What is the difference between `ssh -Y` (trusted X11 forwarding) and `ssh -X` (untrusted X11 forwarding)?

1

A1: for Cygwin 1.7

If you have a UTF-8 locale configured, this should all just work :-).

To confirm this is working properly, you may try the following:

If you want to be able to type Unicode characters into this xterm, you'll need to configure your bash shell not to escape 8-bit characters; see Q: 5.2.1.

A2: for Cygwin 1.5

Start your xterm in UTF-8 mode as xterm +lc -u8.

To confirm this is working properly, you may try the following

For reasons I don't currently understand, the default fixed font is only capable of supplying accented Roman, hiragana and katakana characters, so if you wish to work with e.g. Greek, Cyrillic, Hebrew, Thai, etc., you'll need to start your xterm specifying a suitable font, e.g. xterm +lc -u8 -fn -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso10646-1

To confirm this is working properly, you may try the following

For other programs run from your xterm to output properly (e.g....

2
-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.
...

3

> my Mac to the same server but not from my Ubuntu install.
> So it's (presumably) a client thing.

FWIW, it works fine for me (Trusty -> Trusty). Not aware that I am doing
anything special, just "X11Forwarding yes" in /etc/ssh/sshd_config on
the (SSH) server. I assume you restarted the SSH server after changing
this setting?

Bob Edwards.

>
> a
>
> On 19 May 2015 at 14:00, Andrew Janke wrote:
>> I was crossing my fingers that this one was right. It sounds simple
>> enough to be true. But nope.
>>
>> $ df -h /tmp
>> Filesystem Size Used Avail Use% Mounted on
>> /dev/md126 551G 209M 522G 1% /tmp
>>
>> Plenty of space on the client too.
>>
>> a
>>
>> On 19 May 2015 at 12:26, Brett Worth wrote:
>>> What about "df - h...

4

I believe this is incorrect. The authentication protocols are still used (thus the need for the xorg-x11-xauth package on CentOS).

This is not the same as ‘xhost +’ which should never be used.

Both -X and -Y require read access to the ~/.Xauthority file on the remote system in order to connect back to the X server. You can see this by using the ‘xauth remove’ command to remove the authentication token for the display and clients can no longer connect.

Likewise, I’ve used ssh/X for 20+ years on a variety of systems. In most cases -X is sufficient, but some applications seem to require -Y and I have not dug into all of the reasons.

On Debian and FreeBSD ‘man ssh_config’ now shows:

ForwardX11Timeout
Specify a timeout for untrusted X11 forwarding using
the format described in the TIME FORMATS section of
sshd_config(5). X11 connections received by ssh(1)
after this time will be refused. The default is to
disable...

5
$ man ssh

-X Enables X11 forwarding. This can also be specified on a per-host
   basis in a configuration file.

   X11 forwarding should be enabled with caution. Users with the
   ability to bypass file permissions on the remote host (for the
   user's X authorization database) can access the local X11 display
   through the forwarded connection. An attacker may then be able
   to perform activities such as keystroke monitoring.

   For this reason, X11 forwarding is subjected to X11 SECURITY
   extension restrictions by default. Please refer to the ssh -Y
   option and the ForwardX11Trusted directive in ssh_config(5) for
   more information.

-x Disables X11 forwarding.

-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not
   subjected to the X11 SECURITY extension...
6

SSH is a wonderful tool. It enables you to securely log in to a remote system (without a password, if you configure it appropriately) and run a shell or a specified command. It also enables you to create encrypted tunnels for other tools and protocols to use.

SSH provides extra support for X11 tunnels so that you can execute a GUI application on one system and view the user interface on another system. When setting up an SSH tunnel for X11, the Xauth key will automatically be copied to the remote system (in a munged form to reduce the risk of forgery) and the DISPLAY variable will be set. This key is a long random number which must be presented to the display server -- the software running the display in front of the user -- before the connection will be accepted.

This support for X11 means that if you are logged in on a system named red and want to run OpenOffice.org writer on the machine named blue, you can just execute this command:

$ ssh -XC...

7

I thought I'd blog this just in case someone else is having problems using XQuartz on OS X as a server to remote X11 applications (i.e. using ssh -X somehost).

At first this works, but after some time (20 minutes, to be exact) you'll get "can't open display: localhost:10.0" errors when applications attempt to connect to the X server. This is because the X forwarding is "untrusted" and that has a 20 minute timeout. There are two solutions here: increase the X11 timeout (the maximum is 596 hours) or enable trusted forwarding.

It's probably best to enable trusted forwarding only if you're connecting to machines you, well, trust. The option is ForwardX11Trusted yes and this can be set globally in /etc/ssh_config or per host in...

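A way to check which of these modes a client will actually use for a given host, as an added example that is not part of the blog post above: it classifies the effective settings printed by `ssh -G <host>` into off, untrusted (with its timeout) or trusted. The function names and the sample lines are constructed for illustration, and it assumes an OpenSSH client new enough to have `ssh -G`, which prints lowercase `key value` lines with the timeout in seconds.

```shell
#!/bin/sh
# Added example: classify X11 forwarding from `ssh -G <host>` output on stdin.
# Function names are hypothetical; they are not part of OpenSSH.

x11_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        $1 == "forwardx11timeout" { timeout = $2 }
        END {
            if (timeout == "") timeout = "unknown"
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted timeout=" timeout
        }'
}

# Constructed samples in the format `ssh -G` prints (not captured output).
sample_untrusted() {   # what plain -X should resolve to
    printf '%s\n' 'hostname blue' 'forwardx11 yes' \
        'forwardx11trusted no' 'forwardx11timeout 1200'
}
sample_trusted() {     # what -Y or "ForwardX11Trusted yes" resolves to
    printf '%s\n' 'hostname blue' 'forwardx11 yes' \
        'forwardx11trusted yes' 'forwardx11timeout 1200'
}
sample_off() {         # no forwarding requested for this host
    printf '%s\n' 'hostname red' 'forwardx11 no' \
        'forwardx11trusted no' 'forwardx11timeout 1200'
}

# Audit real hosts from ssh_config; call as: audit_hosts blue red
audit_hosts() {
    for h in "$@"; do
        printf '%s: %s\n' "$h" "$(ssh -G "$h" | x11_mode)"
    done
}

# Stand-alone run: show the classification of the constructed samples.
printf 'untrusted sample -> %s\n' "$(sample_untrusted | x11_mode)"
printf 'trusted sample   -> %s\n' "$(sample_trusted | x11_mode)"
printf 'off sample       -> %s\n' "$(sample_off | x11_mode)"
```

Hosts reported as `trusted` are the ones where the remote side is not held to the X11 SECURITY extension restrictions, so they are the entries worth reviewing.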
8

Running Ubuntu 13.10, I cannot run emacs when sshing to my box

ssh -l username someipaddress

When I run emacs, it simply hangs.

I have also recently installed dbus-x11. Before installing dbus-x11, I would get a crash when trying to run emacs.

(emacs:3306): GConf-WARNING **: Client failed to connect to the D-BUS daemon: //bin/dbus-launch terminated abnormally without any error message
(emacs:3306): GConf-WARNING **: Client failed to connect to the D-BUS daemon: //bin/dbus-launch terminated abnormally without any error message
(emacs:3306): GConf-WARNING **: Client failed to connect to the D-BUS daemon: //bin/dbus-launch terminated abnormally without any error message
(emacs:3306): GConf-WARNING **: Client failed to connect to the D-BUS daemon: //bin/dbus-launch terminated abnormally without any error message
(emacs:3306): GConf-WARNING **: Client failed to connect to the D-BUS daemon: //bin/dbus-launch terminated abnormally without any error...
9
Date: Fri, 4 Jun 2004 19:07:11 -0700
To: Simon Timms

On Fri, Jun 04, 2004 at 06:06:24PM -0600, Simon Timms wrote:
> On Fri, 4 Jun 2004, Kris Kennaway wrote:
>
> > On Fri, Jun 04, 2004 at 08:59:31AM -0600, Simon Timms wrote:
> >
> > > Oooh, you know I think I'm just doing 'ssh' and expecting it to work or
> > > give me a huge obvious error. I have enabled ForwardX11 in
> > > /etc/ssh/ssh_conf on the desktop. You're probably right that it is a
> > > question of '-X' or '-Y'. I shall have to try this out when I get home
> > > tonight. What is the difference between trusted and untrusted X11
> > > forwarding?
> >
> > Untrusted is safer when you don't trust the security of the machine
> > you're connecting to, but it doesn't work for a lot of X applications.
>
> You were right, a -Y did it. I'm sure I've done this with just -X...
