On Tuesday 11 July 2006 22:58, Bennett, Silas (GE Indust, Security) wrote:
> You should use ssh -X not ssh -Y, read below...
After seeing everyone's kind responses, I realized that I had gone through this 5 or 6 years ago and simply turned on X11 forwarding in my default ssh conf file, and over all those years, when I upgraded, it remained turned on. When the problem happened now with a new distro, and thus X11 forwarding not turned on by default (quite reasonable), I went down the wrong track thinking it was an X permissions problem, and totally forgot that it is ssh that does the X forwarding. Duh ...

Thanks for the help. You all saved me lots of time.

>
> From the ssh manual:
>
> """
> -X      Enables X11 forwarding. This can also be specified on a
>         per-host basis in a configuration file.
>
>         X11 forwarding should be enabled with caution. Users with the
>         ability to bypass file permissions on the remote host (for the
>         user's X authorization database) can access the local X11
>         display through the forwarded connection. An attacker may then
>         be able to perform activities such as keystroke monitoring.
>
>         For this reason, X11 forwarding is subjected to X11 SECURITY
>         extension restrictions by default. Please refer to the ssh -Y
>         option and the ForwardX11Trusted directive in ssh_config(5) for
>         more information.
>
> -x      Disables X11 forwarding.
>
> -Y      Enables trusted X11 forwarding. Trusted X11 forwardings are
>         not subjected to the X11 SECURITY extension controls.
> """
>
> From the ssh_config manual:
>
> """
> ForwardX11
>         Specifies whether X11 connections will be automatically
>         redirected over the secure channel and DISPLAY set. The argument
>         must be ``yes'' or ``no''. The default is ``no''.
>
>         X11 forwarding should be enabled with caution. Users with the
>         ability to bypass file permissions on the remote host (for the
>         user's X11 authorization database) can access the local X11
>         display through the forwarded connection. An attacker may then
>         be able to perform activities such as keystroke monitoring if
>         the ForwardX11Trusted option is also enabled.
>
> ForwardX11Trusted
>         If this option is set to ``yes'', remote X11 clients will have
>         full access to the original X11 display.
>
>         If this option is set to ``no'', remote X11 clients will be
>         considered untrusted and prevented from stealing or tampering
>         with data belonging to trusted X11 clients. Furthermore, the
>         xauth(1) token used for the session will be set to expire after
>         20 minutes. Remote clients will be refused access after this
>         time.
>
>         The default is ``no''.
>
>         See the X11 SECURITY extension specification for full details
>         on the restrictions imposed on untrusted clients.
> """
>
> Using ssh -Y turns on ForwardX11Trusted, which enables the security hole
> described above. With ssh -X you can still run any graphical app you want
> on the remote machine without enabling ForwardX11Trusted.
>
> Cheers,
> Silas Bennett
>
> =0)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kern Sibbald
> Sent: Tuesday, July 11, 2006 1:35 PM
> To: [EMAIL PROTECTED]
> Cc: bacula-devel; bacula-users
> Subject: Re: [Bacula-users] [Bacula-devel] Bacula Migration project status +misc
>
> On Tuesday 11 July 2006 22:27, [EMAIL PROTECTED] wrote:
> > On Tue, Jul 11, 2006 at 09:46:58PM +0200, Kern Sibbald wrote:
> > > PS: more trivia while I have you on the line:
> > > If anyone on the list understands X privileges, perhaps you could
> > > point me to what needs to change to make X work between machines.
> >
> > While I can't actually claim to understand all of the implications of
> > the X security model, I do know that recent releases of ssh generally
> > require the use of "ssh -Y remote-host" to be able to run anything
> > more graphical than an xterm on the remote system.
>
> Bravo, many thanks. That does the trick! I wonder if Fedora turns on the
> Y option by default as I never had the problem between Fedora systems,
> because the ssh version on SuSE and Fedora is the same.
>
> I'm copying the list because there may be someone else who is having this
> problem, or maybe it was obvious to everyone but me. :-)
>
> Thanks again,
>
> Kern
>
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier Download IBM WebSphere Application Server v.1.0.1 based on Apache
> Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
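Added example, not part of the thread above and not code from Bacula or OpenSSH: a small Python audit that reads an ssh_config the way ssh does (command line first, then the files, and within them the first obtained value for an option wins) and reports the effective X11 mode for a host. The point it makes is the one Kern ran into from the other direction: `ssh -X` sets only ForwardX11, so a `ForwardX11Trusted yes` left behind in ~/.ssh/config or /etc/ssh/ssh_config (Debian-derived distributions ship their system ssh_config that way) silently turns `-X` into the equivalent of `-Y`. The host names, the two config texts and the function names are constructed for the example; `Match` blocks other than `Match all` are treated as matching nothing, and `Host` patterns are matched with fnmatch, which is a simplification of the ssh_config(5) pattern rules.

```python
"""Report the effective X11 forwarding mode ssh would use for a host.

Added example (not Bacula or OpenSSH code).  Models two OpenSSH rules:
  * the first obtained value for an option wins: command line, then
    ~/.ssh/config, then /etc/ssh/ssh_config, each read top to bottom;
  * -X sets only ForwardX11, so a file's ForwardX11Trusted still applies,
    while -Y sets ForwardX11 and ForwardX11Trusted together.
Host patterns use fnmatch, a simplification of ssh_config(5) patterns.
"""
import fnmatch
import re

# Constructed sample: a user config that still carries trusted forwarding.
SAMPLE_WEAK = """\
# ~/.ssh/config (constructed example)
ForwardX11 yes
ForwardX11Trusted yes

Host bacula-dir
    HostName bacula-dir.example.internal
"""

# Constructed sample: untrusted (-X style) forwarding for one host, off elsewhere.
SAMPLE_FIXED = """\
# ~/.ssh/config (constructed example)
Host bacula-dir
    HostName bacula-dir.example.internal
    ForwardX11 yes
    ForwardX11Trusted no

Host *
    ForwardX11 no
    ForwardX11Trusted no
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    Options before the first Host/Match line apply to every host.  'Match all'
    is treated like 'Host *'; any other Match block matches nothing here.
    """
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # ssh_config comments are whole lines only
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            blocks.append((patterns, opts))
            patterns = value.split() if key == "host" else (["*"] if value.lower() == "all" else [])
            opts = {}
        else:
            opts.setdefault(key, value)  # first value inside a block wins too
    blocks.append((patterns, opts))
    return blocks


def host_matches(patterns, hostname):
    """Host-line semantics: some positive pattern matches and no '!' pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False  # a negated match vetoes the whole Host line
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_options(config_text, hostname):
    """Merge every matching block; the first obtained value for each option wins."""
    effective = {}
    for patterns, opts in parse_ssh_config(config_text):
        if host_matches(patterns, hostname):
            for key, value in opts.items():
                effective.setdefault(key, value)
    return effective


def x11_mode(config_text, hostname, flag=None):
    """Return 'OFF', 'UNTRUSTED' (what -X gives) or 'TRUSTED' (what -Y gives).

    flag is an optional command-line switch, '-x', '-X' or '-Y'.  Command-line
    values are obtained before any file, so they win, but -X says nothing
    about ForwardX11Trusted and leaves the file's value in force.
    """
    opts = effective_options(config_text, hostname)
    forward = opts.get("forwardx11", "no").lower() == "yes"
    trusted = opts.get("forwardx11trusted", "no").lower() == "yes"
    if flag == "-x":
        forward = False
    elif flag == "-X":
        forward = True
    elif flag == "-Y":
        forward, trusted = True, True
    if not forward:
        return "OFF"
    return "TRUSTED" if trusted else "UNTRUSTED"


def audit(config_text, hostnames, flag=None):
    """Map each host to its mode and list the hosts that would get a trusted display."""
    modes = {h: x11_mode(config_text, h, flag) for h in hostnames}
    return modes, sorted(h for h, m in modes.items() if m == "TRUSTED")


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        for flag in (None, "-X", "-Y"):
            modes, risky = audit(cfg, ["bacula-dir", "build-box"], flag)
            print(f"{label:5} {flag or '(no flag)':9} {modes} trusted={risky}")
```

To check a real box, feed it the concatenation of ~/.ssh/config and /etc/ssh/ssh_config in that order, which is the order ssh reads them; `ssh -G host | grep -i forwardx11` prints the same effective values on OpenSSH 6.8 and later and is the authoritative check.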