On Sun, Dec 21, 2014 at 6:25 AM, Harry Putnam <rea...@newsguy.com> wrote:
>
> Still kind of puzzled about how ssh determines, when -Y is used, when
> x11-forwardings are `TRUSTED'.
>

When -Y is used, all forwarding is trusted, and when -X is used nothing is trusted. With -Y all ssh does is forward X11 traffic to the X server unfiltered. With -X there is an X11 security extension that gets used to prevent some things like keyboard snooping.

X11 is pretty weak from a security standpoint - in its normal state any X client can do all kinds of stuff that could compromise security, like capture keyboard input to a window owned by another client. So, your music player can keylog your browser session/etc. Obviously, remote X clients further compound this.

-X is supposed to protect against some of these issues, but it doesn't work on Gentoo. I'd have to research why again - I forget if it was an ssh issue, or an xorg issue.

--
Rich
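
Added example, not part of the original message: a small Python check that reads an OpenSSH client config and reports whether a given host would get no X11 forwarding, untrusted forwarding (the -X behaviour) or trusted forwarding (the -Y behaviour), based on the `ForwardX11` and `ForwardX11Trusted` options. The sample config and host names are constructed, upstream defaults of `no` are assumed for both options, and `Match` and `Include` directives are not evaluated.

```python
import fnmatch

# Constructed sample client config (not from the original thread).
SAMPLE_CONFIG = """\
Host build-*
    ForwardX11 yes
    ForwardX11Trusted yes

Host *.lab.example !legacy.lab.example
    ForwardX11 yes

Host *
    ForwardX11 no
    ForwardX11Trusted no
"""

def host_matches(patterns, hostname):
    """A Host line applies if a positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False      # a matching negated pattern vetoes the whole line
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def x11_mode(config_text, hostname):
    """Return 'none', 'untrusted' (like -X) or 'trusted' (like -Y) for hostname."""
    active = True                 # options before the first Host line apply to all hosts
    seen = {}                     # ssh uses the first value obtained for each option
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif key == "match":
            active = False        # assumption: Match blocks are skipped, not evaluated
        elif active and key in ("forwardx11", "forwardx11trusted"):
            seen.setdefault(key, value.lower())
    if seen.get("forwardx11", "no") != "yes":
        return "none"
    return "trusted" if seen.get("forwardx11trusted", "no") == "yes" else "untrusted"
```
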