Strange DISPLAYs in xauth


Hello All,

I have a Solaris 10 machine that can access Internet via NAT
(masquerading) firewall on another machine.
There is no RDR back to this machine from the outside world.

This Solaris machine runs sshd2 (tectia) on a non-standard port, which
is blocked by firewall, and is only accessible via intranet interfaces
(other NICs with no access to the firewall/internet)

All unix commands like "last" show logins only from the internal
However, "xauth list" shows the tunnelled X11 displays associated with
external alien IP addresses

Could someone please try to explain, how is it possible? Speculations
are welcome.


Re: Strange DISPLAYs in xauth


Assuming another machine on the internal network CAN be accessed
inbound from the outside world, one non-panic scenario would be that
users have ssh'd in from another internal box (via vpn or allowed ssh
from the internet to that other internal box), ssh'd to your Solaris
box, then pushed X displays back to their IP address (by manually
setting DISPLAY environment variables).  

If your sshd allows X11 forwarding, however, this would be Weird(tm)
because anyone who cares about their connection not being sniffed
along the way would push that X traffic over an ssh X forwarding
tunnel.  If this is a shared use box, one might search internal web
pages to see if anyone's documented a procedure for setting DISPLAY
variables if you see this happening en masse.  If this is a university
machine, stuff like this seems to happen a lot.  

Now the panic scenarios:

If the IPs are VERY foreign as in no legit user should be in those

Box could be partially trojaned and the OS level commands are not all
telling you the truth.

Todd H. /

Re: Strange DISPLAYs in xauth


Nah, why would it then appear in xauth?
My understanding was that if someone manually sets DISPLAY in shell,
it just uses an IP address, and no additional authentication on X
client side
(on my Solaris box, in this case)


I indeed have played with WeirdX a while ago, not exactly from this
box, but may have forwarded some connections via ssh tunnel.
This must be it. Thanks a lot for the hint!


Yes, the addresses are VERY foreign, and the box is VERY private.
Is it correct to assume that an entry like x.y.z.h:11:0 is added to
xauth only after
successful ssh login?

Now, I'll start questioning all my sshd's that were considered secure
enough before -
only public key auth, no root login, no TCP forwarding except X11,
Looks like they still can break it  ((
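The thread's practical question is whether every host that turns up in "xauth list" can be matched to a real login on the box. The script below is an added example, not code from the thread or from any of its posters; it takes the text of "xauth list" and of "last" (here replaced by constructed sample output, with hostnames, addresses and cookies made up for the example), strips the display numbers and the "/unix" suffix from the xauth entries, collects the source hosts from the login records, and prints the display hosts that have no matching login. Sample host "solaris10" stands in for the local machine. A host listed here is not proof of compromise, but it is exactly the kind of entry the original poster was asking about and is worth tracing by hand.

```sh
#!/bin/sh
# Audit helper: report X display hosts in xauth that no login record explains.
# Constructed sample of "xauth list" output (not taken from the thread).
XAUTH_SAMPLE='solaris10/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
10.0.0.5:11  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210
203.0.113.7:12  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

# Constructed sample of "last" output; the source host is the third column.
LAST_SAMPLE='alice   pts/1   10.0.0.5   Mon Jan  1 10:00 - 10:30  (00:30)
bob     pts/2   10.0.0.9   Mon Jan  1 11:00 - 11:10  (00:10)
wtmp begins Mon Jan  1 00:00'

# xauth_hosts: print each display host once, without ":N" display number
# or the "/unix" suffix that local-socket displays carry.
xauth_hosts() {
    printf '%s\n' "$1" |
        awk '{ split($1, d, ":"); sub(/\/unix$/, "", d[1]); print d[1] }' |
        sort -u
}

# login_hosts: print each login source host once, skipping the wtmp trailer.
login_hosts() {
    printf '%s\n' "$1" |
        awk 'NF >= 4 && $1 != "wtmp" { print $3 }' |
        sort -u
}

# unexplained_displays LOCALHOST XAUTH_TEXT LAST_TEXT
# Prints xauth display hosts that are neither the local box nor a login source.
unexplained_displays() {
    local_host=$1
    xauth_out=$2
    last_out=$3
    for h in $(xauth_hosts "$xauth_out"); do
        [ "$h" = "$local_host" ] && continue
        if ! login_hosts "$last_out" | grep -qx "$h"; then
            echo "$h"
        fi
    done
}

# On a live system the sample text would be replaced by the real commands:
#   unexplained_displays "$(hostname)" "$(xauth list)" "$(last)"
unexplained_displays solaris10 "$XAUTH_SAMPLE" "$LAST_SAMPLE"
```

The comparison is only a heuristic: "last" truncates long hostnames on some systems, a display can legitimately point at a box that was never a login source (the manually set DISPLAY case raised earlier in the thread), and, as the first reply notes, on a partially trojaned machine the login records themselves may not be trustworthy, so an empty result from this check is not a clean bill of health.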
