#9  March 7th, 2006, 04:51 PM
Frank Sainsbury
Oops, this is from OS X 10.4 to Fedora Core.
Well:
Option 2 was ssh -X,
and that gives an X display but not OpenGL support.

Option 4:
ssh -Y cor
frank@cor's password:
#check gecg.000251
Works, yay! And thanks.

#10  March 7th, 2006, 06:02 PM
Frank Sainsbury
Option 2 was ssh -X; I could get an xterm but no OpenGL support.

Option 4 (note: from OS X 10.4 to Linux, Fedora Core):
ssh -Y cor
worked! Thanks.
NB: option not in 10.3.

#11  March 7th, 2006, 06:20 PM
tomdkat
Here is info from the OpenSSH man page on ssh:

Quote:
Originally Posted by OpenSSH manpage
-X      Enables X11 forwarding. This can also be specified on a per-host
        basis in a configuration file.

        X11 forwarding should be enabled with caution. Users with the
        ability to bypass file permissions on the remote host (for the
        user's X authorization database) can access the local X11 display
        through the forwarded connection. An attacker may then be able
        to perform activities such as keystroke monitoring.

        For this reason, X11 forwarding is subjected to X11 SECURITY
        extension restrictions by default. Please refer to the ssh -Y
        option and the ForwardX11Trusted directive in ssh_config(5) for
        more information.

-x      Disables X11 forwarding.

-Y      Enables trusted X11 forwarding. Trusted X11 forwardings are not
        subjected to the X11 SECURITY extension controls.

I wasn't aware of the "-Y" option, until I found this thread. I hope all who use it are aware of the security implications of using it.

Peace...

#12  March 8th, 2006, 11:50 AM
lurk
Well in practice -Y is the new -X, all it is saying is basically that you trust the admin on the box you are connecting to, that the host itself is trusted. This is certainly nothing like the old issue of things like 'xhost +' and the like. Unless I am missing something, the new -Y is no less secure than the old -X that we have been using up to this point.

#13  March 8th, 2006, 02:03 PM
tomdkat
Quote:
Originally Posted by lurk
Unless I am missing something, the new -Y is no less secure than the old -X that we have been using up to this point.
The warning given in the -X description is enough for me and something I think should be considered.

I'm not saying don't use -Y but only be aware of the implications of doing so, that's all.

As for using "xhost +", I think that's something I would never do. I always use "xhost +localhost" to make sure no remote connections will be accepted, unless they are permitted by me.

Peace....

#14  March 8th, 2006, 03:19 PM
nixgeek
I didn't know about -Y either.....good to know. I knew that X11 forwarding was a little risky but I wasn't too concerned yet, but if using the -Y gives me some added security, I'll use that instead.
__________________
• Apple iMac G5 17" (2 GHz G5) - Mac OS X 10.4.11
• Apple Macintosh Quadra 650 (33 MHz MC68040) - Mac OS 8.1
• Apple PowerBook Duo 230 (33 MHz MC68030) - System 7.1
• "JHVH-1" (2 GHz AMD Athlon XP 2400+) - Slackware 12.1
• "Kidbuntu" (2.8 GHz Celeron D 335) - Ubuntu 8.04

#15  March 8th, 2006, 04:41 PM
tomdkat
Quote:
Originally Posted by nixgeek
but if using the -Y gives me some added security, I'll use that instead.
I think it does the opposite. "-Y" means the remote X clients are trusted so local X security extension restrictions are bypassed. This will be fine if the remote system is known to be trusted, but if "-Y" is being viewed as similar to "xhost +", then I would consider it unsafe, in general.

Anywho, I just wanted to make those using "-Y" aware of the security implications.

Peace...
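
Added example (not part of any post in this thread, and not OpenSSH project code): the per-host configuration that the quoted man page refers to, with trusted forwarding limited to the host `cor` from the posts above, plus a small check that lists which Host blocks grant it. The host `build.example.org` and the function names are made up for illustration.

```shell
#!/bin/sh
# Constructed sample ssh_config. "cor" is the host named in the thread;
# "build.example.org" is a made-up second host.
sample_config() {
cat <<'EOF'
# OpenGL over X11 needed here, and the remote admin is trusted (same as -Y).
Host cor
    ForwardX11 yes
    ForwardX11Trusted yes

# Forwarding subject to the X11 SECURITY extension restrictions.
Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted no

# Everything else: no X11 forwarding. Kept last because ssh uses the
# first value it obtains for each keyword.
Host *
    ForwardX11 no
    ForwardX11Trusted no
EOF
}

# Read an ssh_config on stdin and print the pattern list of every block
# that explicitly sets ForwardX11Trusted to yes. Settings above the first
# Host line apply to all hosts and are reported as "*".
# Simplification: Include files are not followed and overlapping patterns
# are not resolved; "ssh -G <host>" prints the effective values for a host.
trusted_x11_hosts() {
    awk '
        BEGIN { block = "*" }
        # Strip indentation; accept "Keyword=value" as well as "Keyword value".
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }
        { key = tolower($1) }
        key == "host" || key == "match" {
            $1 = ""; sub(/^ /, "")
            block = (key == "match" ? "Match " : "") $0
            next
        }
        key == "forwardx11trusted" && tolower($2) == "yes" { print block }
    '
}

sample_config | trusted_x11_hosts   # lists only: cor
```

To check a real file, run `trusted_x11_hosts < ~/.ssh/config`; a `*` in the output means trusted forwarding is granted to every host that no earlier block overrides.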