Current-Users archive


Re: Xorg and X11 forwarding via ssh



On Thu, 19 Jun 2008 14:44:05 +0200
Rhialto <rhialto%falu.nl@localhost> wrote:

> On Thu 19 Jun 2008 at 08:25:35 +0200, Michael van Elst wrote:
> > For some environments this might be ok, but in general, you need to
> > use xdm or create a cookie manually with xauth.
> 
> There is another advantage to starting X from xdm, that I noticed.
> 
> If you start X manually with "startx", and someone has physical access
> to your screen/keyboard, even having a screen locker does not protect
> you against the attacker accessing a shell as you.
> 
> They can switch to text consoles, in particular the one you started X
> from, and suspend the whole X server and thereby get access to a shell
> running as you.
> 
> If you start from xdm or similar, there is no such shell available.
> 
For a number of reasons, I don't want to run xdm; what I do on
physically vulnerable machines is something like this

                echo -n Starting X
                sleep 1; echo -n .
                sleep 1; echo -n .
                exec ssh-agent xinit

in my .profile.  The exec means that if the X server exits, you get a
login prompt.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb
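
Added example, not part of the original message: the effect of the exec in the .profile fragment above, with `sleep 3` standing in for `ssh-agent xinit`. It compares what is running under the shell's PID with and without exec; the helper names `pid_comm` and `left_under_shell_pid` are hypothetical.

```shell
#!/bin/sh
# Added illustration (not from the original message): what is left running
# under the shell's PID with and without "exec".
# "sleep 3" is a stand-in for "ssh-agent xinit"; pid_comm and
# left_under_shell_pid are hypothetical helper names.

# Print the command name of a PID (Linux /proc first, then ps).
pid_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" | sed 's|.*/||'
    fi
}

# $1 = "exec": the child shell replaces itself with the command.
# $1 = "fork": the child shell runs the command and waits for it.
left_under_shell_pid() {
    if [ "$1" = exec ]; then
        sh -c 'exec sleep 3' >/dev/null 2>&1 &
    else
        # The trailing ":" stops shells that exec the last command on
        # their own from hiding the difference.
        sh -c 'sleep 3; :' >/dev/null 2>&1 &
    fi
    pid=$!
    sleep 1                      # give the child time to start its command
    pid_comm "$pid"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

echo "with exec:    $(left_under_shell_pid exec)"
echo "without exec: $(left_under_shell_pid fork)"
```

With exec, the PID that was the shell is the command itself, so when that command exits the session is over and the console returns to a login prompt; without it, a shell is still sitting underneath.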

