)43 b(haque.evil.org)0 3024 y(Connected)d(to)j(haque.evil.org.)0 3123 y(220)f(haque)g(FTP)g(server)f(\(Version)g(6.2\))h(ready.)0 3223 y(Name)g(\(haque:hacker\):)37 b(dood)0 3323 y(331)42 b(Password)f(required)f(for)i(dood.)0 3422 y(Password:)0 3522 y(230-)0 3622 y(230-)g(Welcome)f(on)h(haque.evil.org.)0 3721 y(230-)0 3821 y(230)g(User)g(dood)g(logged)f(in.)0 3920 y(Remote)g(system)g(type)h(is)h(UNIX.)0 4020 y(Using)f(binary)f (mode)h(to)g(transfer)f(files.)0 4120 y(ftp>)h(put)g(proxyauth)0 4219 y(local:)f(proxyauth)f(remote:)h(proxyauth)0 4319 y(200)h(PORT)g(command)f(successful.)0 4419 y(150)h(Opening)f(BINARY)g (mode)h(data)g(connection)83 b(\\)44 4518 y(for)42 b('proxyauth'.)0 4618 y(226)g(Transfer)f(complete.)0 4717 y(104)h(bytes)g(sent)g(in)h (0.04)e(seconds)g(\(2.26)h(KB/s\))0 4817 y(ftp>)g(quit)0 4917 y(221)g(Goodbye.)0 5016 y(hacker@proxy$)c(exit)0 5116 y(logout)0 5216 y(Connection)h(to)k(proxy.host.org)38 b(closed.)83 5413 y Fk(When)33 b Fd(hacker)d Fk(sees)i Fd(victim)e Fk(en)n(tering)i(the)h(system,)1918 531 y(she)e(will)g (assume)2485 501 y Fh(9)2553 531 y Fk(sup)r(er)g(user)f(privileges)g (and)h(extract)1918 631 y Fd(victim)p Fk('s)49 b(pro)n(xy)i(authen)n (tication)h(v)-5 b(alue.)111 b(She)52 b(will)1918 731 y(then)23 b(transfer)f(the)h(authen)n(ticator)e(to)i(her)f(o)n(wn)g (mac)n(hine)1918 830 y Fd(haque.evil.org)g Fk(and)27 b(lea)n(v)n(e)f Fd(proxy.host.org)p Fk(.)2001 935 y(If)19 b(the)h(attac)n(k)n(er)d(cannot)h(access)g(an)h(arbitrary)e(accoun)n(t) 1918 1035 y(on)30 b Fd(proxy.host.org)25 b Fk(she)31 b(can)f(exploit)h(w)n(eaknesses)e(of)1918 1134 y(the)36 b(net)n(w)n(ork)e(service)g(NFS)j(to)e(obtain)g(the)h(pro)n(xy)e(au-) 1918 1234 y(then)n(ticator.)1918 1442 y Fd(dood@haque$)39 b(rpcinfo)i(-p)h(proxy.host.org)2049 1541 y(program)e(vers)i(proto)129 b(port)2092 1641 y(100000)172 b(2)130 b(tcp)173 b(111)86 b(portmapper)2092 1741 y(100000)172 b(2)130 b(udp)173 b(111)86 b(portmapper)2092 1840 y(100003)172 b(2)130 b(udp)g(2049)85 b(nfs)2092 1940 y(100005)172 b(1)130 b(udp)173 b(785)86 b(mountd)2092 2039 y(100003)172 b(3)130 b(udp)g(2049)85 b(nfs)2092 2139 y(100005)172 b(3)130 b(udp)173 b(785)86 b(mountd)2092 2239 y(100005)172 b(1)130 b(tcp)173 b(827)86 b(mountd)2092 2338 y(100003)172 b(2)130 b(tcp)g(2049)85 b(nfs)2092 2438 y(100005)172 b(3)130 b(tcp)173 b(827)86 b(mountd)2092 2538 y(100003)172 b(3)130 b(tcp)g(2049)85 b(nfs)2092 2637 y(300019)172 b(1)130 b(udp)173 b(729)86 b(amd)2092 2737 y(100001)172 b(1)130 b(udp)173 b(608)86 b(rstatd)2092 2836 y(100001)172 b(2)130 b(udp)173 b(608)86 b(rstatd)2092 2936 y(100001)172 b(3)130 b(udp)173 b(608)86 b(rstatd)2092 3036 y(100002)172 b(1)130 b(udp)173 b(850)86 b(rusersd)2092 3135 y(100002)172 b(2)130 b(udp)173 b(850)86 b(rusersd)2092 3235 y(100002)172 b(3)130 b(udp)173 b(850)86 b(rusersd)1918 3335 y(dood@haque$)39 b(showmount)h(-e)i(proxy.host.org)1918 3434 y(Exports)e(list)i(on)h (proxy.host.org:)1918 3534 y(/export/home)823 b(Everyone)1918 3633 y(dood@haque$)39 b(askhandle)h(proxy.host.org)212 b(\\)1961 3733 y(/export/home)39 b(>nfshandle)1918 3833 y(dood@haque$)g(nfsmenu)i(nfshandle)519 b(\\)1961 3932 y(proxy.host.org)38 b(/export/home)1918 4032 y(uid)k(=)h(-2,)g(gid)f(=) h(-2)1918 4132 y(proxy.host.org:/)o(ex)o(por)o(t/)o(ho)o(me>)37 b(getattr)215 b(\\)1961 4231 y(victim)1918 4331 y(type:)41 b(2)1918 4430 y(mode:)g(40755)1918 4530 y(nlink:)g(14)1918 4630 y(uid:)h(2001)1918 4729 y(gid:)g(42)1918 4829 y(size:)f(4096)1918 4929 y(atime:)g(Sat)h(Sep)h(13)f(17:49:29)f(1997)p 1918 5020 734 4 v 2010 5074 a Fg(9)2045 5098 y Ff(The)27 b(attac)n(k)n(er)h (ma)n(y)e(switc)n(h)g(to)h Fe(root)h Ff(b)n(y)f(sev)n(eral)f(w)n(a)n (ys.)40 b(She)1918 5176 y(ma)n(y)19 b(legitimately)h(kno)n(w)g(the)h (passw)n(ord)f(for)g(the)h Fe(root)g Ff(accoun)n(t)h(or)1918 5255 y(migh)n(t)k(ha)n(v)n(e)h(crac)n(k)n(ed)h(it.)40 b(There)27 b(are)g(ev)n(en)h(n)n(umerous)e(programs)1918 5334 y(around)33 b(whic)n(h)g(exploit)g(system)f(vulnerabilities)g(to)i (gain)f(sup)r(er)1918 5413 y(user)23 b(privileges)g(\(see)i(e.g.)e ([One96)q(]\).)1856 5662 y Fk(5)p eop %%Page: 6 6 6 5 bop 0 531 a Fd(mtime:)41 b(Sat)h(Sep)h(13)g(17:47:13)d(1997)0 631 y(ctime:)h(Sat)h(Sep)h(13)g(17:47:13)d(1997)0 731 y(proxy.host.org:/)o(exp)o(or)o(t/)o(hom)o(e>)d(id)43 b(2001)f(42)0 830 y(uid)g(=)i(2001,)d(gid)h(=)i(42)0 930 y(proxy.host.org:/)o(exp)o(or)o(t/)o(hom)o(e>)37 b(cd)43 b(victim)0 1029 y(proxy.host.org:/)o(exp)o(or)o(t/)o(hom)o(e/)o (vic)o(ti)o(m>)37 b(read)42 b(\\)44 1129 y(.Xauthority)d(Xauth)0 1229 y(proxy.host.org:/)o(exp)o(or)o(t/)o(hom)o(e/)o(vic)o(ti)o(m>)e (quit)0 1328 y(dood@haque$)i(xauth)j(-f)g(Xauth)g(extract)302 b(\\)44 1428 y(proxyauth)39 b(proxy:11.0)83 1608 y Fk(First)27 b(the)h(attac)n(k)n(er)d(needs)j(to)f(kno)n(w)f(if)i(NFS)g(is)f(a)n(v) -5 b(ail-)0 1708 y(able)53 b(on)g Fd(proxy.host.org)p Fk(.)109 b(After)54 b(assuming)e(the)0 1807 y(user)38 b(and)g(group)f(ids)h(asso)r(ciated)f(with)h Fd(victim)e Fk(\(here)0 1907 y(uid=2001,)21 b(gid=42\))f(the)i Fd(.Xauthority)17 b Fk(\014le)22 b(is)g(read)e(via)0 2007 y(NFS)162 1976 y Fh(10)233 2007 y Fk(.)26 b(In)h(order)e(to)h(use)h(NFS)g(the)g(attac) n(k)n(er)d(needs)i(the)0 2106 y(\014le)36 b(handle)g(of)g(a)g (directory)e(ab)r(o)n(v)n(e)h(the)h Fd(.Xauthority)0 2206 y Fk(\014le.)49 b(Suc)n(h)31 b(a)g(handle)g(ma)n(y)g(b)r(e)h (obtained)f(b)n(y)g(moun)n(ting)0 2305 y(w)n(orld)22 b(accessible)572 2275 y Fh(11)664 2305 y Fk(or)g(re\015exiv)n(ely)1127 2275 y Fh(12)1219 2305 y Fk(moun)n(ted)h(directo-)0 2405 y(ries)i([vD91)o(].)36 b(In)26 b(case)e(these)i(metho)r(ds)f(fail,)h(a) f(co)r(op)r(erat-)0 2505 y(ing)g(insider)g(migh)n(t)g(ea)n(v)n(esdrop)e (on)j(in)n(ternal)e(NFS)i(tra\016c)0 2604 y(and)38 b(seize)f(a)h (suitable)g(\014le)g(handle)g([Kla95)n(].)69 b(The)38 b(\014le)0 2704 y(handles)i(of)g(some)f(NFS)i(implemen)n(tations)f(ma)n (y)f(ev)n(en)0 2804 y(b)r(e)28 b(obtained)f(with)h(some)f(elab)r(orate) g(guesses.)83 2903 y(The)70 b(describ)r(ed)h(tec)n(hniques)f(do)g(not)g (represen)n(t)0 3003 y(all)65 b(p)r(ossible)h(a)n(v)n(en)n(ues)d(to)j (get)f(hold)h(of)f Fd(victim)p Fk('s)0 3103 y Fd(.Xauthority)36 b Fk(\014le.)74 b(There)40 b(will)g(probably)f(b)r(e)h(easier)0 3202 y(or)35 b(more)g(elegan)n(t)g(w)n(a)n(ys)g(to)h(ac)n(hiev)n(e)f (this.)62 b(It)37 b(is)f(not)1765 3172 y Fh(13)0 3302 y Fk(the)f(aim)f(of)g(this)h(pap)r(er)f(to)g(presen)n(t)g(a)g (comprehensiv)n(e)0 3401 y(list)e(of)g(hac)n(king)e(tec)n(hniques)i (but)g(to)g(p)r(oin)n(t)g(out)f(that)h(it)0 3501 y(is)26 b(indeed)g(p)r(ossible)g(for)f(a)h(p)r(ersisten)n(t)f(attac)n(k)n(er)f (to)i(reac)n(h)0 3601 y(his)i(goal.)0 3781 y Fd(dood@haque$)39 b(xauth)j(merge)f(proxyauth)0 3880 y(dood@haque$)e(xkey)j (proxy.host.org:1)o(1.0)83 4061 y Fk(After)k(the)g(retriev)-5 b(al)45 b(of)h(the)g(pro)n(xy)e(authen)n(ticator)0 4160 y Fd(dood)18 b Fk(can)i(add)g(it)g(to)g(his)g(o)n(wn)f Fd(.Xauthority)d Fk(\014le)k(and)g(ac-)p 0 4231 734 4 v 62 4284 a Fg(10)127 4308 y Fe(nfsmenu)28 b Ff(is)d(an)h(NFS)g(clien)n (t)h(whic)n(h)f(in)n(teractiv)n(ely)h(allo)n(ws)e(di-)0 4387 y(rect)17 b(access)h(to)f(the)h(services)f(o\013ered)g(b)n(y)g (NFS.)f(The)i Fe(nfsmenu)g Ff(pac)n(k-)0 4466 y(aged)g(further)e (includes)h Fe(askhandle)p Ff(,)k Fe(pmapmount)e Ff(and)e(a)g(\014le)g (handle)0 4544 y(sni\013er.)62 4600 y Fg(11)127 4624 y Ff(As)f(sho)n(wn)h(in)f(the)h(sample)f(output)i Fe(askhandle)h Ff(can)e(b)r(e)g(used)g(to)0 4703 y(extract)h(the)f(\014le)f(handle)h (from)d(directories)i(that)i(ma)n(y)d(b)r(e)i(moun)n(ted.)62 4758 y Fg(12)127 4782 y Ff(Directories)23 b(whic)n(h)h(are)g(moun)n (ted)g(b)n(y)h(the)f(same)f(NFS)h(serv)n(er)0 4861 y(that)h(exp)r(orts) g(them)f(in)g(the)h(\014rst)g(place)f(are)h(said)f(to)h(b)r(e)f(moun)n (ted)0 4939 y(re\015exiv)n(ely)-6 b(.)54 b(T)-6 b(o)r(ols)30 b(lik)n(e)h Fe(pmapmount)i Ff(can)f(b)r(e)f(used)h(to)f(exploit)h(a)0 5018 y(w)n(eakness)c(in)f(some)f(p)r(ortmapp)r(er)h(implemen)n(tations) f(in)g(order)h(to)0 5097 y(moun)n(t)22 b(directories)h(whic)n(h)g(are)f (not)i(widely)e(exp)r(orted)i(but)g(re\015ex-)0 5176 y(iv)n(ely)g(moun)n(table.)62 5232 y Fg(13)127 5255 y Ff(Nev)n(ertheless)36 b(I)g(encourage)i(the)e(reader)g(to)g(share)f (original)0 5334 y(tec)n(hniques)28 b(with)f(the)g(author.)40 b(Learning)27 b(is)e(an)i(in)n(teresting)g(and)0 5413 y(nev)n(er)d(ending)h(pro)r(cess.)1918 531 y Fk(cess)2058 501 y Fh(14)2151 531 y Fk(the)e(X)g(serv)n(er)e(of)i Fd(joe)p Fk('s)f(console)g(via)g(the)i(X)f(pro)n(xy)1918 631 y(lo)r(cated)32 b(on)g Fd(proxy.host.org)26 b Fk(\(here)32 b Fd(xkey)f Fk(is)h(used)g(to)1918 731 y(ea)n(v)n(esdrop)i(on)j(k)n (eyb)r(oard)e(input)i(pro)r(cessed)f(b)n(y)g(the)h(X)1918 830 y(serv)n(er)26 b(of)h Fd(target.innocent.o)o(rg)o Fk(\).)1918 1016 y Fd(joe@proxy$)39 b(exit)1918 1116 y(logout)1918 1215 y(Waiting)h(for)j(forwarded)d(connections)f(to)217 b(\\)1961 1315 y(terminate...)1918 1415 y(The)42 b(following)e (connections)f(are)j(open:)2005 1514 y(X11)g(connection)e(from)i (haque.evil.org)212 b(\\)1961 1614 y(port)42 b(1995)1918 1714 y(Connection)d(to)k(proxy.host.org)38 b(closed.)2001 1899 y Fk(When)67 b Fd(victim)d Fk(lea)n(v)n(es)h Fd(proxy.host.org)60 b Fk(while)1918 1999 y Fd(dood)47 b Fk(is)i(still)g(connected)g(to)g (the)g(X)h(pro)n(xy)d Fd(victim)1918 2098 y Fk(will)e(b)r(e)g(w)n (arned.)88 b(F)-7 b(or)45 b(an)g(educated)f(Jo)r(e)h(this)g(is)g(a)1918 2198 y(go)r(o)r(d)2094 2168 y Fh(15)2194 2198 y Fk(sign)31 b(for)f(a)g(successful)h(p)r(enetration)f(from)h(host)1918 2297 y Fd(haque.evil.org)p Fk(.)1918 2533 y Fc(5.2)112 b(Conclusion)1918 2688 y Fk(If)37 b(SSH)h(supp)r(orts)f(the)g (mediation)g(of)g(X11)g(tra\016c)f(the)1918 2787 y(resistance)i(of)i (the)g(user's)e(mac)n(hine)h(do)r(es)h(not)f(merely)1918 2887 y(dep)r(end)30 b(on)f(its)h(o)n(wn)f(securit)n(y)g(but)h(also)f (on)g(the)h(o)n(v)n(erall)1918 2987 y(securit)n(y)d(of)g(the)h(remote)f (shell)h(hosts)f(in)h(use.)2001 3087 y(This)45 b(situation)f(recalls)g (problems)g(usually)g(kno)n(wn)1918 3187 y(from)31 b(trust)h(net)n(w)n (orks)f(suc)n(h)g(as)g(emplo)n(y)n(ed)g(b)n(y)h Fd(rlogin)p Fk(,)1918 3286 y Fd(rsh)p Fk(,)19 b(etc.)g([FV93,)g(dari96)n(].)34 b(In)19 b(case)f(one)g(of)h(the)g(remotely)1918 3386 y(used)29 b(SSH)g(serv)n(er)e(hosts)h(is)h(in\014ltrated,)g(evil)g (migh)n(t)g(b)r(e-)1918 3485 y(fall)39 b(the)g(SSH)h(clien)n(t)f(mac)n (hine.)71 b(Keep)38 b(in)i(mind)f(that)1918 3585 y(the)27 b(attac)n(k)g(describ)r(ed)g(is)g(only)g(feasible)g(during)g(the)g(ex-) 1918 3685 y(ploited)h(SSH)g(c)n(hannel's)f(lifetime.)1918 3963 y Fl(6)135 b(Coun)l(termeasures)1918 4146 y Fk(As)22 b(an)n(ticipated)g(ab)r(o)n(v)n(e)f(the)i(SSH)g(clien)n(t)f(host's)g(X) h(serv)n(er)1918 4245 y(needs)49 b(to)g(b)r(e)g(protected)g(against)f (unauthorized)h(ac-)1918 4345 y(cesses.)c(Unfortunately)30 