UBTU-20-010049 - The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.

Solution

Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.

Edit the '/etc/ssh/sshd_config' file to uncomment or add the line for the 'X11UseLocalhost' keyword and set its value to 'yes' (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

X11UseLocalhost yes

Restart the SSH daemon for the changes to take effect:

$ sudo systemctl restart sshd.service

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R9_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-238220r858535_rule, STIG-ID|UBTU-20-010049, Vuln-ID|V-238220

Plugin: Unix

Control ID: a1a614e2da8067117400cc5e7c81c6ed3984975956f7b89cf9327979e057014f