Jason Stelzer on 19 Aug 2010 07:04:35 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] X11 forwarding.

  • From: Jason Stelzer <jason.stelzer@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] X11 forwarding.
  • Date: Thu, 19 Aug 2010 10:04:30 -0400
  • Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=7yis9UT8Kr83L2NYjJW6TaRpMf5HjwPdu4B/hwCYD04=; b=Wf78KmhNS5S2GhIp5oA6yXQbGIOKla4Vvhikolgf61IUP0XwfBIbSmMaNCck/McfL7 teAWp4AWU/LSoHlBKh09CA04QxcVWv4LtxnmuAO7SU23FNmkOzGdKXqLNxIkAFoasue6 EzYrILSuul2u/x735+UNaJ4fUnDkN9b9XUVC8=
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

On Wed, Aug 18, 2010 at 8:46 PM, Joe Kisela <jkisela@gmail.com> wrote:
> for reliable X11 forwarding over sshd, I've usually used "ssh -X -C -P
> $target"Â No, I can't remember what the incantation does, excersize for the
> reader.
> The link that was included regarding -Y didn't clear its use for me, its the
> first that I've heard about it, can you show what its used for, I'm
> genuinely curious, not trying to challenge you. I mean, I used to make
> XTerminals for a living :-)

The -Y allows things that don't adhere to the X11 security extension.

Trusted X11 means that you believe that the server isn't compromised
and that X11 programs can do whatever they normally do. Screenshots,

Untrusted X11 is yet another layer of obscurity on top of an already
suspect idea. What it tries to do is use xauth and the security
extension to limit what X11 clients are allowed to do. But really...
because the security extension has such a limited access control
policy and is pretty arbitrary with what it can do across
configurations... all it really gets you is a false sense of security
and a bunch of X11 programs that don't work.

For instance a few years back when this whole change happened, none of
my gtk2 programs would start unless I used -Y. I'm sure that the
BadAccess errors are fewer now, but I generally don't use remote X11
apps so honestly, I'm not sure how much of an issue it is these days.

Here's the pdf that explains the X extension.


It's fairly old news.

In a nutshell,

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug