On Tuesday 11 May 2010, Tim wrote:
>On Tue, 2010-05-11 at 14:43 -0700, Suvayu Ali wrote:
>> May I suggest using -Y instead of -X. It's supposed to be more secure.
>
>That's not clear from the man file:
>
>     -X      Enables X11 forwarding.  This can also be specified on a
>             per-host basis in a configuration file.
>
>             X11 forwarding should be enabled with caution.  Users with the
>             ability to bypass file permissions on the remote host (for the
>             user’s X authorization database) can access the local X11
>             display through the forwarded connection.  An attacker may
>             then be able to perform activities such as keystroke
>             monitoring.
>
>             For this reason, X11 forwarding is subjected to X11 SECURITY
>             extension restrictions by default.  Please refer to the ssh -Y
>             option and the ForwardX11Trusted directive in ssh_config(5)
>             for more information.
>
>     -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are
>             not subjected to the X11 SECURITY extension controls.
>
>Looking at that, it sounds like -Y is subjected to fewer controls, even
>if it may have less of a flaw, in the first place.  It doesn't sound
>reassuring, either way.
>
If I can toss an oar in here, I have always used -Y, mainly because -X has
never worked for me.  -Y is flawless as long as the user is the X user.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
As a goatherd learns his trade by goat, so a writer learns his trade by wrote.
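The man page text quoted in this message defers to the ForwardX11Trusted directive, so whether `-X` is actually restricted depends on the client configuration. As an added example (not part of the thread and not OpenSSH code), this Python function resolves the effective X11 forwarding mode for a host from ssh_config text, using first-obtained-value-wins and Host pattern matching. The sample configuration and host names are constructed, and `Match` and `Include` lines are assumed absent.

```python
import fnmatch

# Upstream OpenSSH defaults; a distribution's ssh_config may override them.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}

# Constructed sample configuration (not from the thread).
SAMPLE = """\
Host build-*
    ForwardX11 yes
    ForwardX11Trusted no
Host *
    ForwardX11Trusted yes
"""

def host_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_x11(config_text, host, flag=None):
    """Return 'off', 'untrusted' or 'trusted'; flag is None, '-X' or '-Y'."""
    seen = {}
    if flag in ("-X", "-Y"):          # command line is read before the file
        seen["forwardx11"] = "yes"
    if flag == "-Y":
        seen["forwardx11trusted"] = "yes"
    active = True                     # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif active and key in DEFAULTS and args:
            seen.setdefault(key, args[0].lower())   # first obtained value wins
    opts = {**DEFAULTS, **seen}
    if opts["forwardx11"] != "yes":
        return "off"
    return "trusted" if opts["forwardx11trusted"] == "yes" else "untrusted"

if __name__ == "__main__":
    for flag in (None, "-X", "-Y"):
        print(flag, effective_x11(SAMPLE, "desktop", flag))
```

With the sample file, `-X` to a host outside `build-*` already resolves to trusted forwarding, the same as `-Y`. On a real client, `ssh -G <host>` prints the resolved `forwardx11` and `forwardx11trusted` values.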