On 07/05/2015 04:51 AM, Liam O'Toole wrote:
> One practical difference I have seen is the improved performance of -Y
> over -X. I have long attributed that to the relaxation of security
> controls in the former case.

When and how did you measure that?

The -Y change was introduced in Fedora Core 3, in November 2004. The
default was changed to ForwardX11Trusted=yes just a month or two later.
I'm not sure -X and -Y ever behaved differently on Enterprise Linux or
CentOS.

At this point, I don't think it's even possible to set
ForwardX11Trusted=no any more. The X SECURITY extension was replaced
with "X Access Control Extension" several years ago.

On 2015-07-05, Gordon Messmer <gordon.messmer at gmail.com> wrote:
> On 07/05/2015 04:51 AM, Liam O'Toole wrote:
>> One practical difference I have seen is the improved performance of
>> -Y over -X. I have long attributed that to the relaxation of security
>> controls in the former case.
>
> When and how did you measure that?
>
> The -Y change was introduced in Fedora Core 3, in November 2004. The
> default was changed to ForwardX11Trusted=yes just a month or two
> later. I'm not sure -X and -Y ever behaved differently on Enterprise
> Linux or CentOS.
>
> At this point, I don't think it's even possible to set
> ForwardX11Trusted=no any more. The X SECURITY extension was replaced
> with "X Access Control Extension" several years ago.

The perceived difference was a general impression on my part, and not
measured scientifically. Moreover, it was formed years ago, and on a
variety of Linux systems. I concede that it may well be obsolete.

--
Liam

On Mon, 6 Jul 2015, Liam O'Toole wrote:
> On 2015-07-05, Gordon Messmer <gordon.messmer at gmail.com> wrote:
>> On 07/05/2015 04:51 AM, Liam O'Toole wrote:
>>
>> At this point, I don't think it's even possible to set
>> ForwardX11Trusted=no any more. The X SECURITY extension was replaced
>> with "X Access Control Extension" several years ago.
>
> The perceived difference was a general impression on my part, and not
> measured scientifically. Moreover, it was formed years ago, and on a
> variety of Linux systems. I concede that it may well be obsolete.

EL6:

ssh -X -o ForwardX11Trusted=no somehost xterm
<select some text in the window>
X Error of failed request: BadAccess (attempt to access private resource denied)

ssh -Y -o ForwardX11Trusted=no somehost xterm
<select some text in the window>
All well.

ssh -X -o ForwardX11Trusted=yes somehost xterm
<select some text in the window>
All well (unsurprising really, seeing as it means the same thing).

-X/-Y/ForwardX11Trusted still do exactly what they've always done, no?

You're trusting the remote host to not misbehave if you use -Y or
ForwardX11Trusted=yes since at the very least you're opening up a
fairly large information leakage to the remote host. That's fine if you
do trust it, but it really isn't if you don't, surely?

jh
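
The -X/-Y/ForwardX11Trusted behaviour tested in the last message can be checked per host from the client's effective configuration. The script below is an added example, not part of the original thread. It assumes an OpenSSH client that supports `ssh -G` (6.8 or later); the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report X11 forwarding posture from `ssh -G` output.
# `ssh -G host` prints the effective client options, one "keyword value"
# pair per line, with the keywords in lowercase.

# Reads `ssh -G` output on stdin (hypothetical helper name).
# Prints "default=<on|off> dash_X=<trusted|untrusted|unknown>":
#   default = whether X11 is forwarded without any -X/-Y on the command line
#   dash_X  = what a plain `ssh -X` gets, given ForwardX11Trusted
x11_posture() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { tr = $2 }
        END {
            def = (fwd == "yes") ? "on" : "off"
            if (tr == "yes")      mode = "trusted"
            else if (tr == "no")  mode = "untrusted"
            else                  mode = "unknown"
            printf "default=%s dash_X=%s\n", def, mode
        }'
}

# Constructed sample: ForwardX11Trusted=no, forwarding only with -X/-Y.
sample_untrusted() {
    printf '%s\n' 'hostname somehost' 'forwardx11 no' 'forwardx11trusted no'
}

# Constructed sample: ForwardX11Trusted=yes, so -X means the same as -Y.
sample_trusted() {
    printf '%s\n' 'hostname somehost' 'forwardx11 no' 'forwardx11trusted yes'
}

# Constructed sample: forwarding on for every connection, and trusted.
sample_always_trusted() {
    printf '%s\n' 'hostname somehost' 'forwardx11 yes' 'forwardx11trusted yes'
}

# Usage: sh x11_posture.sh host1 host2 ...
for h in "$@"; do
    printf '%s: ' "$h"
    ssh -G "$h" | x11_posture
done
```

A host reported as `dash_X=trusted` gets the same access to the local display from `ssh -X` as from `ssh -Y`, and `default=on` means that applies to every connection to that host.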