X11Forwarding
if enabled in an SSH
server will allow a connecting client to tunnel a graphical program executed on the server to be displayed on the client.
There could be some security risk associated with forwarding X
or display over SSH
but with proper mitigations the risk could be minimised.
X11Forwarding
Specifies whether X11 forwarding is permitted. The argument must be yes or no. The default is no.
When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd(8) proxy display is configured to listen on the wildcard address (see X11UseLocalhost), though this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client's X11 display server maybe exposed to attack when the SSH client requests forwarding(see the warnings for ForwardX11 in ssh_config(5)). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a no setting.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.
X
display forwarding could be enabled or disabled by configuring X11Forwarding
directive in SSHd
configuration file on the SSH
server.
sshd
configuration file using favourite text editor. $ sudo vi /etc/ssh/sshd_config [sudo] password for user:
X11Forwarding
directive and set the option to no
to disallow X
forwarding and yes
to allow. X11Forwarding no
Add the line if it doesn't already exist and remove the #
at the beginning of the line if exists.
SSH
server service for the changes to take effect. $ sudo systemctl restart sshd
Comment anonymously. Login not required.