On Sat, Oct 30, 2004 at 11:06:13AM -0600, Michal Jaegermann wrote:
> On Sat, Oct 30, 2004 at 10:54:35AM -0500, Satish Balay wrote:
> >
> > If you ssh into FC3 (from a different machine with older ssh) - you
> > can run firefox. If you ssh from FC3 into any other machine - you
> > need 'ssh -y' for it to work.
>
> Actually this is '-Y' and not '-y' and this makes a difference. :-)
>
> There is another problem, though. 'man ssh' says:
>
> X11 and TCP forwarding
>      If the ForwardX11 variable is set to "yes" (or see the description of the
>      -X and -x options described later) and the user is using X11 (the DISPLAY
>      environment variable is set), the connection to the X11 display is auto-
>      matically forwarded to the remote side in such a way that any X11 pro-
>      grams started from the shell (or command) will go through the encrypted
>      channel, and the connection to the real X server will be made from the
>      local machine.
>
> and not a peep about some '-Y'. It is true that some other places
> you can find some mentions about "trusted" but what "trusted" may
> be is never really explained.

The short-and-probably-inadequate explanation is that untrusted clients
can only interact/mess with other untrusted clients, the idea being that
you have clients which might misbehave, and those that you trust to not.

There's a bit more on the specifics of the -X/ForwardX11 and
-Y/ForwardX11Trusted options in the ssh_config(5) man page, and a bit
more in xauth(1)'s documentation of the "generate" command. There's
also the security extension spec itself [1].

HTH,

Nalin

[1] http://www.xfree86.org/snapshot/security.pdf
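
Added example, not part of the original message or of OpenSSH: a small check that reports, for a given host, whether a client configuration amounts to no X11 forwarding, `-X` (untrusted) or `-Y` (trusted), using the ssh_config(5) rule that the first value obtained for each option wins. The function names and host names are hypothetical, the sample configuration is constructed, `Match` blocks are not evaluated, and both options are assumed to default to "no" as in upstream OpenSSH.

```python
import fnmatch
import re

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted.
LINE = re.compile(r"(\S+?)\s*(?:=|\s)\s*(.*)")
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}  # assumed upstream defaults

def host_matches(patterns, hostname):
    """A Host line applies if a pattern matches and no negated pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            positive = True
    return positive

def effective_x11(config_text, hostname):
    """Return 'none', 'untrusted' (like -X) or 'trusted' (like -Y)."""
    seen = {}
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif key == "match":
            active = False  # simplification: Match blocks are skipped
        elif active and key in DEFAULTS:
            seen.setdefault(key, value.lower())  # first obtained value wins
    opts = {**DEFAULTS, **seen}
    if opts["forwardx11"] != "yes":
        return "none"  # ForwardX11Trusted alone forwards nothing
    return "trusted" if opts["forwardx11trusted"] == "yes" else "untrusted"

# Constructed sample configuration (hypothetical hosts).
SAMPLE = """\
Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted no
Host *.lab.example.org !gw.lab.example.org
    ForwardX11 yes
Host *
    ForwardX11Trusted yes
"""
```

With this sample, a lab workstation ends up with trusted forwarding because the wildcard block supplies `ForwardX11Trusted yes`, while `build.example.org` stays untrusted since its own earlier value takes precedence.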