b(there)g(are)g(no)g(means)g(to)h(iden-)1918 4445 y(tify)26 b(rogue)f(X)h(accesses)f(mediated)h(b)n(y)f(SSH.)i(It)f(is)g(there-) 1918 4544 y(fore)21 b(reasonable)e(to)i(disp)r(ense)h(with)g(this)g (dangerous)d(fea-)1918 4644 y(ture)27 b(of)h(SSH.)2001 4744 y(While)48 b(the)f(exploitation)g(of)g(the)g(X)h(tra\016c)f(medi-) 1918 4844 y(ation)g(directly)g(p)r(oses)g(a)g(threat)g(to)h(the)g(SSH)g (clien)n(t)1918 4944 y(mac)n(hine)33 b Fd(target.innocent)o(.or)o(g)p Fk(,)c(it)k(ma)n(y)g(indirectly)1918 5043 y(allo)n(w)54 b(attac)n(ks)h(directed)g(to)g(the)h(SSH)g(serv)n(er)e(host)p 1918 5099 V 1980 5153 a Fg(14)2045 5176 y Ff(It)22 b(is)e(assumed)g (that)j Fe(haque)f Ff(ma)n(y)e(reference)i Fe(proxy.host.org)1918 5255 y Ff(as)k Fe(proxy)p Ff(.)39 b(Otherwise)25 b Fe(xauth)i Ff(should)g(b)r(e)f(used)g(to)g(complete)h(the)1918 5334 y(name)c(of)g Fe(proxy)i Ff(to)g Fe(proxy.host.org)i Ff(in)c(\014le)h Fe(.Xauthority)p Ff(.)1980 5390 y Fg(15)2045 5413 y Ff(or)f(bad)h(|)f(ho)n(w)n(ev)n(er)i(rated)1856 5662 y Fk(6)p eop %%Page: 7 7 7 6 bop 0 531 a Fd(proxy.host.org)p Fk(.)53 b(The)36 b(passw)n(ord)d(of)i Fd(joe)e Fk(migh)n(t)i(b)r(e)0 631 y(iden)n(tical)28 b(to)h(the)g(passw)n(ord)d(of)j Fd(victim)p Fk(,)d(whic)n(h)j(in)g(case)0 731 y(of)38 b(compromise)f(of)h Fd(joe)p Fk(s)f(passw)n(ord)f(ma)n(y)i(lead)g(to)g(di-)0 830 y(rect)27 b(access)f(to)h Fd(proxy.host.org)p Fk(.)k(Consequen)n (tly)26 b(it)i(is)0 930 y(reasonable)i(to)h(prev)n(en)n(t)g(X)h (tra\016c)f(mediation)g(on)g(b)r(oth)0 1029 y(in)n(v)n(olv)n(ed)26 b(hosts.)0 1312 y Fc(6.1)112 b(Clien)m(t)36 b(mac)m(hine)0 1483 y Fk(After)22 b(ha)n(ving)f(considered)g(the)h(threat)f(p)r(osed)h (b)n(y)f(X)h(traf-)0 1583 y(\014c)38 b(mediation)f(administrators)f (migh)n(t)h(decide)h(to)f(dis-)0 1682 y(able)f(X)h(forw)n(arding.)63 b(Sometimes)36 b(administrators)f(do)0 1782 y(not)29 b(k)n(eep)f(up)h(with)g(curren)n(t)f(securit)n(y)g(practice.)40 b(In)29 b(an)n(y)0 1882 y(case)24 b(users)g(ma)n(y)g(prefer)g(not)g(to) h(rely)f(on)h(administrators)0 1981 y(to)i(protect)h(their)f(data.)0 2247 y Fj(6.1.1)94 b(Administrativ)m(e)0 2418 y Fk(When)21 b(disabling)f(X)h(mediation)g(in)g(a)f(system)g(wide)h(man-)0 2518 y(ner,)h(all)e(of)g(the)h(system's)f(users)g(will)h(b)r(e)g (protected.)34 b(This)0 2618 y(migh)n(t)21 b(b)r(e)h(p)r(erceiv)n(ed)f (as)f(a)h(dra)n(wbac)n(k)e(b)n(y)i(some)g(users)f(for)0 2717 y(they)j(no)g(longer)f(can)g(use)h(remote)f(X)i(clien)n(ts)f(and)f (had)h(no)0 2817 y(input)28 b(in)g(the)g(decision.)83 2926 y(T)-7 b(o)62 b(globally)f(disable)h(X)g(mediation)g(on)g(a)g (sys-)0 3026 y(tem,)105 b(one)89 b(sets)h Fd(ForwardX11)85 b Fk(to)k Fd(no)g Fk(in)h(\014le)0 3125 y Fd(/etc/ssh)p 357 3125 27 4 v 28 w(config)p Fk(.)223 b(P)n(aranoid)89 b(administrators)0 3225 y(ma)n(y)34 b(w)n(an)n(t)h(to)g(to)g(remo)n(v)n (e)f(X)h(forw)n(arding)e(capabilities)0 3325 y(at)50 b(compile)f(time.)104 b(This)50 b(can)f(b)r(e)i(done)e(using)g(the)0 3424 y(\015ag)100 b Fd(--disable)p 631 3424 V 28 w(client)p 923 3424 V 29 w(x11)p 1084 3424 V 30 w(forwarding)d Fk(when)0 3524 y(con\014guring)26 b(the)i(SSH)g(pac)n(k)-5 b(age.)83 3633 y(Additionally)24 b(users)f(ha)n(v)n(e)g(to)g(b)r(e)i(prev)n(en)n (ted)e(from)g(us-)0 3733 y(ing)36 b(SSH)h(clien)n(ts)e(built)i(on)f (their)g(o)n(wn.)62 b(Place)35 b(pac)n(k)n(et)0 3832 y(\014lters)204 3802 y Fh(16)305 3832 y Fk(at)30 b(y)n(our)g(b)r(order) g(routers)f(and/or)g(all)h(systems)0 3932 y(whic)n(h)h(allo)n(w)g (outgoing)f(pac)n(k)n(ets)g(destined)i(for)f(p)r(ort)h(22)0 4031 y(only)44 b(if)g(originated)f(from)h(a)g(privileged)f(p)r(ort)h (\(b)r(elo)n(w)0 4131 y(1024\).)60 b(Incoming)36 b(pac)n(k)n(ets)f (originated)f(from)i(p)r(ort)g(22)0 4231 y(are)26 b(allo)n(w)n(ed)g(to) h(pass)g(if)h(they)f(are)f(destined)i(for)f(a)g(privi-)0 4330 y(leged)g(p)r(ort)h(and)f(the)h(TCP)f Fd(ACK)p Fk(-Flag)e(is)j (set.)0 4596 y Fj(6.1.2)94 b(User)0 4767 y Fk(Securit)n(y)19 b(conscious)g(users)g(probably)f(w)n(an)n(t)h(to)h(disable)g(X)0 4867 y(forw)n(arding)g(on)i(their)g(o)n(wn.)34 b(This)22 b(can)g(b)r(e)h(accomplished)0 4967 y(temp)r(orarily)44 b(b)n(y)g(calling)h(SSH)g(with)h(the)f Fd(-x)f Fk(option.)0 5066 y(That)39 b(ma)n(y)g(b)r(e)h(reasonable)d(if)j(the)g(user)e(is)i (con)n(vinced)0 5166 y(that)25 b(most)f(of)h(his)f(remote)g(SSH)h(serv) n(ers)e(are)g(secure)h(and)p 0 5257 734 4 v 62 5311 a Fg(16)127 5334 y Ff(F)-6 b(or)26 b(an)h(in)n(tro)r(duction)h(on)e(ho)n (w)h(to)g(set)g(up)g(pac)n(k)n(et)h(\014lters)e(see)0 5413 y([W)n(C94)q(,)d(CB94,)g(Cha92)q(,)h(CZ95,)f(SH95)q(,)g(GS96)q(].) 1918 531 y Fk(X)e(access)f(normally)f(is)i(indisp)r(ensible.)35 b(Securit)n(y)21 b(mec)n(ha-)1918 631 y(nisms)k(o\013ered)g(b)n(y)g(X)g (clien)n(ts)g(should)g(b)r(e)h(activ)-5 b(ated)25 b(\(e.g.)1918 731 y(the)j Fd(Secure)41 b(Keyboard)24 b Fk(option)k(of)f Fd(xterm)p Fk(\).)2001 834 y(Setting)40 b Fd(ForwardX11)d Fk(to)j Fd(no)f Fk(in)i(\014le)f Fd(.ssh/config)1918 933 y Fk(p)r(ermanen)n(tly)27 b(protects)g(the)h(user's)f(sessions.) 2001 1036 y(Users)37 b(should)h(alw)n(a)n(ys)e(mak)n(e)i(sure)f(all)h (legitimately)1918 1136 y(forw)n(arded)26 b(connections)i(are)f(closed) h(b)r(efore)g(exiting)g(an)1918 1235 y(SSH)19 b(session.)33 b(If)19 b(there)f(are)g(still)h(forw)n(arded)d(connections)1918 1335 y(op)r(en)24 b(whic)n(h)h(w)n(ere)e(not)i(caused)e(b)n(y)i(the)f (user,)h(the)g(X)g(ses-)1918 1435 y(sion's)19 b(authen)n(tication)g (information)g(has)f(to)i(b)r(e)g(c)n(hanged)1918 1534 y(immediately)-7 b(.)79 b(This)41 b(can)g(normally)g(b)r(e)h(ac)n(hiev) n(ed)e(b)n(y)1918 1634 y(closing)30 b(the)h(X)g(session.)46 b(F)-7 b(urthermore)29 b(the)j(host)e(origi-)1918 1733 y(nating)21 b(the)h(forw)n(arded)e(connection)i(shall)f(b)r(e)h(noted)g (and)1918 1833 y(the)28 b(administrator)e(b)r(e)i(informed)f(ab)r(out)h (the)g(inciden)n(t.)1918 2083 y Fc(6.2)112 b(Serv)m(er)38 b(mac)m(hine)1918 2242 y Fk(As)30 b(stated)h(ab)r(o)n(v)n(e)e(a)h (compromise)f(of)h(an)g(X)h(clien)n(t)f(ma)n(y)1918 2342 y(result)21 b(in)g(an)g(attac)n(k)f(on)g(the)i(SSH)g(serv)n(er)d(mac)n (hine.)34 b(F)-7 b(ur-)1918 2442 y(thermore,)38 b(rogue)e(users)g(of)i (the)f(SSH)h(serv)n(er)d(are)h(pre-)1918 2541 y(v)n(en)n(ted)31 b(to)h(engage)f(in)h(attac)n(ks)f(based)g(on)h(X11)f(against)1918 2641 y(the)d(clien)n(t)f(mac)n(hines.)1918 2874 y Fj(6.2.1)94 b(Administrativ)m(e)1918 3034 y Fk(T)-7 b(o)74 b(protect)h(the)g (remote)f(clien)n(ts)h(and)f(the)h(ad-)1918 3133 y(ministered)50 b(mac)n(hine,)55 b(administrators)49 b(ma)n(y)g(disable)1918 3233 y(X)54 b(forw)n(arding)e(b)n(y)i(setting)g Fd(X11Forwarding)49 b Fk(to)k Fd(no)1918 3332 y Fk(in)72 b(\014le)f Fd(/etc/sshd)p 2637 3332 27 4 v 28 w(config)p Fk(.)167 b(Additionally)71 b(the)1918 3432 y Fd(--disable)p 2319 3432 V 27 w(server)p 2610 3432 V 29 w(x11)p 2771 3432 V 31 w(forwarding)47 b Fk(\015ag)j(ma)n(y)g(b)r(e)1918 3532 y(used)28 b(when)h (con\014guring)e(the)j(SSH)f(pac)n(k)-5 b(age)27 b(to)h(remo)n(v)n(e) 1918 3631 y(the)g(X)g(mediation)f(feature)g(at)h(compile)f(time.)1918 3923 y Fl(7)135 b(Discussion)1918 4111 y Fk(It)36 b(is)f(to)h(b)r(e)g (p)r(oin)n(ted)g(out)g(explicitly)-7 b(,)38 b(that)e(the)g(attac)n(k) 1918 4211 