4.2.12 Ensure SSH X11 forwarding is disabled

Information

The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.

Disable X11 forwarding unless there is an operational requirement to run X11 applications over SSH. With forwarding enabled, the sshd host gets a proxy display that is connected back to the user's X server on the client; the risk is that other users or processes on that sshd host can use the forwarded display to attack the client's X server (capturing keystrokes or injecting input, for example). Note that even if X11Forwarding is disabled in sshd, users can still forward X11 traffic themselves with generic port forwarding or a relay such as socat, so this setting removes the built-in convenience rather than the capability.

Solution

Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the X11Forwarding parameter as follows. Note that sshd honours the first value it reads for a keyword, and the Include of /etc/ssh/sshd_config.d/*.conf normally sits at the top of /etc/ssh/sshd_config, so a drop-in that sets X11Forwarding yes overrides a later X11Forwarding no in the main file:

X11Forwarding no

Run the following command to comment out any X11Forwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no. Be aware that the sed expression comments out every X11Forwarding line in each file that matched, including any X11Forwarding no entries in that file, and that the grep -Evi 'no' filter drops any line that contains the string "no" anywhere, so re-check the effective value (for example with sshd -T) after running it:

# grep -Pi '^\h*X11Forwarding\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri "/^\s*X11Forwarding\s+/s/^/# /" "$(awk -F: '{print $1}' <<< "$l_out")"; done
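The following script is an added example and is not part of the CIS benchmark text or the Tenable plugin. It resolves the X11Forwarding value sshd will actually apply (first value read wins, default no), comments out any non-no entries file by file, and re-checks the result. The file order, the drop-in name 10-x11.conf and the sample config contents are constructed for the demo; on a live host the authoritative check is the output of sshd -T, which the x11_live function reads.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit and remediate X11Forwarding.
# sshd keeps the FIRST value it reads for a keyword, so pass the files in the
# order sshd reads them (drop-ins included at the top of sshd_config come first).

# x11_effective FILE... -> prints the value sshd would use ("no" if unset, the sshd default)
x11_effective() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # strip comments, allow the "Keyword=value" form, take the first match
        v=$(sed 's/#.*//; s/=/ /' "$f" |
            awk 'tolower($1)=="x11forwarding" {print tolower($2); exit}')
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    printf 'no\n'
}

# x11_audit FILE... -> exit 0 if the effective value is "no", 1 otherwise
x11_audit() {
    [ "$(x11_effective "$@")" = "no" ]
}

# x11_remediate FILE... -> comment out only the X11Forwarding lines whose value is not "no"
x11_remediate() {
    for f in "$@"; do
        [ -w "$f" ] || continue
        awk '{
            line=$0; sub(/#.*/, "", line); gsub(/=/, " ", line); split(line, a)
            if (tolower(a[1])=="x11forwarding" && tolower(a[2])!="no") print "# " $0
            else print $0
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# x11_live -> the value the running sshd reports (needs root and sshd on PATH)
x11_live() {
    sshd -T 2>/dev/null | awk '$1=="x11forwarding" {print $2}'
}

# Demo on constructed files in a temp dir: a drop-in enabling X11 overrides
# the "no" in the main file until the drop-in is commented out.
demo() {
    d=$(mktemp -d)
    printf 'Include /etc/ssh/sshd_config.d/*.conf\nX11Forwarding no\n' > "$d/sshd_config"
    printf 'X11Forwarding yes\n' > "$d/10-x11.conf"
    echo "before: $(x11_effective "$d/10-x11.conf" "$d/sshd_config")"
    x11_remediate "$d/10-x11.conf" "$d/sshd_config"
    echo "after:  $(x11_effective "$d/10-x11.conf" "$d/sshd_config")"
    rm -rf "$d"
}

[ "${1-}" = "--demo" ] && demo
```

Run it as sh x11check.sh --demo to see the drop-in override and its remediation; on a real host call x11_live (or sshd -T directly) after editing, since that reflects Include handling and any Match blocks exactly as the running daemon sees them.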

See Also

https://workbench.cisecurity.org/benchmarks/12705

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: a3f376a1b792fe306a329bcc88d0a4d48569a3e45cfa92dbdaadd1c6ec6f3c1a