A question about X11 forwarding.
by camerabambai from LinuxQuestions.org on (#5A8B9)
Correct me if I'm wrong.
Probably the ssh -X option is more secure compared to ssh -Y, because ssh -X requires two types of authentication: the ssh (password, Kerberos, or public key) and the X11 (xauth, xhost) authentication.
When we use ssh -Y, which is called "trusted", we trust the host and we bypass the X11 auth, so we don't need to use the command xhost.
So in my opinion ssh -X is the safest; there is only one problem: the latest version of ssh seems to give this problem.
I did

Code:
ssh -vvv -X myhost

and I get those two errors

Code:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated

Code:
debug2: client_x11_get_proto: xauth command: /usr/bin/xauth -f /tmp/ssh-KYHfkmGN25fa/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1260 2>/dev/null

When I try to run the xauth command directly, it gives me this error

Code:
/usr/bin/xauth -f /tmp/ssh-KYHfkmGN25fa/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1260
/usr/bin/xauth: error in locking authority file /tmp/ssh-KYHfkmGN25fa/xauthfile

I did this (useless) workaround: editing ssh_config and enabling those lines

Code:
Host *
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes

ssh -X now works fine, but there is only one problem.
I have tried to disable access

Code:
xhost -

and running ssh -X still accepts the host! So I think that ForwardX11Trusted yes overrides ForwardX11 yes.
After editing ssh_config

Code:
Host *
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted no

and ssh -X doesn't work.
So the problem is still open.
The question is: are we forced to use ssh -Y, or is there a solution?
Thanks
I'm on Slackware current with the latest ssh package
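
Added example, not part of the original post: the -X flag only sets ForwardX11, while ForwardX11Trusted is still read from ssh_config, so the mode a session really gets is best read from `ssh -G`, which prints the merged configuration. The function name x11_mode and the two sample inputs are constructed for this illustration.

```shell
#!/bin/sh
# Classify the X11 forwarding mode from `ssh -G` output read on stdin.
# `ssh -G` prints the options ssh would actually use (lowercase keys),
# after merging command-line flags with ssh_config.
x11_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        END {
            if (fwd != "yes")          print "disabled"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# Constructed sample: `ssh -G -X myhost` with the post's first ssh_config
# (ForwardX11Trusted yes). -X does not reset the trusted setting.
sample_trusted_cfg() {
    printf '%s\n' 'hostname myhost' 'forwardagent yes' \
        'forwardx11 yes' 'forwardx11trusted yes'
}

# Constructed sample: `ssh -G -X myhost` with the post's second ssh_config
# (ForwardX11Trusted no). This is the mode that runs
# `xauth generate ... untrusted`, the step that fails in the post.
sample_untrusted_cfg() {
    printf '%s\n' 'hostname myhost' 'forwardagent yes' \
        'forwardx11 yes' 'forwardx11trusted no'
}

# Live use (requires an ssh client that supports -G):
#   ssh -G -X myhost | x11_mode
#   ssh -G -Y myhost | x11_mode
```

A result of "trusted" for a plain -X session means the remote clients are not subject to the X11 SECURITY extension restrictions, regardless of the xhost setting on the local display.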