y(describ)r(ed)h(is)g(not)g(merely)f(enabled)h(b)n(y)g (inappropriate)1918 4311 y(securit)n(y)23 b(mec)n(hanisms)g(in)h(the)g (Secure)g(Shell.)36 b(The)24 b(main)1918 4410 y(culprit)d(is)g(the)g (X11)g(windo)n(w)f(system.)35 b(F)-7 b(urther)21 b(vulnera-)1918 4510 y(bilities)e(of)g(NFS)h(or)e(p)r(ossibly)g(other)g(system)h(comp)r (onen)n(ts)1918 4609 y(con)n(tribute)27 b(to)g(the)h(feasibilit)n(y)g (of)f(the)h(attac)n(k.)2001 4712 y(Nev)n(ertheless)e(SSH)j(is)e(rep)r (onsible)h(for)f(binding)h(these)1918 4812 y(comp)r(onen)n(ts)33 b(in)i(a)e(w)n(a)n(y)-7 b(,)35 b(so)e(that)h(the)h(SSH)f(clien)n(t)h (sys-)1918 4912 y(tem)29 b(b)r(ecomes)g(vulnerable)f(to)g(remote)h (attac)n(ks,)f(ev)n(en)g(if)1918 5011 y(it)34 b(do)r(es)g(not)h(supp)r (ort)f(incoming)g(remote)f(sessions)g(lik)n(e)1918 5111 y(telnet,)28 b(rlogin,)f(ssh,)g(etc.)2001 5214 y(One)18 b(further)h(problem)f(is)g(created)g(b)n(y)h(the)g(SSH)g(abilit)n(y) 1918 5313 y(of)24 b(tra\016c)g(mediation.)36 b(Ev)n(en)24 b(if)h(traditional)e(a)n(v)n(en)n(ues)g(for)1918 5413 y(remote)34 b(access)g(ha)n(v)n(e)f(b)r(een)j(administrativ)n(ely)d (blo)r(c)n(k)n(ed)1856 5662 y(7)p eop %%Page: 8 8 8 7 bop 0 531 a Fk(\(for)33 b(example)g(b)n(y)g(using)h(pac)n(k)n(et)e (\014lters)h(and/or)f(wrap-)0 631 y(p)r(ers)23 b([V)-7 b(en92)o(]\),)25 b(those)e(services)f(can)g(successfully)h(b)r(e)h(ac-) 0 731 y(cessed)31 b(through)g(SSH)h(c)n(hannels)f(when)g(SSH's)h (services)0 830 y(are)38 b(o\013ered.)69 b(If)39 b(used)f(delib)r (erately)-7 b(,)41 b(the)e(user)f(has)g(to)0 930 y(sp)r(ecify)26 b(the)g(connection)f(to)g(b)r(e)h(forw)n(arded,)e(so)h(the)g(user)0 1029 y(con)n(trols)33 b(what)i(can)f(b)r(e)h(done)f(to)h(the)g(SSH)g (clien)n(t)f(ma-)0 1129 y(c)n(hine.)h(The)22 b(problem)g(arises)f(when) i(tra\016c)e(is)i(forw)n(arded)0 1229 y(without)d(the)h(kno)n(wledge)d (of)i(the)h(user,)g(whic)n(h)f(is)f(the)i(case)0 1328 y(with)28 b(X)g(tra\016c.)83 1428 y(The)h(measuremen)n(ts)f(prop)r (osed)g(in)i(section)e(6)h(do)g(not)0 1528 y(en)n(tirely)41 b(prev)n(en)n(t)f(users)g(from)h(setting)h(up)f(their)g(o)n(wn)0 1627 y(SSH)c(serv)n(er)406 1597 y Fh(17)510 1627 y Fk(somewhere)e(and)h (using)g(it.)62 b(The)36 b(same)0 1727 y(applies)42 b(to)g(other)f (tunneling)i(tec)n(hniques.)80 b(Ho)n(w)n(ev)n(er,)0 1826 y(the)35 b(users)e(ha)n(v)n(e)g(already)f(had)i(this)h(option)f(b) r(efore)f(the)0 1926 y(installation)27 b(of)h(SSH.)0 2199 y Fl(8)135 b(Ac)l(kno)l(wledgemen)l(ts)0 2381 y Fk(I)28 b(wish)g(to)f(thank)h(Andrew)g(D.)g(Isaacson,)f(Monik)-5 b(a)27 b(Lud-)0 2480 y(wig,)53 b(Da)n(vin)48 b(Milun,)54 b(Emily)48 b(Ratli\013,)54 b(Dieter)49 b(Stolte,)0 2580 y(Da)n(v)n(e)18 b(T)-7 b(a)n(ylor)18 b(and)h(Marc)f(Zimmermann)h(for)f (their)h(useful)0 2680 y(suggestions)26 b(ab)r(out)h(draft)h(v)n (ersions)e(of)h(this)h(pap)r(er.)0 2952 y Fl(References)0 3134 y Fk([Ala93])96 b(Kannan)42 b(Alagappan.)81 b Fa(RF)n(C1412:)68 b(T)-6 b(elnet)353 3234 y(A)n(uthentic)l(ation:)37 b(SPX)p Fk(.)31 b(Digital)24 b(Equipmen)n(t)353 3333 y(Corp)r(oration,)i(Jan)n (uary)f(1993.)0 3495 y([A)n(tk95a])45 b(Randall)59 b(A)n(tkinson.)133 b Fa(RF)n(C1825:)100 b(Se)l(cu-)353 3595 y(rity)37 b(A)n(r)l(chite)l (ctur)l(e)f(for)i(the)f(Internet)f(Pr)l(oto-)353 3694 y(c)l(ol)p Fk(.)51 b(Na)n(v)-5 b(al)32 b(Researc)n(h)f(Lab)r(oratory)-7 b(,)31 b(August)353 3794 y(1995.)0 3956 y([A)n(tk95b])41 b(Randall)21 b(A)n(tkinson.)26 b Fa(RF)n(C1826:)37 b(IP)24 b(A)n(uthen-)353 4055 y(tic)l(ation)30 b(He)l(ader)p Fk(.)37 b(Na)n(v)-5 b(al)27 b(Researc)n(h)f(Lab)r(ora-)353 4155 y(tory)-7 b(,)27 b(August)h(1995.)0 4316 y([A)n(tk95c])50 b(Randall)29 