On Sun, Mar 20, 2016 at 07:47:58AM +0800, Erich Dollansky wrote:
> Hi,
>
> On Sat, 19 Mar 2016 08:23:09 -0600
> Ian Lepore <[email protected]> wrote:
>
> > On Sat, 2016-03-19 at 13:48 +0800, Erich Dollansky wrote:
> > >
> > > nothing else was changed on the machine except the update. I could
> > > use
> > >
> > > ssh 192.168.12.12
> > >
> > > to connect to a jail running under that IP address before the update
> > > without problems.
> > >
> > > It works now only with
> > >
> > > ssh -Y 192.168.12.12
> > >
> > > The /etc/ssh/ssh_config file says:
> > >
> > > Host *
> > > ForwardX11 yes
> > >
> > > So, it should allow to connect to all machines providing ssh and
> > > forward X11.
> > >
> > > What did I miss?
> >
> > If -Y works, the ssh config file option that corresponds to that is
> > ForwardX11Trusted. ForwardX11 corresponds to -X. (Not sure what
> > changed, just throwing out the one little crumb of info I've got.)
> >
> I got this as an off-list reply:
>
> Could this be related to FreeBSD-SA-16:14.openssh?

Not FreeBSD-SA-16:14.openssh and CVE-2016-3115 respectively, but most
likely the changes for CVE-2016-1908 which came in as part of the upgrade
to OpenSSH 7.2p2, i.e. (among others):
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c

The xorg-server port is built with the X11 SECURITY extension disabled.
I can only suspect that the intent is to use a nested X server such as
Xephyr for securely running applications instead.

Actually, I'm surprised that such a fallback to trusted forwarding
existed. I believe it wasn't present back when ForwardX11Trusted was
introduced, essentially already causing the trouble you're now hitting.

Marius
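
An added example, not part of the thread and not OpenSSH code: a shell check for the situation described above, where the client no longer falls back to trusted forwarding and the X server lacks the SECURITY extension. The function name, the verdict labels and the sample inputs are constructed for illustration; the inputs follow the output format of `ssh -G <host>` and `xdpyinfo`.

```shell
#!/bin/sh
# Classify X11 forwarding for a client that has no untrusted-to-trusted
# fallback (the CVE-2016-1908 change discussed in the thread).
#   $1 = effective client config, as printed by `ssh -G <host>`
#   $2 = X server extension list, as printed by `xdpyinfo`
x11_forward_verdict() {
    cfg=$1
    exts=$2
    # ssh -G prints lowercase keywords, one "key value" pair per line.
    fwd=$(printf '%s\n' "$cfg" | awk '$1 == "forwardx11" {print $2}')
    trusted=$(printf '%s\n' "$cfg" | awk '$1 == "forwardx11trusted" {print $2}')
    # Exact match on the extension name in xdpyinfo's indented list.
    if printf '%s\n' "$exts" | awk '$1 == "SECURITY" {f=1} END {exit !f}'; then
        has_security=yes
    else
        has_security=no
    fi

    if [ "$fwd" != yes ]; then
        echo "off"                    # no X11 forwarding requested
    elif [ "$trusted" = yes ]; then
        echo "trusted"                # equivalent of ssh -Y
    elif [ "$has_security" = yes ]; then
        echo "untrusted"              # equivalent of ssh -X, restricted by SECURITY
    else
        echo "untrusted-unavailable"  # ssh -X requested, server cannot restrict it
    fi
}

# Constructed sample: the ssh_config from the thread (ForwardX11 yes only).
SAMPLE_CFG='hostname 192.168.12.12
forwardx11 yes
forwardx11trusted no'

# Constructed sample: an X server built without the SECURITY extension.
SAMPLE_EXTS_NOSEC='number of extensions:    3
    BIG-REQUESTS
    MIT-SHM
    XFIXES'

x11_forward_verdict "$SAMPLE_CFG" "$SAMPLE_EXTS_NOSEC"
# On a live system: x11_forward_verdict "$(ssh -G 192.168.12.12)" "$(xdpyinfo)"
```

A result of `untrusted-unavailable` matches the symptom in the thread: plain `ssh` with `ForwardX11 yes` no longer forwards X11, while `-Y` still does.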
