6.3 Disable X11 Forwarding for SSH

Information

The 'X11 Forwarding' parameter defined within the /etc/ssh/sshd_config file specifies
whether or not X11 Forwarding via SSH is enabled on the server- The Secure Shell service
provides an encrypted 'tunnel' for the data traffic passing through it. While commonly used
to substitute for clear-text, CLI-based remote connections such as telnet, Secure Shell can
be used to forward an 'X Window' session through the encrypted tunnel, allowing the
remote user to have a GUI interface.

As enabling X11Forwarding on the host can permit a malicious user to secretly open
another X11 connection to another remote client during the session and perform
unobtrusive activities such as keystroke monitoring, if the X11 services are not required for
the system's intended function, it should be disabled or restricted as appropriate to the
user's needs.

Solution

Perform the following to implement the recommended state-# awk '/^X11Forwarding / { $2 = 'no' }
{ print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS
# mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config
# svcadm restart svc-/network/ssh

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|3.1

Plugin: Unix

Control ID: 2bc938e789f401b8a2e793e8d33566815054cf73b6be887430dbbc38ee924f43