| 1 |
On Sun, Dec 21, 2014 at 6:25 AM, Harry Putnam <reader@×××××××.com> wrote: |
| 2 |
> |
| 3 |
> Still kind of puzzled about how ssh determines, when -Y is used, when |
| 4 |
> xll-forwardings are `TRUSTED'. |
| 5 |
> |
| 6 |
|
| 7 |
When -Y is used, all forwarding is trusted, and when -X is used |
| 8 |
nothing is trusted. With -Y all ssh does is forward X11 traffic to |
| 9 |
the X server unfiltered. With -X there is an X11 security extension |
| 10 |
that gets used to prevent some things like keyboard snooping. X11 is |
| 11 |
pretty weak from a security standpoint - in its normal state any X |
| 12 |
client can do all kinds of stuff that could compromise security, like |
| 13 |
capture keyboard input to a window owned by another client. So, your |
| 14 |
music player can keylog your browser session/etc. Obviously remote X |
| 15 |
clients further compounds this. |
| 16 |
|
| 17 |
-X is supposed to protect against some of these issues, but it doesn't |
| 18 |
work on Gentoo. I'd have to research why again - I forget if it was |
| 19 |
an ssh issue, or an xorg issue. |
| 20 |
|
| 21 |
-- |
| 22 |
Rich |
Archives