[CentOS] remote ssh to machine how display firefox

Fri Dec 7 23:35:15 UTC 2007

Les Mikesell wrote:
> Karanbir Singh wrote:
> 
>>>>> ssh -X <machine to connect to> firefox
>>>> you prolly meant -Y :D
>>>>
>>> Ok well just double checked and tested it here and -X works here.  I
>>> knew about -Y but thought you only use that if you absolutely have
>>> too :)
>>
>> the reason I would prefer -Y is that its ( well, the man page says
>> anyway ) more secure than -X. Also, these days a lot of admins will
>> disable -X functionality on machines. Have not come across anywhere -Y
>> didnt work ( and the host OS was installed in the last 5 years ).
>>
>> I am not doubting that -X will mostly work, but perhaps we should be
>> promoting the idea of -Y a bit more.
> 
> Coming from a fedora client, you have had to specify -Y for a while for
> most things to work.  But I don't think the man page makes it very clear
> what the difference is.  What's a 'trusted' forwarding mean as opposed
> to any other kind?
>

here is ( a badly formated scrape from the man page )

----8<----

X11 forwarding should be enabled with caution.  Users with the ability
to bypass file permissions on the remote host (for the user’s X
authorization database) can access the local X11 display through the
forwarded connection. An attacker may then be able to perform activities
such as keystroke monitor-ing.

----8<----

and the -Y option indicates:
     -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings
are not subjected to the X11 SECURITY extension controls.

----8<----

I am not quite sure about the implications of the X11 Security extension
controls myself. But, i suppose thats worth some investigation.

-- 
Karanbir Singh : http://www.karan.org/ : 2522219 at icq