I have the following problem:
I am remotely administrating a project on a Ubuntu VPS, which relies on GUI applications.
The anonymity of the TOR-network is essential, so I SSH out of my Whonix WS.
The difficulty lies with displaying said GUI-applications, as far as I know there are the two alternatives, tunneling VNC through SSH or using SSH X11 forwarding.
SSH X11 is argued against in Whonix SSH wiki, I quote “Forwarding X11 is not a good idea”. I wonder why, but it doesnt really matter since it is incredibly slow to the point of being unusable if routed through TOR.
Tunneling VNC through SSH yields better, but still pretty unusable results.
Is there any secret potion I am missing, any best practices for people running GUI apps through SSH over TOR or am I just shit out of luck then?
When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd(8) proxy display is configured to listen on the wildcard address (see X11UseLocalhost), though this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client’s X11 display server may be exposed to attack when the SSH client requests forwarding (see the warnings for ForwardX11 in ssh_config(5)). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a no setting.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection.
The security risk of using X11 forwarding is that the client’s X11 display server maybe exposed to attack when the SSH client requests forwarding(see the warnings for ForwardX11 in ssh_config(5)). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a no setting.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.