:: Re: [DNG] New behaviour under Devua…
Author: Rick Moen
Date:
To: dng
Subject: Re: [DNG] New behaviour under Devuan.
Quoting Arnt Karlsen (arnt@???):

> ..my preference was the -X option: ssh -X root@localhost
> until Debian killed it with some new policy.


Was it Debian that did that? I was never sure. I just remember that
'ssh -X' suddenly no longer did X11 forwarding as it used to, but I
looked up the problem and saw that 'ssh -Y' now did that. I never
chased down the matter further.

(/me Web-searches:)

It has something to do with 'untrusted X11', mentioned in passing here:
https://unix.stackexchange.com/questions/12755/how-to-forward-x-over-ssh-to-run-graphics-applications-remotely

-Y 'enables trusted X11 forwarding':

https://serverfault.com/questions/273847/what-does-warning-untrusted-x11-forwarding-setup-failed-xauth-key-data-not-ge

"Untrusted" in this context means you don't trust the connection. SSH
will use additional security measures to try to make X11 forwarding
safer. "Trusted" means you are entirely confident that no one on the
remote host will get access to your Xauth data and use it to monitor
your keystrokes for instance.

This terminology actually confused me for years. I thought "Trusted"
connections were safer. But actually it's an option you're supposed to
use in situations where the connection IS trustworthy and you want to
run stuff without extra security measures getting in your way.
"Untrusted" is the one that makes it (somewhat) safer to deal with an
untrusted remote host.

An "Untrusted" connection attempts to limit what a black hat could do to
you by engaging the X11 security extension and disabling other
extensions that you (hopefully) don't need. This is probably why RandR
is disabled with -X. Do you need to be able to rotate your X display
from the remote host?

It's also important to note that "untrusted" X11 forwarding turns off
after a certain amount of time to keep you from accidentally leaving it
on. New attempts to open windows will just fail after that. That bit me
several times before I read enough docs to understand what was
happening.

My surmise is, not a Debian change, so much as a Portable OpenSSH change.
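
Added example, not part of the original post: a shell check that reads the resolved client configuration printed by `ssh -G` and reports whether X11 forwarding would be off, untrusted (the restricted, time-limited mode the quoted answer describes) or trusted. The function names and the sample lines are constructed for illustration; `ForwardX11`, `ForwardX11Trusted` and `ForwardX11Timeout` are the ssh_config keywords behind them.

```shell
#!/bin/sh
# Added example: classify the effective X11-forwarding mode of an OpenSSH client.
# `ssh -G` prints the resolved client configuration as lowercase
# "keyword value" lines, which is what classify_x11 expects on stdin.

# Print one verdict: off | untrusted timeout=<seconds> | trusted
classify_x11() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        $1 == "forwardx11timeout" { timeout = $2 }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted timeout=" timeout
        }'
}

# Live check (needs an OpenSSH client). Options go before the host, e.g.
#   audit_host -X example.invalid
audit_host() {
    ssh -G "$@" | classify_x11
}

# Constructed samples, trimmed to the relevant keywords.
sample_untrusted() {
    printf '%s\n' 'hostname example.invalid' 'forwardx11 yes' \
        'forwardx11trusted no' 'forwardx11timeout 1200'
}
sample_trusted() {
    printf '%s\n' 'hostname example.invalid' 'forwardx11 yes' \
        'forwardx11trusted yes' 'forwardx11timeout 1200'
}
sample_off() {
    printf '%s\n' 'hostname example.invalid' 'forwardx11 no' \
        'forwardx11trusted no' 'forwardx11timeout 1200'
}

for s in sample_untrusted sample_trusted sample_off; do
    printf '%s: %s\n' "$s" "$("$s" | classify_x11)"
done
```

Running `audit_host -X somehost` on a given machine shows whether that client's configuration already turns `-X` into trusted forwarding.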