On Sun, Dec 21, 2014 at 6:25 AM, Harry Putnam <reader@×××××××.com> wrote:
>
> Still kind of puzzled about how ssh determines, when -Y is used, when
> x11-forwardings are `TRUSTED'.
>

When -Y is used, all forwarding is trusted, and when -X is used
nothing is trusted. With -Y all ssh does is forward X11 traffic to
the X server unfiltered. With -X there is an X11 security extension
that gets used to prevent some things like keyboard snooping. X11 is
pretty weak from a security standpoint - in its normal state any X
client can do all kinds of stuff that could compromise security, like
capture keyboard input to a window owned by another client. So, your
music player can keylog your browser session/etc. Obviously remote X
clients further compound this.

-X is supposed to protect against some of these issues, but it doesn't
work on Gentoo. I'd have to research why again - I forget if it was
an ssh issue, or an xorg issue.

--
Rich
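
Added example, not part of Rich's message: in the OpenSSH client configuration, -X corresponds to `ForwardX11` and -Y additionally sets `ForwardX11Trusted`. The Python sketch below reads a constructed ssh_config sample and reports, per Host block, whether forwarded X11 clients would be treated as trusted; the host names and function names are assumptions made for the example.

```python
import re

# Constructed sample client config (hosts are placeholders, not from the thread).
SAMPLE_CONFIG = """\
Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted yes
Host jump.example.org
    ForwardX11 yes
    ForwardX11Trusted no
Host *
    forwardx11=yes
"""

KEYS = ("forwardx11", "forwardx11trusted")

def parse_blocks(text):
    """Map each Host pattern (or '(global)') to its X11 forwarding keywords."""
    blocks, current = {}, "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" and "Keyword=value";
        # keywords are case-insensitive.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("host", "match"):
            current = value
        elif key in KEYS:
            # ssh uses the first value it obtains, so keep the first per block.
            blocks.setdefault(current, {}).setdefault(key, value.lower())
    return blocks

def classify(opts):
    """Describe the trust level X11 clients get when forwarding is on."""
    if opts.get("forwardx11trusted") == "yes":
        return "trusted"      # same as -Y: no SECURITY extension restrictions
    if opts.get("forwardx11trusted") == "no":
        return "untrusted"    # -X with restrictions applied
    return "default"          # unset: the build or distribution default decides

def audit(text):
    return {host: classify(opts) for host, opts in parse_blocks(text).items()}
```

`ssh -G <host>` prints the effective values after all matching blocks are merged, which this per-block audit does not attempt.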