On Tue, Jun 29, 2021 at 02:43:28PM -0400, Greg Wooledge wrote:
> > On 2021-06-29 1:27 p.m., Greg Wooledge wrote:
> > > On Tue, Jun 29, 2021 at 04:33:50PM +0000, Andrew M.A. Cater wrote:
> > >> ssh -Y is similar to ssh -X but does some authentication - you don't have
> > >> to use xhost+ or similar.
> > >
> > > You don't use xhost with ssh -X, either. At least, not explicitly.
> > > ssh takes care of that for you.
> > >
> > > In fact, on Debian, ssh -X and ssh -Y do exactly the same thing, due
> > > to changes that Debian made. This is documented in the ssh(1) man page.
> > >
> > > If you've been using "xhost +" together with "ssh -X", you've been doing
> > > it wrong (and *dramatically* destroying all your network security) all
> > > along.
>
> On Tue, Jun 29, 2021 at 02:05:18PM -0400, Polyna-Maude Racicot-Summerside
> wrote:
> > What I stated was pretty simple :
>
> That was the fucking point.
>

Greg:

If it helps, I get that - and have always got it. I hadn't appreciated that - for Debian - ssh -X and ssh -Y are essentially identical. Thanks for the pointer. Sorry to have created any confusion.

It's _nearly_ July 1st. Tomorrow sometime I'll be getting round to reposting the debian-user mailing list FAQ.

Please, no rude words, especially the f-ing word? As frustrating as any of us can be, it doesn't add merit to argument. Email is already hard enough to understand and appreciate: there are folk here where English is a non-native language and swear words don't help carry meaning.

All the very best to you both - and everybody reading and using this list and its archives.

Andy Cater

>
> Now, if you want to advocate that people should use xhost + because
> that's how you learned things back in the early 1990s, that's your right,
> but I hope you will at least point out how INCREDIBLY INSECURE this is,
> and that it should only be done on an isolated private network, and only
> for educational purposes, never for actual work.
>
> Even then, you wouldn't combine it with ssh -X. xhost + and manually
> overriding DISPLAY bypasses the ssh encryption layer entirely. It also
> involves starting the X server with a non-default option, so it's quite
> a lot more work than using ssh -X. Which is good. We wouldn't want the
> horribly broken way to be the easy way.
>
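
A defender's check for the two misconfigurations described in the quoted text above (X access control switched off with xhost +, and a DISPLAY pointed straight at another host instead of the ssh tunnel), as an added example that is not part of the thread. The function names and sample values are constructed for illustration, and the DISPLAY classification assumes OpenSSH's default of binding forwarded displays to the loopback address.

```shell
#!/bin/sh
# Added example: audit an X11 session for the "xhost +" anti-pattern.
# Function names are hypothetical, not from the thread or from any tool.

# Classify the first line of `xhost` output.
#   open       - access control disabled (the state "xhost +" leaves behind)
#   restricted - access control enabled
xhost_state() {
    case "$1" in
        "access control disabled"*) echo open ;;
        "access control enabled"*)  echo restricted ;;
        *)                          echo unknown ;;
    esac
}

# Classify a DISPLAY value.
#   local     - unix-socket display such as ":0"
#   tunnelled - loopback TCP display, the form ssh -X / -Y sets (assumption:
#               default X11UseLocalhost behaviour)
#   direct    - names another host, so X11 traffic crosses the network
#               outside the ssh encryption layer
display_kind() {
    [ -n "$1" ] || { echo unset; return 0; }
    host=${1%:*}                      # strip the ":display.screen" suffix
    case "$host" in
        ""|unix)                         echo local ;;
        localhost|127.0.0.1|::1|"[::1]") echo tunnelled ;;
        *)                               echo direct ;;
    esac
}

# $1 = first line of xhost output, $2 = DISPLAY value. Returns 1 on a finding.
audit() {
    rc=0
    if [ "$(xhost_state "$1")" = open ]; then
        echo "FAIL: X access control is disabled (xhost +)"; rc=1
    fi
    if [ "$(display_kind "$2")" = direct ]; then
        echo "FAIL: DISPLAY=$2 bypasses the ssh tunnel"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Live use on a desktop session:
#   audit "$(xhost 2>/dev/null | head -n 1)" "$DISPLAY"
```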