X11 access to remote hosts

phil.e
Posts: 97
Joined: 2018/02/13 20:28:14

X11 access to remote hosts

Post by phil.e » 2023/02/01 18:12:34

Our security department runs Nessus to scan for vulnerabilities (on CentOS 7). One ding that keeps coming up is regarding "x11 unauthenticated access" - Tenable plugin ID 19948.

The users often share x11 screens to collaborate with each other, and they've got some monitoring things going on where they also share screens with other users.

The hosts they come from to access these screens are often different - it's a dynamic list of hosts.

What is the correct way to restrict access to remote X11 servers? Tenable says use xhost; from what I've read, xhost seems to just be a rudimentary access control based on username and/or hostname. But, as mentioned, the hosts the users are coming from can be different each time; maintaining a long, fluid host list sounds like a management headache.

Any suggestions?

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: X11 access to remote hosts

Post by tunk » 2023/02/02 11:07:30

How do they connect? Use firewall to restrict access?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: X11 access to remote hosts

Post by jlehtone » 2023/02/02 11:36:38

"To see remote desktop ..."
VNC and X2Go do something like that
https://linuxconfig.org/how-to-share-yo ... ing-x11vnc
https://wiki.x2go.org/doku.php
Both tunnel via SSH, which is much stronger security.

The basic idea of X11 is that the "X client" runs somewhere and sends data (the window) to the "X server" for rendering.
Normally client and server run on the same machine.

The client can run remotely and the server locally, where you see the screen.
In the "good" old days the applications sent the data over the network with the X11 protocol, and X servers accepted connections from anywhere.
That option has been more or less disabled. X11 forwarding via an SSH tunnel is still possible; the client thinks that the server is on localhost (but ssh forwards the data elsewhere).

With VNC and X2Go (a fork of NoMachine) the X server is on the remote machine (but might not have a physical display) and ssh transfers essentially a stream of screenshots to our local machine for viewing (without the need for an X server on the local machine).
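The two things the thread turns on, whether the X server listens on TCP at all and whether its xhost access control is still enabled, as a small audit script. This is an added example, not code from the thread or from Tenable; it assumes it runs on the X server host with `xhost` and `ss` available when called with `--live`, and otherwise evaluates the constructed sample outputs embedded below.

```shell
#!/bin/sh
# Added example, not from the forum thread. Classifies a host's X11 exposure
# from two inputs: `xhost` output and an `ss -ltn` socket listing.
# Run with --live on the X server host; without it the constructed samples
# below are evaluated instead.

# Constructed `xhost` output for the risky state (someone ran "xhost +").
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
# Constructed `xhost` output for the default, restricted state.
SAMPLE_XHOST_OK='access control enabled, only authorized clients can connect
SI:localuser:alice'
# Constructed `ss -ltn` output: an X server bound to TCP 6000 on all
# interfaces, plus an SSH X11 forwarding listener on loopback only (6010).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*'

# xhost_policy: reads `xhost` output on stdin; prints "open" when access
# control is disabled (any host may connect), "restricted" otherwise.
xhost_policy() {
  if grep -q '^access control disabled'; then echo open; else echo restricted; fi
}

# x11_tcp_listeners: reads `ss -ltn` output on stdin and prints each
# non-loopback listener on ports 6000-6063 (displays :0 to :63). Xorg
# defaults to -nolisten tcp, so an empty result is the expected state and
# means remote clients can only reach the display through ssh -X/-Y.
x11_tcp_listeners() {
  awk '$1 == "LISTEN" {
         n = split($4, a, ":"); port = a[n] + 0
         addr = substr($4, 1, length($4) - length(a[n]) - 1)
         if (port < 6000 || port > 6063) next
         if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
         print $4
       }'
}

# x11_exposure: $1 = xhost output, $2 = ss output; prints a one-line verdict.
x11_exposure() {
  policy=$(printf '%s\n' "$1" | xhost_policy)
  listeners=$(printf '%s\n' "$2" | x11_tcp_listeners | tr '\n' ' ')
  if [ -n "$listeners" ] && [ "$policy" = open ]; then
    echo "CRITICAL: X server on TCP (${listeners% }) with access control disabled"
  elif [ -n "$listeners" ]; then
    echo "WARN: X server on TCP (${listeners% }); only the xhost list protects it"
  else
    echo "OK: no non-loopback X11 TCP listener; remote clients must use SSH forwarding"
  fi
}

if [ "${1:-}" = "--live" ]; then
  x11_exposure "$(xhost 2>/dev/null)" "$(ss -ltn 2>/dev/null)"
else
  x11_exposure "$SAMPLE_XHOST_OPEN" "$SAMPLE_SS"
fi
```

A host that reports "OK" still needs `X11Forwarding` considered on the sshd side, but it no longer matches the unauthenticated-TCP case the plugin looks for.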
