Re: What's the deal on the -X vs -Y thing?

From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 01/25/05


Date: 25 Jan 2005 00:12:35 GMT

In article <pan.2005.01.24.23.32.49.499688@dcs.nac.uci.edu>,
Dan Stromberg <strombrg@dcs.nac.uci.edu> wrote:
>Why was -X changed to -Y, and was it really worth breaking user-training
>compatibility?

-X still does X11 forwarding but with an untrusted xauth cookie by
default. Whether or not you need a trusted cookie depends on your
X applications. You can revert to the previous behaviour

Also consider that with a trusted cookie, an attacker on the SSH server
can do some neato things like dump your screen contents and/or log your
keystrokes (see [1]). Remember that this channel is from the SSH server
to the client, so if you SSH through your firewall to a compromised
host with X forwarding and a trusted cookie then an attacker on that
host gets a free swing at your X server.

>With this apparently-intentional breakage, it's going to be a mess for
>years to come, helping users understand when to use -X and when to use -Y.
>
>Or am I missing something? Is there still a consistent way of getting X11
>forwarding, across versions of openssh?

You probably missed it when you read the (3.8) release notes?
Also see http://www.openssh.com/faq.html#3.13

[1] http://www.giac.org/practical/GCIH/Holger_Van_Lengerich_GCIH.pdf

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
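
The trade-off described in the post above can be checked per host in a client configuration. The following is an added example, not part of the original post: it resolves the effective `ForwardX11` and `ForwardX11Trusted` values (the `ssh_config` options behind `-X` and `-Y`) for a hostname, using the first-obtained-value rule that `ssh_config` applies. The sample config and hostnames are constructed, upstream defaults are assumed, and `Match` blocks are not evaluated.

```python
import fnmatch
import shlex

# Upstream OpenSSH defaults (assumption: some distributions ship different ones).
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}

# Constructed sample config, not taken from the post.
SAMPLE_CONFIG = """
Host build-*.example.com !build-legacy.example.com
    ForwardX11 yes
    ForwardX11Trusted no
Host build-legacy.example.com
    ForwardX11 yes
    ForwardX11Trusted yes
Host *
    ForwardX11 no
"""

def host_matches(hostname, patterns):
    """ssh_config Host matching: a positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!") and fnmatch.fnmatchcase(hostname, pat[1:]):
            return False
        if not pat.startswith("!") and fnmatch.fnmatchcase(hostname, pat):
            positive = True
    return positive

def effective_x11(config_text, hostname):
    """Return (ForwardX11, ForwardX11Trusted) for hostname; first value obtained wins."""
    found = {}
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line.replace("=", " ", 1))
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = host_matches(hostname, args)
        elif key == "match":
            active = False  # Match blocks are not evaluated in this sketch
        elif active and key in DEFAULTS and args:
            found.setdefault(key, args[0].lower())
    return tuple({**DEFAULTS, **found}[k] for k in DEFAULTS)

def trusted_forwarding(config_text, hostname):
    """True when the host would get X11 forwarding with a trusted cookie (the -Y case)."""
    return effective_x11(config_text, hostname) == ("yes", "yes")
```

Hosts for which `trusted_forwarding` returns true are the ones where a compromised server gets the screen-dump and keystroke-logging access the post describes.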