[CentOS] ssh -X versus -Y

John Hodrien

J.H.Hodrien at leeds.ac.uk
Mon Jul 6 11:31:56 UTC 2015


On Mon, 6 Jul 2015, Liam O'Toole wrote:

> On 2015-07-05, Gordon Messmer > <gordon.messmer at gmail.com> wrote:
>> On 07/05/2015 04:51 AM, Liam O'Toole wrote:
>>
>> At this point, I don't think it's even possible to set
>> ForwardX11Trusted=no any more.  The X SECURITY extension was replaced
>> with "X Access Control Extension" several years ago.
>
> The perceived difference was a general impression on my part, and not
> measured scientifically. Moreover, it was formed years ago, and on a
> variety of Linux systems. I concede that it may well be obsolete.

EL6:

ssh -X -o ForwardX11Trusted=no somehost xterm
<select some text in the window>

X Error of failed request:  BadAccess (attempt to access private resource denied)

ssh -Y -o ForwardX11Trusted=no somehost xterm
<select some text in the window>

All well.

ssh -X -o ForwardX11Trusted=yes somehost xterm
<select some text in the window>

All well (unsurprising really, seeing as it means the same thing).

-X/-Y/ForwardX11Trusted still do exactly what they've always done, no?

You're trusting the remote host to not misbehave if you use -Y or
ForwardX11Trusted=yes since at the very least you're opening up a fairly large
information leakage to the remote host.  That's fine if you do trust it, but
it really isn't if you don't, surely?

jh



More information about the CentOS mailing list