9/10 Why does OpenSSH default to "ForwardX11 no"? Given X11's lack of
encryption, isn't this the best way to do X11?
\_ X programs can do more than just open windows on your desktop --
they can also do things like capture images of your display (as
xwd does) or intercept the keystrokes you type (as most window
managers do).
This means that, while it's safe to telnet to a random machine you
don't trust -- it can't do anything to your local account -- it's
*not* safe to ssh with X forwarding to a random machine, since
that machine could (say) start monitoring the passwords you type
into other windows.
\_ Yes, but they believe X11 forwarding should be something you
request as it can open security holes if you do it wrong.
\_ So what can I do wrong when using SSH's X11 port forwarding
that would open a security hole?
\_ xhost +, which would then allow anyone on the remote machine
to snoop everything you type, completely destroying the
usefulness of ssh.
\_ This doesn't make sense. Why would someone who is using
ssh want to use xhost at all and if you do "xhost +"
it shouldn't matter whether you use ssh or not because
either way there is a huge wide open hole at this point.
\_ less things to try to hack. period.
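
An added example, not part of the thread: a small checker that works out which X11 forwarding settings an ssh client config would apply to a given host, so forwarding can stay off by default and be enabled only for named machines. The host names and sample config are constructed, and Match blocks are ignored as a simplifying assumption.

```python
import fnmatch

# Constructed sample ~/.ssh/config; all host names are hypothetical.
SAMPLE = """\
Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted no

Host *.lab.example.org !scratch.lab.example.org
    ForwardX11=yes
    ForwardX11Trusted yes

Host *
    ForwardX11 no
"""

X11_KEYS = ("forwardx11", "forwardx11trusted")


def host_matches(patterns, hostname):
    """ssh_config Host rule: a matching negated pattern vetoes the entry."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):  # only * and ? are expected
            positive = True
    return positive


def effective_x11(config_text, hostname):
    """Return the X11 options that apply to hostname (first value wins)."""
    result = {}
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif key == "match":
            active = False  # assumption: Match blocks are out of scope here
        elif active and key in X11_KEYS:
            result.setdefault(key, value.lower())
    # Upstream OpenSSH default is "no" for both; distribution builds may differ.
    return {k: result.get(k, "no") for k in X11_KEYS}
```
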