UCF STIG Viewer Logo

The SSH client must be configured to not allow X11 forwarding.


Overview

Finding ID Version Rule ID IA Controls Severity
GEN005520-ESXI5-705 GEN005520-ESXI5-705 GEN005520-ESXI5-705_rule Low
Description
X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed.
STIG Date
VMware ESXi v5 Security Technical Implementation Guide 2013-01-15

Details

Check Text ( C-GEN005520-ESXI5-705_chk )
Disable lock down mode.
Enable the ESXi Shell. Check the SSH client configuration for the X11 forwarding setting. # grep -i "^ForwardX11" /etc/ssh/ssh_config

If "ForwardX11" is set to "yes", this is a finding.

Re-enable lock down mode.
Fix Text (F-GEN005520-ESXI5-705_fix)
Disable lock down mode.
Enable the ESXi Shell.

Edit the SSH client configuration and add/modify the "ForwardX11" configuration to "no".
# vi /etc/ssh/ssh_config

Re-enable lock down mode.