On Mon, Jan 07, 2008 at 07:28:40AM +0200, [EMAIL PROTECTED] wrote:
> On Sat, Jan 05, 2008 at 11:38:24PM -0500, Douglas A. Tutty wrote:
> > On Sat, Jan 05, 2008 at 07:48:53PM -0800, Ted Unangst wrote:
> > > On 1/5/08, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> > > > Is there anything that, bug-wise, could go wrong with that remote
> > > > browser that would be able to read or alter anything on the local
> > > > machine? I'm talking about using ssh's X forwarding features, not using
> > > > X's native forwarding.
> > >
> > > a lot more can go wrong than can go right. in theory, yes, you are
> > > insulated from the client acting up. in practice, the isolation is
> > > often too complete. i have never had an app actually work via an ssh
> > > -X connection.
> >
> > I do it all the time. The __only__ "normal app" I can't get to work is
> > from an OpenBSD box, ssh -X to a Debian box running Iceweasel (Firefox).
> > Debian-Debian even Iceweasel works just fine.
>
> From the ssh_config manpage on Debian (Etch):
>
>     ForwardX11Trusted
>         If this option is set to ``yes'' then remote X11 clients will
>         have full access to the original X11 display.
>
>         If this option is set to ``no'' then remote X11 clients will be
>         considered untrusted and prevented from stealing or tampering
>         with data belonging to trusted X11 clients. Furthermore, the
>         xauth(1) token used for the session will be set to expire after
>         20 minutes. Remote clients will be refused access after this
>         time.
>
>         The default is ``yes'' (Debian-specific).
>                          ^^^    ^^^^^^^^^^^^^^^

Right, but when I go from an OpenBSD box via ssh to a Debian box to run apps, then that doesn't apply and I don't set ForwardX11Trusted on the OpenBSD box which I use ssh -X and not ssh -Y.

Doug.

