Date:      Thu, 10 May 2018 23:26:59 -0700
From:      Kevin Oberman <rkoberman@gmail.com>
To:        Jan Beich <jbeich@freebsd.org>
Cc:        Niclas Zeising <zeising+freebsd@daemonic.se>,  "freebsd-x11@freebsd.org" <freebsd-x11@freebsd.org>
Subject:   Re: ssh -X remote does not work due to problem with xauth
Message-ID:  <CAN6yY1ubbqJG97qPCBJvJRqm7y3UERj=ieC33fQ6HA-GTewvTQ@mail.gmail.com>
In-Reply-To: <k1sa-iwk2-wny@FreeBSD.org>
References:  <20180510182928.GA3747@c720-r314251> <20180510192510.GA38033@elch.exwg.net> <20180510194701.GB38033@elch.exwg.net> <466cd23b-344a-8d8a-d936-3ac38edff4a8@daemonic.se> <k1sa-iwk2-wny@FreeBSD.org>

On Thu, May 10, 2018 at 10:35 PM, Jan Beich <jbeich@freebsd.org> wrote:

> Niclas Zeising <zeising+freebsd@daemonic.se> writes:
>
> > On 05/10/18 21:47, Christoph Moench-Tegeder wrote:
> >
> >> ## Christoph Moench-Tegeder (cmt@burggraben.net):
> >>
> >>> I haven't yet checked what causes these differing defaults.
> >>
> >> Well, now that I thought about it: most Linux distributions build their
> >> X server with "--enable-xcsecurity" in the configure flags. FreeBSD
> >> does not set that flag, as far as I can see. Next question: why?
> >>
> >
> > Hi!
> > It could be because of backwards compatibility, or, because at least I
> > wasn't really aware of that flag.  Is it for xserver or some other
> > package?
>
> See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221984
>

I'm a bit confused. I always have found that the simple solution to this
was the '-Y' option as described in the man page for ssh.

   -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.

             For this reason, X11 forwarding is subjected to X11 SECURITY
             extension restrictions by default.  Please refer to the ssh -Y
             option and the ForwardX11Trusted directive in ssh_config(5) for
             more information.

IIRC, FreeBSD (and OpenBSD) chose to require -Y to emphasize the risks
involved. I'm guessing that des@ was responsible on the FreeBSD side.
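
Added example, not part of the original message and not OpenSSH code: a small audit that lists the `Host` blocks in ssh_config-style text that set `ForwardX11Trusted yes`, which has the same effect as always passing `-Y` and so lifts the X11 SECURITY extension restrictions the man page excerpt describes. The host names are constructed placeholders, and the script assumes a flat file: it does not resolve `Include` or `Match`, nor first-match-wins ordering between overlapping `Host` patterns.

```shell
#!/bin/sh
# Added example: report Host blocks in ssh_config-style text that set
# ForwardX11Trusted yes (the same effect as always running ssh -Y).
# Assumptions: Include and Match are not resolved, and the first-match-wins
# ordering across overlapping Host patterns is not evaluated.

audit_x11_trust() {
    awk '
    BEGIN { host = "(global)" }
    {
        sub(/#.*/, "")      # drop comments
        gsub(/=/, " ")      # ssh_config also accepts Keyword=value
        if (NF < 2) next
        key = tolower($1)   # keywords are case-insensitive
        if (key == "host") {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        if (key == "forwardx11trusted" && tolower($2) == "yes")
            print host
    }'
}

# Constructed sample configuration (host names are placeholders).
sample_config() {
    cat <<'EOF'
# trusted forwarding: remote clients get full access to the local display
Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted yes

# untrusted forwarding: SECURITY extension restrictions stay in force
Host bastion.example.org
    ForwardX11 yes
    ForwardX11Trusted no

Host *.lab.example.org
    forwardx11trusted=YES

Host *
    ForwardX11 no
EOF
}

sample_config | audit_x11_trust
```

To see the value OpenSSH actually resolves for one host, `ssh -G hostname` prints the effective options.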