b(A)n(tkinson.)41 b Fa(RF)n(C1827:)j(IP)31 b(Enc)l(ap-)353 4416 y(sulating)37 b(Se)l(curity)g(Paylo)l(ad)i (\(ESP\))p Fk(.)61 b(Na)n(v)-5 b(al)353 4516 y(Researc)n(h)26 b(Lab)r(oratory)-7 b(,)25 b(August)j(1995.)0 4677 y([Bel94])104 b(Stev)n(en)28 b(M.)h(Bello)n(vin.)38 b Fa(RF)n(C1579:)k(Fir)l(ewal)t (l-)353 4777 y(F)-6 b(riend)t(ly)37 b(FTP)p Fk(.)59 b(A)-7 b(T&T)35 b(Researc)n(h,)g(F)-7 b(ebru-)353 4877 y(ary)26 b(1994.)p 0 4942 734 4 v 62 4995 a Fg(17)127 5019 y Ff(If)f(the)h(c)n (hosen)h(SSH)e(serv)n(er)g(mac)n(hine)g(allo)n(ws)g(incoming)f(con-)0 5098 y(nections)32 b(to)f(unprivileged)g(p)r(orts,)i(users)d(can)h (install)g(their)f(o)n(wn)0 5176 y(serv)n(ers.)40 b(Often)27 b(systems)f(are)h(con\014gured)h(to)f(allo)n(w)g(normal)e(\(ac-)0 5255 y(tiv)n(e\))e(FTP)f(sessions,)g(whic)n(h)g(in)g(most)f(cases)i (results)f(in)g(unlimited)0 5334 y(access)c(to)g(most)e(of)h(the)h (unprivileged)f(p)r(ort)h(n)n(um)n(b)r(ers)e([Bel94,)i(RF)n(C)0 5413 y(1579].)1918 531 y Fk([Bor93a])47 b(Da)n(vid)23 b(A.)i(Borman.)30 b Fa(RF)n(C1411:)38 b(T)-6 b(elnet)27 b(A)n(u-)2271 631 y(thentic)l(ation:)56 b(Kerb)l(er)l(os)38 b(V)-6 b(ersion)38 b(4)p Fk(.)65 b(Cra)n(y)2271 731 y(Researc)n(h,)26 b(Inc.,)i(Jan)n(uary)d(1993.)1918 919 y([Bor93b])43 b(Da)n(vid)23 b(A.)i(Borman.)30 b Fa(RF)n(C1416:)38 b(T)-6 b(elnet)27 b(A)n(u-)2271 1018 y(thentic)l(ation)f(Option)p Fk(.)31 b(Cra)n(y)22 b(Researc)n(h,)g(Inc.,)2271 1118 y(F)-7 b(ebruary)26 b(1993.)1918 1306 y([CB94])104 b(William)60 b(R.)g(Cheswic)n(k)f(and)h(Stev)n(en)f(M.)2271 1406 y(Bello)n(vin.)25 b Fa(Fir)l(ewal)t(ls)h(and)e(Internet)e(Se)l(curity:)2271 1505 y(r)l(ep)l(el)t(ling)i(the)f(wily)i(hacker)p Fk(.)h(Addison-W)-7 b(esley)2271 1605 y(Professional)26 b(Computing)i(Series.)g(Addison-) 2271 1705 y(W)-7 b(esley)g(,)58 b(Reading,)g(Massac)n(h)n(usetts,)e (third)2271 1804 y(edition,)27 b(July)h(1994.)1918 1993 y([Cha92])75 b(D.)23 b(Bren)n(t)f(Chapman.)28 b(Net)n(w)n(ork)22 b(\(in\)securit)n(y)2271 2092 y(through)34 b(IP)g(pac)n(k)n(et)f (\014ltering.)58 b(In)34 b Fa(Pr)l(o)l(c)l(e)l(e)l(d-)2271 2192 y(ings)46 b(of)h(the)f(Thir)l(d)h(USENIX)e(Unix)h(Se)l(cu-)2271 2291 y(rity)29 b(Symp)l(osium)p Fk(,)f(pages)f(63{76,)e(Baltimore,)2271 2391 y(MD,)j(Septem)n(b)r(er)g(1992.)1918 2579 y([Cur92])84 b(Da)n(vid)39 b(A.)g(Curry)-7 b(.)71 b Fa(Unix)40 b(system)g(se)l (curity:)2271 2679 y(a)29 b(guide)h(for)g(users)e(and)i(system)f (administr)l(a-)2271 2778 y(tors)p Fk(.)48 b(Addison-W)-7 b(esley)30 b(Professional)f(Com-)2271 2878 y(puting)34 b(Series.)e(Addison-W)-7 b(esley)g(,)35 b(Reading,)2271 2978 y(Massac)n(h)n(usetts,)26 b(Ma)n(y)g(1992.)1918 3166 y([CZ95])112 b(D.)55 b(Bren)n(t)g(Chapman)f(and)h(Elizab)r(eth)g (D.)2271 3266 y(Zwic)n(ky)-7 b(.)47 b Fa(Building)34 b(Internet)e(Fir)l(ewal)t(ls)p Fk(.)50 b(In-)2271 3365 y(ternet)e(Securit)n(y)-7 b(.)47 b(O'Reilly)h(&)g(Asso)r(ciates,)2271 3465 y(Inc.,)61 b(103)53 b(Morris)f(Street,)61 b(Suite)55 b(A,)g(Se-)2271 3564 y(bastop)r(ol,)27 b(CA)g(95472,)f(No)n(v)n(em)n(b) r(er)g(1995.)1918 3753 y([dari96])79 b(daemon9)44 b(a.k.a)h(route)g (and)h(in\014nit)n(y)-7 b(.)91 b(IP-)2271 3852 y(sp)r(o)r(o\014ng)37 b(dem)n(ysti\014ed)h(-)g(trust-relationship)2271 3952 y(exploitation.)94 b Fa(Phr)l(ack)48 b(Inc.)p Fk(,)53 b(7\(48\),)e(July)2271 4051 y(1996.)1918 4240 y([FV93])107 b(Dan)21 b(F)-7 b(armer)20 b(and)h(Wietse)h(Zw)n(eitze)f(V)-7 b(enema.)2271 4339 y(Impro)n(ving)43 b(the)j(securit)n(y)e(of)i(y)n (our)e(site)h(b)n(y)2271 4439 y(breaking)26 b(in)n(to)h(it,)h(1993.) 1918 4627 y([GS96])112 b(Simson)61 b(Gar\014nk)n(el)f(and)i(Gene)f (Spa\013ord.)2271 4727 y Fa(Pr)l(actic)l(al)53 b(UNIX)e(and)i(Internet) e(Se)l(curity)p Fk(.)2271 4826 y(Computer)61 b(Securit)n(y)-7 b(.)61 b(O'Reilly)g(&)g(Asso-)2271 4926 y(ciates,)27 b(Inc.,)h(second)f(edition,)g(April)h(1996.)1918 5114 y([HM96])85 b(Neil)37 b(Haller)f(and)h(Craig)f(Metz.)64 b Fa(RF)n(C1938:)2271 5214 y(A)52 b(One-Time)g(Passwor)l(d)i(System)p Fk(.)109 b(Bell-)2271 5313 y(core;)32 b(Kaman)f(Sciences)g(Corp)r (oration,)f(Ma)n(y)2271 5413 y(1996.)1856 5662 y(8)p eop %%Page: 9 9 9 8 bop 0 531 a Fk([Jon95])92 b(Lauren)n(t)36 b(Jonc)n(hera)n(y)-7 b(.)61 b(A)37 b(simple)f(activ)n(e)g(at-)353 631 y(tac)n(k)30 b(against)g(TCP.)46 b(In)31 b Fa(Pr)l(o)l(c)l(e)l(e)l(dings)j(of)g(the) 353 731 y(Fifth)24 b(USENIX)e(Unix)h(Se)l(curity)f(Symp)l(osium)p Fk(,)353 830 y(Salt)28 b(Lak)n(e)e(Cit)n(y)-7 b(,)28 b(Utah,)g(June)f(1995.)0 996 y([Kla95])93 b(Christopher)26 b(Klaus.)36 b(Sni\013er)28 b(F)-9 b(A)n(Q,)27 b(1995.)0 1162 y([Kla97])93 b(Christopher)32 b(Klaus.)52 b(Bac)n(kdo)r(ors.)e (bugtraq)353 1262 y(mailing)27 b(list,)h(1997.)0 1428 y([Lin96])102 b(John)21 b(Linn.)28 b Fa(RF)n(C1964:)37 b(The)26 b(Kerb)l(er)l(os)f(V)-6 b(er-)353 1528 y(sion)25 b(5)g(GSS-API)e(Me)l(chanism)p Fk(.)29 b(Op)r(enVision)353 1627 y(T)-7 b(ec)n(hnologies,)26 b(June)h(1996.)0 1793 y([No)n(w89])61 b(Bill)36 b(No)n(wic)n(ki.)62 b Fa(RF)n(C1094:)57 b(NFS:)38 b(Network)353 1893 y(File)d(System)f(Pr)l(oto)l(c)l(ol)h(Sp)l (e)l(ci\014c)l(ation)p Fk(.)52 b(SUN)353 1993 y(Microsystems,)26 b(Inc.,)i(Marc)n(h)e(1989.)0 2159 y([One96])75 b(Aleph)35 b(One.)58 b(Smashing)35 b(the)g(stac)n(k)f(for)g(fun)353 2258 y(and)25 b(pro\014t.)32 b Fa(Phr)l(ack)c(Inc.)p Fk(,)e(7\(49\),)f(No)n(v)n(em)n(b)r(er)353 2358 y(1996.)0 2524 y([Sc)n(h87])96 b(Rob)r(ert)27 b(W.)h(Sc)n(hei\015er.)37 b Fa(RF)n(C1013:)j(X)29 b(WIN-)353 2623 y(DO)n(W)72 b(SYSTEM)h(PR)n (OTOCOL,)g(VER-)353 2723 y(SION)52 b(11)p Fk(.)116 b(Massac)n(h)n (usetts)51 b(Institute)k(of)353 2823 y(T)-7 b(ec)n(hnology)g(,)66 b(Lab)r(oratory)56 b(for)j(Computer)353 2922 y(Science,)27 b(alpha)g(edition,)h(April)g(1987.)0 3088 y([SH95])115 b(Karanjit)55 b(Siy)n(an)g(and)g(Chris)h(Hare.)119 b Fa(In-)353 3188 y(ternet)48 b(Fir)l(ewal)t(ls)k(and)d(Network)h(Se)l (curity)p Fk(.)353 3288 y(New)35 b(Riders)f(Publishing,)i(201)d(W)-7 b(est)35 b(103rd)353 3387 y(Street,)28 b(Indianap)r(olis,)f(IN)g (46290,)f(1995.)0 3553 y([vD91])116 b(Leendert)39 b(v)-5 b(an)40 b(Do)r(orn.)72 b(Computer)39 b(break-)353 3653 y(ins:)e(A)28 b(case)e(study)-7 b(,)28 b(1991.)0 3819 y([V)-7 b(en92])85 b(Wietse)49 b(Zw)n(eitze)g(V)-7 b(enema.)101 b(TCP)49 b(W)-7 b(rap-)353 3919 y(p)r(er:)85 b(Net)n(w)n(ork)50 b(monitoring,)57 b(access)51 b(con-)353 4018 y(trol)34 b(and)g(b)r(o)r(ob)n(y)g(traps.)56 b(In)35 b Fa(Pr)l(o)l(c)l(e)l(e)l (dings)i(of)353 4118 y(the)k(Thir)l(d)h(USENIX)e(Unix)h(Se)l(curity)f (Sym-)353 4218 y(p)l(osium)p Fk(,)60 b(pages)52 b(85{92,)58 b(Baltimore,)g(MD,)353 4317 y(Septem)n(b)r(er)28 b(1992.)0 4483 y([W)n(C94])80 b(John)51 b(P)-7 b(.)50 b(W)-7 b(ac)n(k)51 b(and)g(Lisa)f(J.)h(Carnahan.)353 4583 y(Keeping)19 b(y)n(our)g(site)g (comfortably)g(secure:)32 b(An)353 4682 y(in)n(tro)r(duction)i(to)h(in) n(ternet)f(\014rew)n(alls.)56 b(NIST)353 4782 y(Sp)r(ecial)29 b(Publication)f(800-10,)f(U.S.)i(Depart-)353 4882 y(men)n(t)e(of)h (Commerce,)e(National)h(Institute)h(of)353 4981 y(Standards)f(and)g(T) -7 b(ec)n(hnology)g(,)26 b(1994.)0 5147 y([Ylo97])96 b(T)-7 b(atu)34 b(Ylonen.)55 b(Ov)n(erview)32 b(of)h(Secure)g(Shell,) 353 5247 y(1997.)1856 5662 y(9)p eop %%Trailer end userdict /end-hook known{end-hook}if %%EOF