[prev in list] [next in list] [prev in thread] [next in thread]
List: fedora-list
Subject: Re: X11 forward in F12
From: Gene Heskett <gene.heskett () verizon ! net>
Date: 2010-05-12 3:06:12
Message-ID: 201005112306.12409.gene.heskett () verizon ! net
[Download RAW message or body]
On Tuesday 11 May 2010, Tim wrote:
>On Tue, 2010-05-11 at 14:43 -0700, Suvayu Ali wrote:
>> May I suggest using -Y instead of -X. Its supposed to be more secure.
>
>That's not clear from the man file:
>
> -X Enables X11 forwarding. This can also be specified on a
> per-host basis in a configuration file.
>
> X11 forwarding should be enabled with caution. Users with the
> ability to bypass file permissions on the remote host (for the
> user's X authorization database) can access the local X11
> display through the forwarded connection. An attacker may then be able to
> perform activities such as keystroke monitoring.
>
> For this reason, X11 forwarding is subjected to X11 SECURITY
> extension restrictions by default. Please refer to the ssh -Y
> option and the ForwardX11Trusted directive in ssh_config(5)
> for more information.
>
>
>
> -Y Enables trusted X11 forwarding. Trusted X11 forwardings are
> not subjected to the X11 SECURITY extension controls.
>
>Looking at that, it sounds like -Y is subjected to less controls, even
>if it may have less of a flaw, in the first place. It doesn't sound
>reassuring, either way.
>
If I can toss an oar in here, I have always used -Y, mainly because -X has
never worked for me. -Y is flawless as long as the user is the X user.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
As a goatherd learns his trade by goat, so a writer learns his trade by
wrote.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic