Re: X11 forward in F12

On Tuesday 11 May 2010 07:25 PM, Tim wrote:
> On Tue, 2010-05-11 at 14:43 -0700, Suvayu Ali wrote:
>> May I suggest using -Y instead of -X. It's supposed to be more secure.
>
> That's not clear from the man file:
>
>      -X      Enables X11 forwarding.  This can also be specified on a per-host
>               basis in a configuration file.
>
>               X11 forwarding should be enabled with caution.  Users with the
>               ability to bypass file permissions on the remote host (for the
>               user’s X authorization database) can access the local X11 display
>               through the forwarded connection.  An attacker may then be able
>               to perform activities such as keystroke monitoring.
>
>               For this reason, X11 forwarding is subjected to X11 SECURITY
>               extension restrictions by default.  Please refer to the ssh -Y
>               option and the ForwardX11Trusted directive in ssh_config(5) for
>               more information.
>
>
>
>       -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are not
>               subjected to the X11 SECURITY extension controls.
>
> Looking at that, it sounds like -Y is subjected to fewer controls, even
> if it may have less of a flaw, in the first place.  It doesn't sound
> reassuring, either way.
>

  ForwardX11Trusted
          If this option is set to “yes”, remote X11 clients will have full
          access to the original X11 display.

          If this option is set to “no”, remote X11 clients will be
          considered untrusted and prevented from stealing or tampering with
          data belonging to trusted X11 clients.  Furthermore, the xauth(1)
          token used for the session will be set to expire after 20 minutes.
          Remote clients will be refused access after this time.

          The default is “no”.

          See the X11 SECURITY extension specification for full details on
          the restrictions imposed on untrusted clients.

I think this is clearer than the ssh man page.

-- 
Suvayu

Open source is the future. It sets us free.
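Added example, not from the thread or from OpenSSH: a small Python resolver that applies ssh_config's first-obtained-value rule to ForwardX11 and ForwardX11Trusted over a constructed config, so you can see which hosts would get trusted forwarding (and hence full access to the local display) before typing -X or -Y. It assumes the “no” defaults quoted above, ignores Match, Include and the system-wide config, and uses fnmatch in place of ssh's own pattern matcher.

```python
import fnmatch
import re
# Constructed sample ~/.ssh/config for this demo (not from the post).
SAMPLE_CONFIG = """\
Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted yes
Host *.example.org
    ForwardX11 = yes
Host *
    ForwardX11Trusted no
"""
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}  # ssh_config(5) defaults

def parse_ssh_config(text):
    """(host_patterns, {keyword: value}) blocks in file order; Match/Include ignored."""
    blocks, patterns, opts = [], ["*"], {}  # leading lines apply to every host
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) < 2:
            continue  # blank, comment-only, or keyword without a value
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts[key] = value.lower()
    blocks.append((patterns, opts))
    return blocks

def host_matches(patterns, host):
    """Host-line semantics: any pattern may match, a matching '!' pattern vetoes."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def effective_x11(host, text=SAMPLE_CONFIG):
    """First obtained value wins, as in ssh(1); -X/-Y on the command line override it."""
    resolved = {}
    for patterns, opts in parse_ssh_config(text):
        if host_matches(patterns, host):
            for key, value in opts.items():
                resolved.setdefault(key, value)
    return {k: resolved.get(k, d) for k, d in DEFAULTS.items()}
```

With the sample config only build.example.org resolves to ForwardX11Trusted yes; every other *.example.org host gets untrusted forwarding with the 20-minute xauth token, and unlisted hosts get no forwarding at all.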
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines