Remote X display access
Chris Tyler
chris at tylers.info
Sun Jan 2 19:12:57 UTC 2011
On Sun, 2011-01-02 at 13:53 -0500, Alex wrote:
> Hi,
>
> >> What is the best way to securely permit a remote X application to
> >> display on a local system?
> ...
>
> > Here's what I do:
> > local machine: ssh -YC username@remotemachine.com
>
> I tried "ssh -X user@host" and that appeared to work fine. What is the
> difference between these two commands? Will I be able to perform all
> functions remotely using my method, or is the -Y preferred?
>
> Thanks for everyone's help. xhost with X11R5 is what I recalled using :-)

-C is compression (recommended)
-X is untrusted X forwarding
-Y is trusted X forwarding

TBH, there's rarely a difference between -X and -Y at this point, though
-Y should in theory permit some things that -X doesn't (and therefore -X
could be more secure). See the SECURITY extension for X for details
(short version: there are two different levels of authorization
available via MIT Cookies; using an untrusted cookie should help
mitigate risks such as the remote system snooping your activity,
injecting events into other windows, or taking a screenshot/screencast).

Note that you can place a command at the end of the ssh command:

    ssh -XC user@host system-config-config-services

And then you can put that in an application launcher if you want. Using
key-based access, you could then just click an icon/menu entry/panel
button to run the app remotely.

-Chris
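
Added example (not part of the original message): with -X, whether the forwarded clients are actually untrusted depends on the client's ForwardX11Trusted setting, which `ssh -G` prints as part of the resolved configuration. The function below classifies that output; the sample lines are constructed, and x11_mode, check_host and the sample_* helpers are names chosen for this example.

```shell
#!/bin/sh
# Classify the X11 forwarding mode an ssh invocation would use.
# x11_mode reads "key value" lines (the format printed by `ssh -G`)
# on stdin and prints one of: none, untrusted, trusted.
x11_mode() {
    awk '
        { key = tolower($1) }
        key == "forwardx11"        { fwd = tolower($2) }
        key == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "none"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# Constructed samples of the relevant `ssh -G` lines (not captured output).

# -X with ForwardX11Trusted left at "no": untrusted cookie is used.
sample_x_untrusted() {
    printf '%s\n' 'hostname host' 'forwardx11 yes' 'forwardx11trusted no'
}

# -X on a client whose ssh_config sets "ForwardX11Trusted yes":
# the session behaves like -Y even though -X was typed.
sample_x_config_trusted() {
    printf '%s\n' 'hostname host' 'forwardx11 yes' 'forwardx11trusted yes'
}

# No -X/-Y and no ForwardX11 in the config: nothing is forwarded.
sample_no_forwarding() {
    printf '%s\n' 'hostname host' 'forwardx11 no' 'forwardx11trusted no'
}

# Live check; pass the same options you would give ssh, for example:
#   check_host -X user@host
check_host() {
    ssh -G "$@" | x11_mode
}

echo "-X, ForwardX11Trusted no : $(sample_x_untrusted | x11_mode)"
echo "-X, ForwardX11Trusted yes: $(sample_x_config_trusted | x11_mode)"
echo "no forwarding options    : $(sample_no_forwarding | x11_mode)"
```

If check_host reports "trusted" for a -X invocation, set ForwardX11Trusted to no for that host in ~/.ssh/config to get the untrusted cookie.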