On Wednesday 12 May 2010 02:25 PM, birger wrote: > On Wed, 2010-05-12 at 11:15 -0700, Suvayu Ali wrote: >> On Wednesday 12 May 2010 08:55 AM, Kevin Fenzi wrote: >>> On Tue, 11 May 2010 21:42:35 -0700 >>> Suvayu Ali<fatkasuvayu+linux@xxxxxxxxx> wrote: >>> >>>> I think the man page for ssh is a little misleading (mis-worded >>>> maybe?). I posted the relevant section from `man 5 ssh_config' in >>>> another message to this thread. That seems to imply otherwise. >>>> >>>> I'm not at all well versed in anything X, given the above mentioned >>>> doc would you still think its better to use -X over -Y? >>> >>> Yes. >>> >>> Only use -Y if -X doesn't work, or you are in a isolated/trusted env >>> where you know no one else will ever have access to the machine you are >>> connecting to. ;) >>> >>> At least that would be my advice. >>> >> >> Okay, thanks for the response. :) I'll see whether this affects my use >> case for ssh (usually its some remote server with _no_ physical access >> to anyone). > > I would like to clarify one thing. This isn't about physical access. If > you use -Y then no access controls apply. That is, X apps do not have to > identify themselves to the server using a secret from your .Xauthority > file. Anyone logged into the remote system can set DISPLAY to point to > your socket and listen in to everything going on in your X server. They > can mirror windows to their own screen, grab all keyboard input, etc... > > If you cannot get -X to work it may be as simple as the xauth command > not being installed at the remote end. sshd needs to run xauth to push > the authentication secret into the .Xauthority file. > > When ssh'ing between systems with a common home directory the file is > there already, so a missing xauth may not really matter. > Thank you for this very clear explanation. This wasn't clear to me from the documentation (my lack of understanding of X definitely shows :-p). I'll start changing all my `ssh -Y' aliases to `ssh -X'. -- Suvayu Open source is the future. It sets us free. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
