[Triumf-linux-managers] FYI: SSH -X vs. -Y for X11 access

Andrew Daviel advax@triumf.ca
Fri, 2 Dec 2005 13:48:20 -0800 (PST)


FYI

Later versions of SSH have a different X11 tunnelling procedure.
To get X11 to work between SSH clients and servers of different versions,
you may need to use the "-Y" option. Otherwise you may see odd behaviour.

Reportedly, SSH to MacOS 10 will not work at all without -Y.

SSH -X to some Linux systems will work for 20 minutes, then stop.

SSH -X to other systems may be just weird. The application may start, but
be unable to spawn subwindows. Or drop-down menus may be blank. Or it
might crash when you select some menus, but not others.

On Fri, 14 Oct 2005, Greg Hackman wrote:

>
> What's the difference between using -X and -Y for X11 port forwarding via
> SSH?  Why do I sometimes have to use -Y and other times can't use it at all?
> I've already tried the man pages and found no useful information.
>

I'd never heard of it until your email ...

I see it is in version 4 but not version 3.6.

In the source code it says:
                case 'X':
                        options.forward_x11 = 1;
                        break;
                case 'Y':
                        options.forward_x11 = 1;
                        options.forward_x11_trusted = 1;
                        break;

changelog says:
   - markus@cvs.openbsd.org 2003/10/11 08:24:08
     [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
     remote x11 clients are now untrusted by default, uses xauth(8) to
     generate untrusted cookies; ForwardX11Trusted=yes restores old
     behaviour.
     ok deraadt; feedback and ok djm/fries

There is some discussion in "man 5 ssh_config"
  ("man /usr/share/man/man5/ssh_config.5.gz" on ibm00)
If you keep the old ssh_config when upgrading (as I did) then you don't
see this commented-out parameter:

ForwardX11Trusted
  If this option is set to "yes" then remote X11
  clients will have full access to the original X11 display.  If this
  option is set to "no" then remote X11 clients will be considered
  untrusted and prevented from stealing or tampering with data belonging
  to trusted X11 clients.  Furthermore, the xauth(1) token used for the
  session will be set to expire after 20 minutes.  Remote clients will be
  refused access after this time.

I presume that -Y forces the X11Trusted behaviour if that's not
set in the config file.


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security@triumf.ca
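
Added example, not part of the original message or of OpenSSH: a shell function that reads an ssh_config-format file and reports, per Host block, whether X11 forwarding would be untrusted (as with -X) or trusted (as with -Y). The host names and the sample file are constructed, and each block is classified on its own, without resolving ssh's first-obtained-value-wins rule across blocks.

```shell
#!/bin/sh
# Added example: classify X11 forwarding per Host block of an ssh_config file.

audit_x11() {   # $1 = path to an ssh_config-format file
    awk '
    function report() {
        if (fwd == "yes" && trusted == "yes") print host ": trusted (like -Y)"
        else if (fwd == "yes")                print host ": untrusted (like -X)"
        else if (trusted == "yes")            print host ": -X behaves like -Y"
    }
    BEGIN { host = "(global)" }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        sub(/^[ \t]+/, "")
        # Keywords are case-insensitive; "Key value" and "Key=value" are both valid.
        key = tolower($0); sub(/[ \t=].*/, "", key)
        val = substr($0, length(key) + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "host") { report(); host = val; fwd = trusted = "" }
        # Within one block, keep only the first value seen for each option.
        else if (key == "forwardx11" && fwd == "")            fwd = tolower(val)
        else if (key == "forwardx11trusted" && trusted == "") trusted = tolower(val)
    }
    END { report() }
    ' "$1"
}

# Constructed sample configuration (host names are made up).
sample_config() {
    cat <<'EOF'
Host build01
    ForwardX11 yes

Host macdesk
    ForwardX11=yes
    ForwardX11Trusted yes

# No ForwardX11 here, so plain "ssh -X" to these hosts is forwarded as trusted.
Host legacy*
    ForwardX11Trusted yes

Host *
    ForwardX11 no
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_x11 "$tmp"; rm -f "$tmp"
```

On OpenSSH releases that support it, "ssh -G <host>" prints the effective forwardx11 and forwardx11trusted values for a single host after all matching blocks are merged.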