On Sat, Jan 05, 2008 at 11:38:24PM -0500, Douglas A. Tutty wrote:
> On Sat, Jan 05, 2008 at 07:48:53PM -0800, Ted Unangst wrote:
> > On 1/5/08, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> > > Is there anything that, bug-wise, could go wrong with that remote
> > > browser that would be able to read or alter anything on the local
> > > machine? I'm talking about using ssh's X forwarding features, not using
> > > X's native forwarding.
> >
> > a lot more can go wrong than can go right. in theory, yes, you are
> > insulated from the client acting up. in practice, the isolation is
> > often too complete. i have never had an app actually work via an ssh
> > -X connection.
>
> I do it all the time. The __only__ "normal app" I can't get to work is
> from an OpenBSD box, ssh -X to a Debian box running Iceweasel (Firefox).
> Debian-Debian even Iceweasel works just fine.
>From the ssh_config manpage on Debian (Etch):
ForwardX11Trusted
If this option is set to ``yes'' then remote X11 clients will
have full access to the original X11 display.
If this option is set to ``no'' then remote X11 clients will be
considered untrusted and prevented from stealing or tampering
with data belonging to trusted X11 clients. Furthermore, the
xauth(1) token used for the session will be set to expire after
20 minutes. Remote clients will be refused access after this
time.
The default is ``yes'' (Debian-specific).
^^^ ^^^^^^^^^^^^^^^
