Re: What's the deal on the -X vs -Y thing?

From: Dan Stromberg (strombrg_at_dcs.nac.uci.edu)
Date: 01/25/05


Date: Mon, 24 Jan 2005 16:58:47 -0800

On Tue, 25 Jan 2005 00:12:35 +0000, Darren Tucker wrote:

> In article <pan.2005.01.24.23.32.49.499688@dcs.nac.uci.edu>, Dan
> Stromberg <strombrg@dcs.nac.uci.edu> wrote:
>>Why was -X changed to -Y, and was it really worth breaking user-training
>>compatibility?
>
> -X still does X11 forwarding but with an untrusted xauth cookie by
> default. Whether or not you need a trusted cookie depends on your X
> applications. You can revert to the previous behaviour

-X has been rendered largely useless.

> Also consider that with a trusted cookie, an attacker on the SSH server
> can do some neato things like dump your screen contents and/or log your
> keystrokes (see [1]). Remember that this channel is from the SSH server
> to the client, so if you SSH through your firewall to a compromised host
> with X forwarding and a trusted cookie then an attacker on that host
> gets a free swing at your X server.

Yes, yes, yes. But at least with a functional -X, users don't "xhost +"
anymore.

>>With this apparently-intentional breakage, it's going to be a mess for
>>years to come, helping users understand when to use -X and when to use
>>-Y.
>>
>>Or am I missing something? Is there still a consistent way of getting
>>X11 forwarding, across versions of openssh?
>
> You probably missed it when you read the (3.8) release notes? Also see
> http://www.openssh.com/faq.html#3.13

I'd seen this, but I'll repeat: it's not -consistent-. Some versions of
ssh -require- this (or -Y), while others -choke- on it. And if you have
multiple versions of openssh on your systems, woe betide you if you
rearrange your paths for some reason - your ssh-based automation scripts
start breaking.

This is going to mean a lot of retraining, recoding, and even users
getting frustrated and going back to xhost +. It strikes me as a
particularly arbitrary and capricious breakage of backward compatibility.
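
For scripts that must run against both kinds of client described in this thread, one option is to pick the option from the client's version banner. This is an added example, not part of the original post or of OpenSSH; the function name `x11_flag` is hypothetical, and it assumes the 3.8 cutoff mentioned in the quoted reply and a banner of the form `OpenSSH_<major>.<minor>...`.

```shell
#!/bin/sh
# x11_flag BANNER [TRUSTED]
#   BANNER  - version line printed by `ssh -V` (ssh writes it to stderr)
#   TRUSTED - "yes" to request a trusted cookie; anything else = untrusted
# Prints the X11 forwarding option for that client.
# Returns 2 if the banner is not an OpenSSH banner.
x11_flag() {
    banner=$1
    trusted=${2:-no}
    # Pull "major minor" out of e.g. "OpenSSH_3.7.1p2, ..."
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo "x11_flag: unrecognised ssh version banner" >&2
        return 2
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }; then
        # 3.8 and later: -X uses an untrusted cookie, -Y a trusted one.
        if [ "$trusted" = yes ]; then echo "-Y"; else echo "-X"; fi
    else
        # Before 3.8 there is no -Y; -X is the only option and the
        # forwarded clients are not restricted.
        [ "$trusted" = yes ] ||
            echo "x11_flag: pre-3.8 client cannot do untrusted forwarding" >&2
        echo "-X"
    fi
}

# Typical call from a script (host name is a placeholder):
#   ssh $(x11_flag "$(ssh -V 2>&1)") user@host.example xterm
```

Defaulting to the untrusted cookie and asking for `-Y` only per call keeps the exposure described in the quoted reply limited to the hosts that actually need it.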