Rule ID
SV-269271r1050153_rule
Version
V1R6
CCIs
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display.
Verify the SSH daemon prevents remote hosts from connecting to the proxy display with the following command: $ sshd -T | grep x11uselocalhost x11uselocalhost yes If the value is returned as "no", this is a finding.
Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": X11UseLocalhost yes Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file: $ echo 'X11UseLocalhost yes' > /etc/ssh/sshd_config.d/40-x11local.conf Restart the SSH daemon for the settings to take effect: $ systemctl restart sshd.service