Results 1 to 9 of 9

Thread: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

  1. #1
    Join Date
    Mar 2019
    Beans
    215

    X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    Hi,

    I am not using X11 forwarding (as far as I know), but on a website about "bad security" it says it is best to set ForwardX11Trusted to "no."

    When I tried to edit the ssh_config file, I was unable to change ForwardX11Trusted to no, when I typed in the word 'no' and tried to save the file.

    I got this code:

    Code:
    (gedit:7186): Tepl-WARNING **: 18:57:37.709: GVfs metadata is not supported. Fallback to TeplMetadataManager. Either GVfs is not correctly installed or GVfs metadata are not supported on this platform. In the latter case, you should configure Tepl with --disable-gvfs-metadata.

  2. #2
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    How do you use gedit? That just shows a warning.
    Typically I use:
    Code:
    gedit admin://<your-path and application>
    When I bother with gnome.
    Just use Nano!
    before my edit:
    Code:
    # Site-wide defaults for some commonly used options.  For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.
    
    Include /etc/ssh/ssh_config.d/*.conf
    
    Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   ForwardX11Trusted[ yes
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
    #   GSSAPIAuthentication no
    #   GSSAPIDelegateCredentials no
    #   GSSAPIKeyExchange no
    #   GSSAPITrustDNS no
    #   BatchMode no
    #   CheckHostIP yes
    #   AddressFamily any
    #   ConnectTimeout 0
    #   StrictHostKeyChecking ask
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   IdentityFile ~/.ssh/id_ecdsa
    #   IdentityFile ~/.ssh/id_ed25519
    #   Port 22
    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    #   EscapeChar ~
    #   Tunnel no
    #   TunnelDevice any:any
    #   PermitLocalCommand no
    #   VisualHostKey no
    #   ProxyCommand ssh -q -W %h:%p gateway.example.com
    #   RekeyLimit 1G 1h
    #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes
    After my edit:
    Code:
     cat /etc/ssh/ssh_config | grep ForwardX11Trusted
    #   ForwardX11Trusted no
    Last edited by 1fallen; April 16th, 2023 at 06:45 PM. Reason: add to
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  3. #3
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    This would be a normal error when you try to use a gnome graphical application with sudo, which you shouldn't because root doesn't have the home directory to support graphics. That specific error is saying that (if a normal user) that it is trying to write a metadata file to set a pointer, so that on reopening the file, that it starts at the last line number it was on at exit... But since you are not supposed to us gnome applications with sudo, because it can't write those files... Telling you that it cannot do that, would be normal...

    Instead, you should be using 'sudoedit' to edit files with escalated permissions.

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

  4. #4
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    ssh_config or sshd_config? The server-side normally is the one we want to prevent ssh X11 forwarding inside. That's the sshd_config file.

    +1 for using sudoedit. You can use any EDITOR you like, but know that only CLI editors like nano, vim, emacs, will work on a system without a GUI (which is typical for remote servers). Any editor can be set in your startup files (~/.bashrc) with the export EDITOR= .... same for the default PAGER you want to use. These things have been around, probably since 1970 and are one of the very first things I setup on any new system, usually right after I purge nano.

    grep shows this.
    /etc/ssh/sshd_config:X11Forwarding yes
    /etc/ssh/ssh_config:# ForwardX11 no

    The ssh_config file is system-wide for all users, but usually any settings in there would be created in each user's ~/.ssh/config file instead. Enforce security policy inside the dæmon config file, not the client config file.

  5. #5
    Join Date
    Mar 2019
    Beans
    215

    Re: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    Thanks to all for the replies. I was away due to work, but will check out your recommendations.

  6. #6
    Join Date
    Mar 2019
    Beans
    215

    Re: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    Quote Originally Posted by

    [/code

    Code:
     cat /etc/ssh/ssh_config | grep ForwardX11Trusted
    #   ForwardX11Trusted no
    I just typed your command into the terminal and also got the same answer
    Code:
      ForwardX11Trusted no
    So that's interesting. Even though I got that error message, see post #1, somehow the initial yes was changed into a no.

    Not sure how that happened.
    Last edited by bhubunt; April 20th, 2023 at 06:09 PM.

  7. #7
    Join Date
    Mar 2019
    Beans
    215

    Re: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    Quote Originally Posted by MAFoElffen View Post
    This would be a normal error when you try to use a gnome graphical application with sudo, which you shouldn't because root doesn't have the home directory to support graphics. That specific error is saying that (if a normal user) that it is trying to write a metadata file to set a pointer, so that on reopening the file, that it starts at the last line number it was on at exit... But since you are not supposed to us gnome applications with sudo, because it can't write those files... Telling you that it cannot do that, would be normal...

    Instead, you should be using 'sudoedit' to edit files with escalated permissions.
    Can you give an example of such a sudoedit command line?

  8. #8
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    Quote Originally Posted by bhubunt View Post
    Can you give an example of such a sudoedit command line?
    Try:
    Code:
    sudoedit /etc/default/grub
    It's much the same as nano, yourjust adding a better/safer practice when editing configs.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  9. #9
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: X11 Forwarding on Ubuntu 20.04 and ForwardX11Trusted

    Or
    Code:
    sudoedit /etc/ssh/sshd_config
    Or if you are already in the correct directory,
    Code:
    sudoedit sshd_config
    Works just like any other CLI editor. How it works to be safer than other methods is sorta cool.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •