> On 2021-06-29 1:27 p.m., Greg Wooledge wrote:
> > On Tue, Jun 29, 2021 at 04:33:50PM +0000, Andrew M.A. Cater wrote:
> >> ssh -Y is similar to ssh -X but does some authentication - you don't have
> >> to use xhost+ or similar.
> >
> > You don't use xhost with ssh -X, either.  At least, not explicitly.
> > ssh takes care of that for you.
> >
> > In fact, on Debian, ssh -X and ssh -Y do exactly the same thing, due
> > to changes that Debian made.  This is documented in the ssh(1) man page.
> >
> > If you've been using "xhost +" together with "ssh -X", you've been doing
> > it wrong (and *dramatically* destroying all your network security) all
> > along.

On Tue, Jun 29, 2021 at 02:05:18PM -0400, Polyna-Maude Racicot-Summerside wrote:
> What I stated was pretty simple :

I wasn't replying to what *you* said.  I was replying to something that
Andrew Cater said.

> It's of not much use to start debate without reading fully the thread.

I was replying to *one* message from a person who *was not you*, because
that message contained massively important wrongness.  It is important
that this wrongness be called out and eradicated if possible.  Because
it's *dangerously* wrong.

Your points about "people should start out by doing it the way we did it
back in 1991 so they learn the old ways first, and then they can move on
to the new ways" are irrelevant to my point from *that* message, which
was:

DO NOT USE xhost + WITH ssh -X OR ssh -Y

That was the fucking point.

Now, if you want to advocate that people should use xhost + because that's
how you learned things back in the early 1990s, that's your right, but I
hope you will at least point out how INCREDIBLY INSECURE this is, and that
it should only be done on an isolated private network, and only for
educational purposes, never for actual work.

Even then, you wouldn't combine it with ssh -X.  xhost + and manually
overriding DISPLAY bypasses the ssh encryption layer entirely.  It also
involves starting the X server with a non-default option, so it's quite
a lot more work than using ssh -X.  Which is good.  We wouldn't want the
horribly broken way to be the easy way.
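
Added example, not part of the original message: a small shell check for the two conditions the message warns about, disabled X access control (the effect of `xhost +`) and a DISPLAY that points straight at a remote host instead of an ssh proxy display. The function names and finding labels are hypothetical, and treating a `localhost:N` display as the usual ssh -X/-Y proxy is an assumption about a default sshd setup.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are passed as strings so the
# logic can be exercised offline with constructed samples.

# Classify the first line of `xhost` output.
xhost_state() {
    case "$1" in
        'access control disabled'*) echo open ;;        # effect of `xhost +`
        'access control enabled'*)  echo restricted ;;
        *)                          echo unknown ;;
    esac
}

# Classify how clients reach the X server from a DISPLAY value.
display_transport() {
    [ -n "$1" ] || { echo none; return 0; }
    dt_host=${1%:*}                      # drop ":display.screen"
    case "$dt_host" in
        ''|unix|/*)              echo local ;;     # Unix-domain socket
        localhost|127.0.0.1|::1) echo loopback ;;  # assumed ssh -X/-Y proxy display
        *)                       echo tcp ;;       # direct TCP, no ssh tunnel
    esac
}

# Print "OK" or "FAIL <finding> ..." for one session.
audit_x11() {
    ax_findings=
    if [ "$(xhost_state "$1")" = open ]; then
        ax_findings="access-control-disabled"
    fi
    if [ "$(display_transport "$2")" = tcp ]; then
        ax_findings="${ax_findings:+$ax_findings }plaintext-tcp"
    fi
    if [ -n "$ax_findings" ]; then echo "FAIL $ax_findings"; else echo OK; fi
}

# Live use on a desktop session:
#   audit_x11 "$(xhost 2>/dev/null)" "$DISPLAY"
```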