Make sure X11Forwarding is disabled
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the SSH connection to enable remote graphical sessions. The X11 protocol was never built with security in mind. Because forwarding opens a channel back to the client, a malicious or compromised server could send commands back to the client's X11 display.
This feature should only be used in very specific cases.
Note: this is disabled by default. This test ensures the default configuration is in place.
The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding.
To set up the connection, the SSH server accepts an X11 authentication credential from the client and supplies it to the xauth utility, which registers it for the X11 applications the user runs. The components of that credential are not sanitized to exclude meta-characters, so an attacker can supply a credential that injects commands into xauth.
The attacker could use several xauth commands to read or overwrite arbitrary files (subject to file permissions), connect to local ports, or perform attacks on xauth itself. This can lead to several further attacks, such as intercepting or injecting keystrokes and mouse movement.
To avoid this and harden the service, X11Forwarding must be disabled.
Since the default value is the correct one, you need to delete the line containing X11Forwarding, or change it to X11Forwarding no. First check whether the argument is set in the main configuration file:
grep X11Forwarding /etc/ssh/sshd_config
If the output isn't empty, the argument is present in the file. Edit the file /etc/ssh/sshd_config and replace the current X11Forwarding value with no, or just remove the line.
If the output is empty, this argument could still be defined in a drop-in file under /etc/ssh/sshd_config.d/. Check there too:
grep X11Forwarding /etc/ssh/sshd_config.d/*.conf
If the output isn't empty, edit the file where the argument is defined, changing its value to no.
If you couldn't find the argument definition anywhere and it is still enabled, edit the file /etc/ssh/sshd_config and include the following line:
X11Forwarding no
Finally, restart the SSHD service:
sudo systemctl restart sshd
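The grep commands above show whether the keyword appears in a file, but not which value sshd will actually use: sshd takes the first value it obtains for a keyword, a missing keyword falls back to the compiled-in default ("no"), and values under a Match block apply only to matching connections. The following POSIX shell script is an added example, not part of the original page or of OpenSSH; the function names x11_state and x11_state_file and the sample configurations are constructed here for illustration, while sshd -T (extended test mode) is a real OpenSSH option.

```shell
#!/bin/sh
# Added example (not from the original page): report the effective global
# X11Forwarding value of an sshd_config-style text the way sshd reads it.
# Two sshd_config rules matter and a plain grep does not encode them:
#   1. for each keyword the FIRST value obtained wins, so a later
#      "X11Forwarding no" does not override an earlier "yes";
#   2. a keyword that never appears takes the compiled-in default, "no".
# Lines after a "Match" header apply only to matching connections, so the
# scan stops there. Only the text passed in is inspected; files pulled in by
# an "Include" directive (e.g. /etc/ssh/sshd_config.d/*.conf) need the same check.

# x11_state CONFIG_TEXT -> prints "yes" or "no"
x11_state() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "match"                  { exit }               # conditional section: stop
        tolower($1) == "x11forwarding" && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print "no" }                                  # absent: default applies
    '
}

# x11_state_file PATH -> same, reading the configuration text from a file
x11_state_file() {
    x11_state "$(cat "$1")"
}

# Constructed sample configurations (not taken from any real host).
SAMPLE_FIRST_WINS='Port 22
X11Forwarding yes
X11Forwarding no'

SAMPLE_COMMENTED='Port 22
# X11Forwarding yes
PermitRootLogin no'

SAMPLE_MIXED_CASE='x11forwarding NO'

SAMPLE_MATCH_ONLY='Port 22
Match User alice
    X11Forwarding yes'

# Stand-alone demonstration. On a live host the authoritative check is
#   sudo sshd -T | grep -i "^x11forwarding"
# which prints the value sshd will use after all Includes and defaults.
for name in FIRST_WINS COMMENTED MIXED_CASE MATCH_ONLY; do
    eval "text=\$SAMPLE_$name"
    printf '%-12s -> %s\n' "$name" "$(x11_state "$text")"
done
```

The script only understands the whitespace-separated "keyword value" form; when in doubt, sshd -T remains the reference, because it resolves Include directives and defaults exactly as the running daemon does.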