Current-Users archive
Re: Xorg and X11 forwarding via ssh
On Thu, 19 Jun 2008 14:44:05 +0200
Rhialto <rhialto%falu.nl@localhost> wrote:
> On Thu 19 Jun 2008 at 08:25:35 +0200, Michael van Elst wrote:
> > For some environments this might be ok, but in general, you need to
> > use xdm or create a cookie manually with xauth.
>
> There is another advantage to starting X from xdm, that I noticed.
>
> If you start X manually with "startx", and someone has physical access
> to your screen/keyboard, even having a screen locker does not protect
> you against the attacker accessing a shell as you.
>
> They can switch to text consoles, in particular the one you started X
> from, and suspend the whole X server and thereby get access to a shell
> running as you.
>
> If you start from xdm or similar, there is no such shell available.
>
For a number of reasons, I don't want to run xdm; what I do on
physically vulnerable machines is something like this

    echo -n Starting X
    sleep 1; echo -n .
    sleep 1; echo -n .
    exec ssh-agent xinit

in my .profile. The exec means that if the X server exits, you get a
login prompt.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
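
An added example, not part of the original message: the same exec-based start guarded so that it only fires for a login on a local virtual console, since an unconditional exec in .profile also runs for every other login shell, including ssh logins. The helper name want_x and the console device patterns are assumptions; adjust them for your system.

```shell
# Added example for ~/.profile; want_x is a hypothetical helper name.
# Returns 0 only when this login should hand itself over to X.
#   $1 = tty name as printed by tty(1)
#   $2 = current $DISPLAY, $3 = current $SSH_CONNECTION
want_x() {
    # Already inside an X session (e.g. a login shell in an xterm).
    [ -z "$2" ] || return 1
    # Remote login over ssh: never start a local X server for it.
    [ -z "$3" ] || return 1
    # Local virtual consoles only. Device names are assumptions:
    # /dev/ttyE* (NetBSD wscons), /dev/tty1.. (Linux VTs).
    case $1 in
        /dev/ttyE[0-9]*|/dev/tty[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

if want_x "$(tty 2>/dev/null)" "${DISPLAY:-}" "${SSH_CONNECTION:-}" &&
   command -v xinit >/dev/null 2>&1; then
    echo -n Starting X
    sleep 1; echo -n .
    sleep 1; echo -n .
    # exec replaces the login shell: when X exits or is killed, the
    # session ends and getty shows a login prompt, not a shell.
    exec ssh-agent xinit
fi
```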