Jason Stelzer on 19 Aug 2010 07:04:35 -0700



Re: [PLUG] X11 forwarding.

  • From: Jason Stelzer <jason.stelzer@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] X11 forwarding.
  • Date: Thu, 19 Aug 2010 10:04:30 -0400
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

On Wed, Aug 18, 2010 at 8:46 PM, Joe Kisela <jkisela@gmail.com> wrote:
> for reliable X11 forwarding over sshd, I've usually used "ssh -X -C -P
> $target" No, I can't remember what the incantation does, exercise for the
> reader.
>
> The link that was included regarding -Y didn't clear its use for me, it's the
> first that I've heard about it, can you show what it's used for, I'm
> genuinely curious, not trying to challenge you. I mean, I used to make
> XTerminals for a living :-)

The -Y allows things that don't adhere to the X11 security extension.

Trusted X11 means that you believe that the server isn't compromised
and that X11 programs can do whatever they normally do. Screenshots,
etc.

Untrusted X11 is yet another layer of obscurity on top of an already
suspect idea. What it tries to do is use xauth and the security
extension to limit what X11 clients are allowed to do. But really...
because the security extension has such a limited access control
policy and is pretty arbitrary with what it can do across
configurations... all it really gets you is a false sense of security
and a bunch of X11 programs that don't work.

For instance a few years back when this whole change happened, none of
my gtk2 programs would start unless I used -Y. I'm sure that the
BadAccess errors are fewer now, but I generally don't use remote X11
apps so honestly, I'm not sure how much of an issue it is these days.

Here's the pdf that explains the X extension.

http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBwQFjAA&url=http%3A%2F%2Fwww.xfree86.org%2Fcurrent%2Fsecurity.pdf&ei=pTZtTI3kDcOC8gbqi_3kCw&usg=AFQjCNH_JBPZ_SfLvezs-Uk1315l9lLx-g

It's fairly old news.

http://www.juniper.net/security/auto/vulnerabilities/vuln29666.html
In a nutshell,



-- 
J.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
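
Added example, not part of the original message: a shell check that reports whether a host's effective OpenSSH client configuration gives trusted (-Y style) or untrusted (-X style) X11 forwarding, using `ssh -G` and the `ForwardX11` / `ForwardX11Trusted` options. The function names and the sample host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the X11 forwarding mode ssh would use for a host.
# Input is the effective client config printed by `ssh -G <host>`.

# x11_mode: read `ssh -G` output on stdin and print one of:
#   off            no X11 forwarding, and -X would be untrusted
#   off-X-trusted  no forwarding by default, but -X would behave like -Y
#                  (ForwardX11Trusted yes, the default on some distro builds)
#   untrusted      forwarding on, clients limited by the SECURITY extension
#   trusted        forwarding on, clients get full access to the local display
x11_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        END {
            if (fwd == "yes" && trusted == "yes") print "trusted"
            else if (fwd == "yes")                print "untrusted"
            else if (trusted == "yes")            print "off-X-trusted"
            else                                  print "off"
        }'
}

# sample_ssh_g: constructed `ssh -G` output, not taken from a real host.
sample_ssh_g() {
    printf '%s\n' \
        'hostname build01.example.test' \
        'port 22' \
        'forwardx11 yes' \
        'forwardx11trusted yes'
}

# audit_x11: print "<host> <mode>" per argument; return 1 if any host
# gets trusted forwarding from configuration alone.
audit_x11() {
    rc=0
    for host in "$@"; do
        if ! out=$(ssh -G "$host" 2>/dev/null); then
            printf '%s unknown\n' "$host"
            continue
        fi
        mode=$(printf '%s\n' "$out" | x11_mode)
        printf '%s %s\n' "$host" "$mode"
        if [ "$mode" = "trusted" ]; then rc=1; fi
    done
    return "$rc"
}
```

Run `audit_x11 host1 host2` on a workstation to see which hosts would be given unrestricted access to the local X display.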