Make sure X11Forwarding is disabled


The X11Forwarding parameter provides the ability to tunnel X11 traffic through the SSH connection to enable remote graphical sessions. The X11 protocol was never built with security in mind. Because forwarding opens up a channel back to the client, the server could send malicious commands back to the client.

This feature should only be used in very specific cases.

It is disabled by default. This test ensures the default configuration is in place.

Why you should not enable X11Forwarding

The security risk of using X11 forwarding is that the client’s X11 display server may be exposed to attack when the SSH client requests forwarding.

To start the connection, the SSH server accepts an X11 authentication credential from the client. This credential is supplied to the xauth utility to establish it for the X11 applications that the user runs. But the contents of the credential's components are not sanitized to exclude meta-characters, so an attacker can supply a credential that injects commands into xauth.

The attacker could use several xauth commands to read or overwrite arbitrary files (subject to file permissions), connect to local ports, or perform attacks on xauth itself. This can lead to several types of attacks, such as intercepting or injecting keystrokes and mouse movements.

To avoid that and harden the service, X11Forwarding must be disabled.

How to disable X11Forwarding

You need to delete the line containing X11Forwarding, since the default value is the correct one, or change its value to no. First check whether the main configuration file defines it:

grep X11Forwarding /etc/ssh/sshd_config

If the output isn't empty, the argument is present in the file. Edit the file /etc/ssh/sshd_config and replace the current X11Forwarding value with no, or just remove the line.

If the output is empty, this argument could still be defined in a .conf file at /etc/ssh/sshd_config.d/. Check there too:

grep X11Forwarding /etc/ssh/sshd_config.d/*.conf

The /etc/ssh/sshd_config.d/ directory doesn't exist on Ubuntu 18.04; you only need to check it if you're using Ubuntu 20.04 or more recent.

If the output isn’t empty, edit the file where the argument is defined, changing its value to no.

If you couldn’t find the argument definition anywhere, and it is still enabled, edit the file /etc/ssh/sshd_config and include the following line:

X11Forwarding no

Finally, restart the SSHD service:

sudo systemctl restart sshd
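The whole procedure above (check the main file, check the drop-in directory, neutralise any definition, set the value to no) collected into two shell functions, as an added example that is not part of the original guide. It takes the config file and drop-in directory as parameters so it can be exercised on constructed files; on a real host you would pass /etc/ssh/sshd_config and /etc/ssh/sshd_config.d and run it as root. It assumes the Ubuntu 20.04+ layout where an Include at the top of sshd_config pulls in sshd_config.d/*.conf, and it only evaluates global directives, ignoring anything after a Match line.

```shell
#!/bin/sh
# Added example, not part of the original guide. Audits and fixes the
# X11Forwarding keyword across an sshd configuration tree: the main file
# plus the *.conf drop-ins in a sshd_config.d directory. Paths are
# parameters so the functions can be run against constructed files.

# Print the global X11Forwarding value ("yes" or "no") sshd would use.
# Assumptions: drop-ins are pulled in by an "Include sshd_config.d/*.conf"
# at the top of the main file (Ubuntu 20.04+ layout), so they are read
# first and, because sshd keeps the FIRST value it sees for a keyword,
# they win over the main file. Keywords are case-insensitive, both
# "key value" and "key=value" are accepted, and anything after a Match
# line is conditional and therefore ignored here.
x11_effective() {
    main="$1"; dropin_dir="$2"
    for f in "$dropin_dir"/*.conf "$main"; do
        [ -f "$f" ] || continue
        v=$(awk '
            { l = $0; sub(/^[ \t]+/, "", l); n = split(l, a, /[ \t=]+/) }
            n >= 1 && tolower(a[1]) == "match" { inmatch = 1 }
            !inmatch && n >= 2 && tolower(a[1]) == "x11forwarding" { print tolower(a[2]); exit }
        ' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    # Keyword absent everywhere: OpenSSH's built-in default is "no".
    printf 'no\n'
}

# Comment out every global X11Forwarding line (keeping a .bak copy of each
# edited file), then prepend an explicit "X11Forwarding no" to the main
# file. It is prepended rather than appended so it can never land inside a
# Match block at the end of the file, where it would only apply conditionally.
x11_disable() {
    main="$1"; dropin_dir="$2"
    for f in "$dropin_dir"/*.conf "$main"; do
        [ -f "$f" ] || continue
        cp "$f" "$f.bak"
        awk '
            { l = $0; sub(/^[ \t]+/, "", l); split(l, a, /[ \t=]+/) }
            tolower(a[1]) == "match" { inmatch = 1 }
            !inmatch && tolower(a[1]) == "x11forwarding" { print "#" $0; next }
            { print }
        ' "$f.bak" > "$f"
    done
    { printf 'X11Forwarding no\n'; cat "$main"; } > "$main.tmp" && mv "$main.tmp" "$main"
}

# Demonstration on constructed files in a temporary directory (not a real host).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sshd_config.d"
printf 'Include %s/sshd_config.d/*.conf\n\tX11Forwarding yes\n' "$demo_dir" > "$demo_dir/sshd_config"
printf '# x11forwarding no   (commented out, so it does not count)\nx11forwarding=yes\n' \
    > "$demo_dir/sshd_config.d/50-constructed.conf"
echo "before: $(x11_effective "$demo_dir/sshd_config" "$demo_dir/sshd_config.d")"
x11_disable "$demo_dir/sshd_config" "$demo_dir/sshd_config.d"
echo "after:  $(x11_effective "$demo_dir/sshd_config" "$demo_dir/sshd_config.d")"
rm -rf "$demo_dir"
```

On a real host, the authoritative check is the daemon's own view of its merged configuration: `sudo sshd -T | grep -i x11forwarding` prints the effective value, and `sudo sshd -t` validates the syntax before you restart the service with the systemctl command above.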