Why ssh -Y instead of -X?
Authored by: meitar on Sep 22, '08 06:49:07PM

I've always used ssh -X for my X11 sessions, and I've known about -Y for a short while but never used it. I know that I don't understand the intricacies of X11 very well at all, so maybe I'm misunderstanding the ssh man page, but it sounds like -Y is less secure than -X. The manual page on my system for -Y says:

Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.

while it says the following for -X:

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.

So am I to understand that using -X makes X11 sessions obey the X11 SECURITY extension (is that the xauth stuff?) whereas -Y trusts any and all X11 connections? How is that better? Or am I misreading something…?

---
-Meitar Moscovitz
Professional: http://MeitarMoscovitz.com/
Personal: http://maymay.net/
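
The distinction in the man page text quoted above comes down to two client options, ForwardX11 and ForwardX11Trusted. As an added example (not part of the original comment), this shell function reads an effective client configuration in the format printed by `ssh -G` and reports which mode applies; the helper name `x11_mode` and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify X11 forwarding from an effective ssh client
# configuration (the "keyword value" lines that `ssh -G <host>` prints).
# x11_mode is a hypothetical helper name, not part of OpenSSH.

x11_mode() {
    # Reads the configuration dump on stdin. If a keyword repeats, the
    # last value is used; `ssh -G` prints each option once, already resolved.
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "forwardx11"        { fwd = val }
        key == "forwardx11trusted" { trusted = val }
        END {
            if (fwd != "yes")          print "disabled"
            else if (trusted == "yes") print "trusted"    # what ssh -Y requests
            else                       print "untrusted"  # SECURITY extension applies
        }'
}

# Constructed samples (not captured from a real host).
sample_x_default='hostname example.invalid
forwardx11 yes
forwardx11trusted no'

# -X on the command line, but ForwardX11Trusted yes set in ssh_config.
sample_x_trusted_in_config='hostname example.invalid
forwardx11 yes
forwardx11trusted yes'

sample_no_forwarding='hostname example.invalid
forwardx11 no
forwardx11trusted no'

printf '%s\n' "$sample_x_default" | x11_mode
printf '%s\n' "$sample_x_trusted_in_config" | x11_mode
printf '%s\n' "$sample_no_forwarding" | x11_mode
```

On a live system, `ssh -G -X somehost | x11_mode` (with `somehost` as a placeholder) shows whether -X would really be untrusted there; a `ForwardX11Trusted yes` line in ssh_config makes -X behave like -Y.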
