X11 forward in F12
Gene Heskett
gene.heskett at verizon.net
Wed May 12 03:06:12 UTC 2010
On Tuesday 11 May 2010, Tim wrote:
>On Tue, 2010-05-11 at 14:43 -0700, Suvayu Ali wrote:
>> May I suggest using -Y instead of -X. It's supposed to be more secure.
>
>That's not clear from the man file:
>
>     -X      Enables X11 forwarding.  This can also be specified on a
>             per-host basis in a configuration file.
>
>             X11 forwarding should be enabled with caution.  Users with the
>             ability to bypass file permissions on the remote host (for the
>             user’s X authorization database) can access the local X11
>             display through the forwarded connection.  An attacker may then
>             be able to perform activities such as keystroke monitoring.
>
>             For this reason, X11 forwarding is subjected to X11 SECURITY
>             extension restrictions by default.  Please refer to the ssh -Y
>             option and the ForwardX11Trusted directive in ssh_config(5)
>             for more information.
>
>     -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are
>             not subjected to the X11 SECURITY extension controls.
>
>Looking at that, it sounds like -Y is subjected to fewer controls, even
>if it may have less of a flaw, in the first place. It doesn't sound
>reassuring, either way.
>
If I can toss an oar in here, I have always used -Y, mainly because -X has
never worked for me. -Y is flawless as long as the user is the X user.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
As a goatherd learns his trade by goat, so a writer learns his trade by
wrote.
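
Added example, not part of the original thread: the man page text quoted above ties the choice between restricted and trusted forwarding to the ForwardX11Trusted directive as well as to -X and -Y, so this sketch reads the effective client configuration and reports which mode `ssh -X` would actually use for a host. It assumes an OpenSSH client that supports `ssh -G` (newer than this thread); the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the X11 forwarding mode from `ssh -G` output.

# Read `ssh -G` output on stdin and print one of: off, untrusted, trusted.
#   untrusted = forwarding under the X11 SECURITY extension restrictions
#   trusted   = forwarding without those restrictions (what -Y asks for)
x11_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# For each host given, show what typing `ssh -X host` would result in.
# ssh -G only resolves and prints the configuration; it does not connect.
audit_hosts() {
    for host in "$@"; do
        if cfg=$(ssh -G -X "$host" 2>/dev/null); then
            printf '%s\t%s\n' "$host" "$(printf '%s\n' "$cfg" | x11_mode)"
        else
            printf '%s\t%s\n' "$host" "error"
        fi
    done
}

# Constructed sample: -X on the command line, but a configuration file
# that sets ForwardX11Trusted yes, so the SECURITY restrictions are lifted.
sample_config() {
    printf '%s\n' \
        'hostname build.example' \
        'port 22' \
        'forwardx11 yes' \
        'forwardx11trusted yes'
}

sample_config | x11_mode    # prints "trusted"
```

A host reported as `trusted` gets unrestricted forwarding even when only -X is typed, because a configuration file sets ForwardX11Trusted for it.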