On Thu, 21 Sep 2017 16:44:47 -0700, Rick wrote in message <[email protected]>:
> Quoting Arnt Karlsen ([email protected]): > > > ..my prefecence was the -X option: ssh -X root@localhost > > until Debian killed it with some new policy. > > Was it Debian that did that? I was never sure. I just remember that > 'ssh -X' suddenly no longer did X11 forwarding as it used to, but I > looked up the problem and saw that 'ssh -Y' now did that. I never > chased down the matter further. ..hum, agreed, one of us should have. > (/me Web-searches:) > > It has something to do with 'untrusted X11', mentioned in passing > here: > https://unix.stackexchange.com/questions/12755/how-to-forward-x-over-ssh-to-run-graphics-applications-remotely > > -Y 'enables trusted X11 forwarding': > > https://serverfault.com/questions/273847/what-does-warning-untrusted-x11-forwarding-setup-failed-xauth-key-data-not-ge > > "Untrusted" in this context means you don't trust the connection. > SSH will use additional security measures to try to make X11 > forwarding safer. "Trusted" means you are entirely confident that no > on on the remote host will get access to your Xauth data and use it > to monitor your keystrokes for instance. > > This terminology actually confused me for years. I thought "Trusted" > connections were safer. But actually it's an option you're supposed > to use in situations where the connection IS trustworthy and you want > to run stuff without extra security measures getting in your way. > "Untrusted" is the one that makes it (somewhat) safer to deal with > an untrusted remote host. > > An "Untrusted" connection attempts to limit what a black hat could > do to you by engaging the X11 security extension and disabling other > extensions that you (hopefully) don't need. This is probably why > RandR is disabled with -X. Do you need to be able to rotate your X > display from the remote host? ..not really, I would possibly "need" gradual rotations controlled by an head tracker for use in FlightGear or flying fpv with one of these: > It's also important to note that "untrusted" X11 forwarding turns > off after a certain amount of time to keep you from accidentally > leaving it on. New attempts to open windows will just fail after > that. That bit me several times before I read enough docs to > understand what was happening. ..if you use passwd-free ssh authorisation, it's simply another [arrow-up] hit and you're back in. > My surmise is, not a Debian change, so much as a Portable OpenSSH > change. > > _______________________________________________ > Dng mailing list > [email protected] > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng -- ..med vennlig hilsen = with Kind Regards from Arnt Karlsen ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. _______________________________________________ Dng mailing list [email protected] https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
