[CentOS] ssh -X versus -Y

Mon Jul 6 11:31:56 UTC 2015
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Mon, 6 Jul 2015, Liam O'Toole wrote:

> On 2015-07-05, Gordon Messmer > <gordon.messmer at gmail.com> wrote:
>> On 07/05/2015 04:51 AM, Liam O'Toole wrote:
>>
>> At this point, I don't think it's even possible to set
>> ForwardX11Trusted=no any more.  The X SECURITY extension was replaced
>> with "X Access Control Extension" several years ago.
>
> The perceived difference was a general impression on my part, and not
> measured scientifically. Moreover, it was formed years ago, and on a
> variety of Linux systems. I concede that it may well be obsolete.

EL6:

ssh -X -o ForwardX11Trusted=no somehost xterm
<select some text in the window>

X Error of failed request:  BadAccess (attempt to access private resource denied)

ssh -Y -o ForwardX11Trusted=no somehost xterm
<select some text in the window>

All well.

ssh -X -o ForwardX11Trusted=yes somehost xterm
<select some text in the window>

All well (unsurprising really, seeing as it means the same thing).

-X/-Y/ForwardX11Trusted still do exactly what they've always done, no?

You're trusting the remote host to not misbehave if you use -Y or
ForwardX11Trusted=yes since at the very least you're opening up a fairly large
information leakage to the remote host.  That's fine if you do trust it, but
it really isn't if you don't, surely?

jh