On Thu, 21 Sep 2017 16:44:47 -0700, Rick wrote in message 
<[email protected]>:

> Quoting Arnt Karlsen ([email protected]):
> 
> > ..my preference was the -X option: ssh -X root@localhost
> > until Debian killed it with some new policy.
> 
> Was it Debian that did that?  I was never sure.  I just remember that
> 'ssh -X' suddenly no longer did X11 forwarding as it used to, but I
> looked up the problem and saw that 'ssh -Y' now did that.  I never
> chased down the matter further.

..hum, agreed, one of us should have.

> (/me Web-searches:)
> 
> It has something to do with 'untrusted X11', mentioned in passing
> here:
> https://unix.stackexchange.com/questions/12755/how-to-forward-x-over-ssh-to-run-graphics-applications-remotely
> 
> -Y 'enables trusted X11 forwarding':
> 
> https://serverfault.com/questions/273847/what-does-warning-untrusted-x11-forwarding-setup-failed-xauth-key-data-not-ge
> 
>   "Untrusted" in this context means you don't trust the connection.
>   SSH will use additional security measures to try to make X11
>   forwarding safer. "Trusted" means you are entirely confident that no
>   one on the remote host will get access to your Xauth data and use it
>   to monitor your keystrokes for instance.
> 
>   This terminology actually confused me for years. I thought "Trusted"
>   connections were safer. But actually it's an option you're supposed
>   to use in situations where the connection IS trustworthy and you want
>   to run stuff without extra security measures getting in your way.
>   "Untrusted" is the one that makes it (somewhat) safer to deal with
>   an untrusted remote host.
> 
>   An "Untrusted" connection attempts to limit what a black hat could
>   do to you by engaging the X11 security extension and disabling other
>   extensions that you (hopefully) don't need. This is probably why
>   RandR is disabled with -X. Do you need to be able to rotate your X
>   display from the remote host?

..not really, I would possibly "need" gradual rotations controlled 
by a head tracker for use in FlightGear or flying fpv with one of 
these: 

>   It's also important to note that "untrusted" X11 forwarding turns
>   off after a certain amount of time to keep you from accidentally
>   leaving it on. New attempts to open windows will just fail after
>   that. That bit me several times before I read enough docs to
>   understand what was happening.

..if you use passwd-free ssh authorisation, it's simply another
[arrow-up] hit and you're back in.

> My surmise is, not a Debian change, so much as a Portable OpenSSH
> change.
> 
> _______________________________________________
> Dng mailing list
> [email protected]
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


-- 
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
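
The trusted/untrusted distinction discussed in this thread can be checked per host from the client's effective configuration, which `ssh -G <host>` prints on OpenSSH clients that support that flag. The following is an added example, not part of either poster's message: the function names `x11_mode`, `sample_untrusted` and `sample_trusted` are hypothetical, and the sample configuration lines and host name are constructed.

```shell
#!/bin/sh
# Added example: classify X11 forwarding from `ssh -G <host>` style output.
# Reads "keyword value" lines on stdin and prints one of:
#   off | trusted | untrusted timeout=<N>s | untrusted timeout=none
#   | untrusted timeout=unknown
x11_mode() {
    awk '
        { key = tolower($1) }
        key == "forwardx11"        { fwd = tolower($2) }
        key == "forwardx11trusted" { trusted = tolower($2) }
        key == "forwardx11timeout" { timeout = $2 }
        END {
            if (fwd != "yes")            print "off"
            else if (trusted == "yes")   print "trusted"
            else if (timeout == "")      print "untrusted timeout=unknown"
            else if (timeout + 0 == 0)   print "untrusted timeout=none"
            else                         print "untrusted timeout=" timeout "s"
        }'
}

# Constructed sample: forwarding on, X11 SECURITY extension restrictions
# in effect, forwarding expires after 1200 seconds.
sample_untrusted() {
    cat <<'EOF'
hostname build.example.org
forwardx11 yes
forwardx11trusted no
forwardx11timeout 1200
EOF
}

# Constructed sample: forwarding on with no restrictions on the remote
# clients (ForwardX11Trusted yes).
sample_trusted() {
    cat <<'EOF'
hostname build.example.org
forwardx11 yes
forwardx11trusted yes
forwardx11timeout 1200
EOF
}

echo "untrusted sample: $(sample_untrusted | x11_mode)"
echo "trusted sample:   $(sample_trusted | x11_mode)"
# Real use (needs an OpenSSH client and a configured host):
#   ssh -G somehost | x11_mode
```

A result of `trusted` for a host you do not fully control is the case the quoted Server Fault answer warns about; `untrusted timeout=<N>s` explains windows that stop opening after a while.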