On Tuesday 11 May 2010 07:25 PM, Tim wrote: > On Tue, 2010-05-11 at 14:43 -0700, Suvayu Ali wrote: >> May I suggest using -Y instead of -X. Its supposed to be more secure. > > That's not clear from the man file: > > -X Enables X11 forwarding. This can also be specified on a per-host > basis in a configuration file. > > X11 forwarding should be enabled with caution. Users with the > ability to bypass file permissions on the remote host (for the > user’s X authorization database) can access the local X11 display > through the forwarded connection. An attacker may then be able > to perform activities such as keystroke monitoring. > > For this reason, X11 forwarding is subjected to X11 SECURITY > extension restrictions by default. Please refer to the ssh -Y > option and the ForwardX11Trusted directive in ssh_config(5) for > more information. > > > > -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not > subjected to the X11 SECURITY extension controls. > > Looking at that, it sounds like -Y is subjected to less controls, even > if it may have less of a flaw, in the first place. It doesn't sound > reassuring, either way. > ForwardX11Trusted If this option is set to “yes”, remote X11 clients will have full access to the original X11 display. If this option is set to “no”, remote X11 clients will be consid- ered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the xauth(1) token used for the session will be set to expire after 20 min- utes. Remote clients will be refused access after this time. The default is “no”. See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients. I think this is clearer than the ssh man page. -- Suvayu Open source is the future. It sets us free. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines