Strange DISPLAYs in xauth

aryzhov
Jul 17, 2009, 9:06:13 AM

Hello All,

I have a Solaris 10 machine that can access Internet via NAT
(masquerading) firewall on another machine.
There is no RDR back to this machine from the outside world.

This Solaris machine runs sshd2 (tectia) on a non-standard port, which
is blocked by the firewall, and is only accessible via intranet interfaces
(other NICs with no access to the firewall/internet).

All unix commands like "last" show logins only from the internal
network.
However, "xauth list" shows the tunnelled X11 displays associated with
external alien IP addresses.

Could someone please try to explain, how is it possible? Speculations
are welcome.

Thanks,
Andrei

Todd H.
Jul 19, 2009, 12:50:24 PM

aryzhov <ary...@spasu.net> writes:

Assuming another machine on the internal network CAN be accessed
inbound from the outside world, one non-panic scenario would be that
users have ssh'd in from another internal box (via vpn or allowed ssh
from the internet to that other internal box), ssh'd to your Solaris
box, then pushed X displays back to their IP address (by manually
setting DISPLAY environment variables).

If your sshd allows X11 forwarding, however, this would be Weird(tm)
because anyone who cares about their connection not being sniffed
along the way would push that X traffic over an ssh X forwarding
tunnel. If this is a shared use box, one might search internal web
pages to see if anyone's documented a procedure for setting DISPLAY
variables if you see this happening en masse. If this is a university
machine, stuff like this seems to happen a lot.

Now the panic scenarios:

If the IPs are VERY foreign, as in no legit user should be in those
geographies.

Box could be partially trojaned and the OS level commands are not all
telling you the truth.


--
Todd H.
http://www.toddh.net/

aryzhov
Jul 20, 2009, 9:44:55 AM

> Assuming another machine on the internal network CAN be accessed
> inbound from the outside world, one non-panic scenario would be that
> users have ssh'd in from another internal box (via vpn or allowed ssh
> from the internet to that other internal box), ssh'd to your Solaris
> box, then pushed X displays back to their IP address (by manually
> setting DISPLAY environment variables).

Nah, why would it then appear in xauth?
My understanding was that if someone manually sets DISPLAY in shell,
it just uses an IP address, and no additional authentication on the X
client side (on my Solaris box, in this case).

> If your sshd allows X11 forwarding, however, this would be Weird(tm)

Ah-ha...
I indeed have played with WeirdX a while ago, not exactly from this
box, but may have forwarded some connections via ssh tunnel.
This must be it. Thanks a lot for the hint!

> Now the panic scenarios:
>
> If the IPs are VERY foreign, as in no legit user should be in those
> geographies.
>
> Box could be partially trojaned and the OS level commands are not all
> telling you the truth.
>

Yes, the addresses are VERY foreign, and the box is VERY private.
Is it correct to assume that an entry like x.y.z.h:11:0 is added to
xauth only after a successful ssh login?

Now, I'll start questioning all my sshd's that were considered secure
enough before: only public key auth, no root login, no TCP forwarding
except X11, etc...
Looks like they still can break it ((
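The question in the last post (whether an xauth entry for a foreign display implies an ssh login) is one an admin can at least partially check with data the box already has: `xauth list` on one side, the wtmpx login history from `last` on the other. The script below is an added example and is not part of the original thread or of any Solaris or OpenSSH/Tectia tool. It assumes the admin pastes in the output of `xauth list` and of `last -a` (with `-a`, Solaris prints the remote host in the last column); the sample output, the hostname `solaris10`, the 10.0.0.0/8 "internal" range and the 203.0.113.45 address are all constructed. Entries for `hostname/unix:N` are the ones sshd writes for a forwarded display; a display whose host never appears in the login history is the case worth investigating, as is one cookie value reused under different host names, which means a credential was copied rather than created.

```python
"""Cross-check `xauth list` entries against `last -a` login records.

Added example with constructed sample data. xauth stores no owner or
timestamp, so this cannot prove how an entry got there; it only sorts
entries into local / seen-in-logins / unseen buckets for follow-up.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed `xauth list` output (203.0.113.0/24 is a documentation range).
SAMPLE_XAUTH = """\
solaris10/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
solaris10:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
203.0.113.45:11  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210
10.1.2.3:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
10.1.2.77:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
"""

# Constructed `last -a` output; remote host is the last column.
SAMPLE_LAST = """\
andrei    pts/3        Fri Jul 17 08:55   still logged in   10.1.2.3
andrei    pts/2        Thu Jul 16 19:02 - 22:10  (03:08)    10.1.2.3
bob       pts/1        Wed Jul 15 11:30 - 12:00  (00:30)    10.1.2.99

wtmp begins Wed Jul  1 00:00
"""

# host[/unix]:display[.screen]  protocol  cookie
XAUTH_RE = re.compile(
    r"^(?P<host>[^\s:/]+)(?P<unix>/unix)?:(?P<display>\d+)(?:\.\d+)?"
    r"\s+(?P<proto>\S+)\s+(?P<cookie>\S+)\s*$"
)


@dataclass(frozen=True)
class XauthEntry:
    host: str
    display: int
    local_socket: bool  # True for host/unix:N entries (sshd-style forwarding)
    proto: str
    cookie: str

    def name(self):
        return f"{self.host}{'/unix' if self.local_socket else ''}:{self.display}"


def parse_xauth(text):
    """Parse `xauth list` lines; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = XAUTH_RE.match(line.strip())
        if m:
            entries.append(XauthEntry(m["host"], int(m["display"]),
                                      m["unix"] is not None, m["proto"], m["cookie"]))
    return entries


def parse_last_hosts(text):
    """Collect remote hosts from `last -a` output, skipping the wtmp trailer."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "wtmp":
            continue
        hosts.add(fields[-1])
    return hosts


def classify(entry, local_hostname, internal_nets, login_hosts):
    """local | internal-seen | internal-unseen | external-seen | external-unseen."""
    if entry.local_socket or entry.host == local_hostname:
        return "local"
    try:
        addr = ipaddress.ip_address(entry.host)
    except ValueError:
        addr = None  # a hostname literal; only the login history can vouch for it
    internal = addr is not None and any(addr in net for net in internal_nets)
    seen = entry.host in login_hosts
    return f"{'internal' if internal else 'external'}-{'seen' if seen else 'unseen'}"


def shared_cookies(entries):
    """Cookie values that appear under more than one host name."""
    by_cookie = defaultdict(set)
    for e in entries:
        by_cookie[e.cookie].add(e.host)
    return {c: hosts for c, hosts in by_cookie.items() if len(hosts) > 1}


def audit(xauth_text, last_text, local_hostname, internal_cidrs):
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    login_hosts = parse_last_hosts(last_text)
    return {e.name(): classify(e, local_hostname, nets, login_hosts)
            for e in parse_xauth(xauth_text)}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_XAUTH, SAMPLE_LAST, "solaris10", ["10.0.0.0/8"]).items():
        print(f"{name:24} {verdict}")
    for cookie, hosts in shared_cookies(parse_xauth(SAMPLE_XAUTH)).items():
        print(f"cookie {cookie} shared by {sorted(hosts)}")
```

On the constructed data the 203.0.113.45:11 entry comes out `external-unseen`, which is the combination the thread is worried about; 10.1.2.77:0 is `internal-unseen` and also shares its cookie with the local solaris10 entries. Real output from `last` should be read with the same caution the second post gives: it comes from wtmpx, which a compromised box can be made to edit, so an "unseen" verdict is a prompt for a look at the sshd logs and the users' shell histories, not a conclusion.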
