You should use ssh -X not ssh -Y, read below...

From the ssh manual:

"""
     -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.

             For this reason, X11 forwarding is subjected to X11 SECURITY
             extension restrictions by default.  Please refer to the ssh -Y
             option and the ForwardX11Trusted directive in ssh_config(5) for
             more information.

     -x      Disables X11 forwarding.

     -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are not
             subjected to the X11 SECURITY extension controls.
"""

From the ssh_config manual:

"""
     ForwardX11
             Specifies whether X11 connections will be automatically
             redirected over the secure channel and DISPLAY set.  The argument
             must be ``yes'' or ``no''.  The default is ``no''.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X11 authorization database) can access the local X11
             display through the forwarded connection.  An attacker may then
             be able to perform activities such as keystroke monitoring if the
             ForwardX11Trusted option is also enabled.

     ForwardX11Trusted
             If this option is set to ``yes'', remote X11 clients will have
             full access to the original X11 display.

             If this option is set to ``no'', remote X11 clients will be
             considered untrusted and prevented from stealing or tampering
             with data belonging to trusted X11 clients.  Furthermore, the
             xauth(1) token used for the session will be set to expire after
             20 minutes.  Remote clients will be refused access after this
             time.

             The default is ``no''.

             See the X11 SECURITY extension specification for full details on
             the restrictions imposed on untrusted clients.
"""

Using ssh -Y turns on ForwardX11Trusted, which enables the security hole 
described above. With ssh -X you can still run any graphical app you want on 
the remote machine without enabling ForwardX11Trusted.

Cheers,
Silas Bennett

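Note that -X only turns on ForwardX11; trust is governed by ForwardX11Trusted, so a system-wide or per-host "ForwardX11Trusted yes" in ssh_config makes "ssh -X" behave exactly like "ssh -Y". The following audit script is an added example, not from this thread or from OpenSSH: it scans an ssh_config-style file and prints each Host section (or "<global>" for lines before any Host) where ForwardX11Trusted is yes. The sample config it writes is constructed; Match blocks are not handled.

```shell
#!/bin/sh
# Audit helper (added example): list sections of an ssh_config file that
# enable trusted X11 forwarding. Because ssh uses the first value obtained
# for each option, a "yes" in the global section at the top of the file
# applies to every host and cannot be undone by a later "Host ... no".

x11_trusted_hosts() {
    # $1: path to an ssh_config file; prints one section name per line
    awk '
        BEGIN { section = "<global>" }
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            gsub(/=/, " ")                     # accept the "Key=value" spelling
            key = tolower($1)
            if (key == "host") {
                section = ""                   # keep the full pattern list
                for (i = 2; i <= NF; i++) section = section (i > 2 ? " " : "") $i
                next
            }
            if (key == "forwardx11trusted" && tolower($2) == "yes") print section
        }
    ' "$1"
}

make_sample_config() {
    # Writes a constructed ~/.ssh/config-style file to $1 for demonstration.
    cat > "$1" <<'EOF'
# global default: makes "ssh -X" behave like "ssh -Y" for every host
ForwardX11Trusted yes

Host build-box
    ForwardX11 yes
    ForwardX11Trusted = no

Host *.example.net lab-*
    ForwardX11 yes
    forwardx11trusted YES
EOF
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp)
make_sample_config "$tmp"
x11_trusted_hosts "$tmp"
rm -f "$tmp"
```

To see the value ssh will actually use for a given host after all config files are merged, `ssh -G hostname | grep -i forwardx11trusted` prints the effective setting.
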

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kern Sibbald
Sent: Tuesday, July 11, 2006 1:35 PM
To: [EMAIL PROTECTED]
Cc: bacula-devel; bacula-users
Subject: Re: [Bacula-users] [Bacula-devel] Bacula Migration project status +misc


On Tuesday 11 July 2006 22:27, [EMAIL PROTECTED] wrote:
> On Tue, Jul 11, 2006 at 09:46:58PM +0200, Kern Sibbald wrote:
> > PS: more trivia while I have you on the line:
> > If anyone on the list understands X privileges, perhaps you could
> > point me to what needs to change to make X work between machines.
>
> While I can't actually claim to understand all of the implications of
> the X security model, I do know that recent releases of ssh generally
> require the use of "ssh -Y remote-host" to be able to run anything
> more graphical than an xterm on the remote system.
>

Bravo, many thanks.  That does the trick!   I wonder if Fedora turns on the Y 
option by default as I never had the problem between Fedora systems, because
the ssh version on SuSE and Fedora is the same.

I'm copying the list because there may be someone else who is having this 
problem, or maybe it was obvious to everyone but me. :-)

Thanks again,

Kern


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

