On Thu, Oct 23, 2003 at 01:15:40PM -0400, Joe Altman wrote: > >From the FreeBSD man page: > > X11Forwarding > Specifies whether X11 forwarding is permitted. The > argument must be ``yes'' or ``no''. The default is > ``yes''. > > >From the NetBSD page: > > X11Forwarding > Specifies whether X11 forwarding is permitted. The > argument must be ``yes'' or ``no''. The default is > ``no''. > > I don't mean to compare apples and oranges, nor to start a "My OS can > kick your OSes butt" thread; but I am wondering about the > difference. It seems the NetBSD default is safer, but I am also no > security wonk. It occurred to me that the man page for FreeBSD could > be incorrect; but I doubt that...it actually strikes me as a choice > made to reflect a balance between options. > > Is the default set to no a more secure option? Or is it something that > can be arguH^H^discussed at length?
By default it's enabled in the server but disabled in the client. > I do note that the man page for both OSes states that UseLogin > defaults to no, and that if used, X11 forwarding is turned off. > However, in the default config file for sshd, the line for UseLogin is > commented out. Given this latter state of affairs, can I continue to > assume that X11 forwarding is in fact _not_ enabled by default in > FreeBSD? That's incorrect; X11 forwarding does not depend on UseLogin. > Oh, and what is the difference between the entry in the ssh_config > file and the sshd_config file? Client vs server. > Hmmm....now I'm thinking that this: serverargs="-nolisten tcp" > > in /usr/X11R6/bin/startx/ may make this a bit of a moot point....is > this correct? No, ssh's X forwarding uses a local socket to communicate to the server. Kris
Description: PGP signature