Since packaging OpenSSH 3.8p1 for Debian, I've got a flood of bug reports and confusion about the new untrusted X client configuration.

At least part of this seems to be the short (2 minutes!) timeout on the cookie, so that if you're impatient like me and open a connection to a machine that takes a little while to do the key exchange, go off and do something in another window in the meantime, and then come back when it's finished, you may well find that the untrusted cookie's expired in the meantime. This seems a bit excessive.

Would anyone think I was crazy for defaulting to ForwardX11Trusted in our OpenSSH package for a while until this becomes more mature? At least then we don't regress.

-- 
Colin Watson [cjwatson at flatline.org.uk]
On Tue, 9 Mar 2004, Colin Watson wrote:
> Since packaging OpenSSH 3.8p1 for Debian, I've got a flood of bug
> reports and confusion about the new untrusted X client configuration.
>
> At least part of this seems to be the short (2 minutes!) timeout on the
> cookie, so that if you're impatient like me and open a connection to a
> machine that takes a little while to do the key exchange, go off and do
> something in another window in the meantime, and then come back when
> it's finished, you may well find that the untrusted cookie's expired in
> the meantime. This seems a bit excessive.

Markus is looking at this.

> Would anyone think I was crazy for defaulting to ForwardX11Trusted in
> our OpenSSH package for a while until this becomes more mature? At least
> then we don't regress.

Some of the maturing needs to happen in the X11 server libraries, toolkits and applications as well. The X11 server libraries have fixed, but very coarse security policy for what actions an untrusted connection can perform. The toolkits and applications need to stop blindly assuming that every action is possible.

-d
On Tue, Mar 09, 2004 at 03:44:20PM +0000, Colin Watson wrote:
> At least part of this seems to be the short (2 minutes!) timeout on the
> cookie, so that if you're impatient like me and open a connection to a

I've changed this to 20 minutes. 1 minute is the default in xauth, and 2 minutes would be appropriate for ssh -f host xapp style forwarding.
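As an added example (not from this thread or from OpenSSH itself), a small Python audit helper that resolves the effective ForwardX11, ForwardX11Trusted and ForwardX11Timeout values per host from an ssh_config using ssh's first-obtained-value rule, so a packager's or site-wide "ForwardX11Trusted yes" default can be checked host by host. It assumes the ForwardX11Timeout option and its 20m default from later OpenSSH releases (3.8p1 had neither), and the sample config and hostnames are constructed.

```python
import fnmatch

# Defaults per ssh_config(5) in current OpenSSH (assumed; 3.8p1 hard-coded 2 min).
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no", "forwardx11timeout": "20m"}

# Constructed sample ssh_config; the hostnames are placeholders, not real hosts.
SAMPLE_CONFIG = """\
Host build-*.example.test
    ForwardX11 yes
    ForwardX11Trusted yes
Host !*.example.test *
    ForwardX11 yes
Host *
    ForwardX11Trusted no
    ForwardX11Timeout 2m
"""

def parse_ssh_config(text):
    """Split "Keyword value" lines into (host_patterns, {opt: val}) blocks."""
    blocks = [(["*"], {})]  # settings before any Host line apply to every host
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):  # ssh only allows whole-line comments
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:  # within one block the first setting of an option is kept
            blocks[-1][1].setdefault(key.lower(), value.strip())
    return blocks

def host_matches(hostname, patterns):
    """A matching negated ('!') pattern vetoes the block; else any positive match wins."""
    if any(fnmatch.fnmatchcase(hostname, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in patterns if not p.startswith("!"))

def effective_x11(hostname, text=SAMPLE_CONFIG):
    """Resolve X11 options: the first matching block that sets one wins."""
    result, unset = dict(DEFAULTS), set(DEFAULTS)
    for patterns, opts in parse_ssh_config(text):
        if host_matches(hostname, patterns):
            for key in unset & set(opts):
                result[key] = opts[key].lower()
            unset -= set(opts)
    return result

def x11_is_trusted(hostname, text=SAMPLE_CONFIG):
    """True when the host would get a trusted (unrestricted) X11 connection."""
    eff = effective_x11(hostname, text)
    return eff["forwardx11"] == "yes" and eff["forwardx11trusted"] == "yes"
```

Note that the trailing "Host *" block cannot loosen a host-specific setting made earlier in the file, which is why a trusted default has to be placed where it is matched last.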