[pkg-x2go-devel] Bug#714776: x2goclient: NX/X2go apparently directly connects (parts of?) the remote with the local X

Christoph Anton Mitterer calestyo at scientia.net
Tue Jul 2 18:22:14 UTC 2013

Source: x2goclient
Severity: important


A recent discussion[0] at turned (to my very big surprise) out, that
NX/X2Go doesn't work like VNC/RDP (i.e. that it more or less sends the
pixbuffers which are locally drawn), but rather that there is some direct
injection of the remote's X clients' X protocol into the local X server.

At upstream it was compared with running "ssh -X" respectively
plain X forwarding (after some xauth)...

As we all know, plain X forwarding has many serious security implications,
which basically means that no sane person will/should ever use it unless
the remote host is fully trusted.

To my understanding, this is typically not the case with VNC/RDP/NX... people
often use it to connect to systems out of their control.
Moreover, I guess many people expect NX to work conceptually more like
VNC/RDP, i.e. just drawing images (in a very sophisticated way), which is
probably more secure[1] than directly going into the X server.

a) I started a discussion upstream, whether one could make this somehow
better/more secure (my poor man's understanding would be that using a nested
X server (like Xephyr) for the communication with the remote NX could perhaps
help - but that's just guessing)... but it will at least take a lot of time
until anything comes out there (if at all).

b) To tell people about what really happens, I think the Debian package
should include a warning in the package description, that NX/X2go technology
is much more like plain X forwarding, with all its security implications.

In the case of the x2goclient source package, this should IMHO go to all
x2goclient, x2goplugin, x2goplugin-provider


[0] http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=258
[1] Obviously secure for the local server - I don't talk about the network
communication between remote and local server which is pretty bad for VNC/RDP,
unless tunneled.
