[Triumf-linux-managers] FYI: SSH -X vs. -Y for X11 access
Frederick Jones
fwj@triumf.ca
Fri, 02 Dec 2005 14:35:08 -0800

Andrew,

Thanks for researching this...
it may explain why I observed that xrdb (needed to
set X resources in the server) was silently failing
on recent (SL3 & 4) systems.

Unfortunately this is all too typical of SSH and of Linux,
where people continue to make "improvements" that foul
everything up, and then give you a work-around to restore
previous behaviour, without properly documenting any of it.

One question that occurs is, if remote clients are now by
default untrusted, how can they be made trusted?

In the meantime, we can only hope that the -Y option will
not be taken away in a future "improvement".

Fred

Andrew Daviel wrote:
> FYI
>
> Later versions of SSH have a different X11 tunnelling procedure.
> To get X11 to work between SSH clients and servers of different versions,
> you may need to use the "-Y" option. Otherwise you may see odd behaviour.
>
> Reportedly, SSH to MacOS 10 will not work at all without -Y.
>
> SSH -X to some Linux systems will work for 20 minutes, then stop.
>
> SSH -X to other systems may be just weird. The application may start, but
> be unable to spawn subwindows. Or drop-down menus may be blank. Or it
> might crash when you select some menus, but not others.
>
> On Fri, 14 Oct 2005, Greg Hackman wrote:
>
>
>>What's the difference between using -X and -Y for X11 port forwarding via
>>SSH? Why do I sometimes have to use -Y and other times can't use it at all?
>>I've already tried the man pages and found no useful information.
>>
>
>
> I'd never heard of it until your email ...
>
> I see it is in version 4 but not version 3.6
>
> In the source code it says:
>     case 'X':
>         options.forward_x11 = 1;
>         break;
>     case 'Y':
>         options.forward_x11 = 1;
>         options.forward_x11_trusted = 1;
>         break;
>
> changelog says:
> - markus@cvs.openbsd.org 2003/10/11 08:24:08
> [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
> remote x11 clients are now untrusted by default, uses xauth(8) to
> generate untrusted cookies; ForwardX11Trusted=yes restores old
> behaviour.
> ok deraadt; feedback and ok djm/fries
>
> There is some discussion in "man 5 ssh_config"
> ("man /usr/share/man/man5/ssh_config.5.gz" on ibm00)
> If you keep the old ssh_config when upgrading (as I did) then you don't
> see this commented-out parameter
>
> ForwardX11Trusted
> If this option is set to "yes" then remote X11
> clients will have full access to the original X11 display. If this
> option is set to "no" then remote X11 clients will be considered
> untrusted and prevented from stealing or tampering with data belonging
> to trusted X11 clients. Furthermore, the xauth(1) token used for the
> session will be set to expire after 20 minutes. Remote clients will be
> refused access after this time.
>
> I presume that -Y forces the X11Trusted behaviour if that's not
> set in the config file.
>
>
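
Added example, not part of the original thread and not OpenSSH code: a small resolver showing when a remote X11 client ends up trusted, given the -X/-Y handling and the ForwardX11Trusted option quoted above. It relies on OpenSSH applying command-line flags before the config file and keeping the first value obtained for each option; the function names, the sample config and its host names are constructed for illustration, and Match blocks are skipped.

```python
import fnmatch
import shlex

# Constructed sample ssh_config (hypothetical hosts, not from the thread).
SAMPLE_CONFIG = """\
Host legacy-*.example.org
    ForwardX11Trusted yes

Host build.example.org
    ForwardX11 yes

Host *
    ForwardX11Trusted no
"""

def host_matches(host, patterns):
    """A Host line matches if a positive pattern matches and no negated one does."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def x11_mode(config_text, host, flag=None):
    """Return 'off', 'untrusted' or 'trusted' for `ssh [flag] host` (flag: None, '-X', '-Y')."""
    opts = {"forwardx11": None, "forwardx11trusted": None}
    if flag in ("-X", "-Y"):          # both flags turn forwarding on
        opts["forwardx11"] = "yes"
    if flag == "-Y":                  # only -Y also sets the trusted bit
        opts["forwardx11trusted"] = "yes"
    active = True                     # lines before the first Host apply to all hosts
    for raw in config_text.splitlines():
        words = shlex.split(raw.replace("=", " ", 1), comments=True)
        if not words:
            continue                  # blank line or comment
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = host_matches(host, args)
        elif key == "match":
            active = False            # Match blocks are not evaluated here
        elif active and key in opts and opts[key] is None and args:
            opts[key] = args[0].lower()   # first obtained value wins
    if opts["forwardx11"] != "yes":
        return "off"
    return "trusted" if opts["forwardx11trusted"] == "yes" else "untrusted"
```

With this sample, `-X` to a `legacy-*` host resolves to trusted because the config supplies ForwardX11Trusted, which is one reason the same `-X` command behaves differently from one client machine to another.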