BLU Discuss list archive
[Discuss] SSH options (was Future of X11 (was Trying to connect to internet in Debian))
- Subject: [Discuss] SSH options (was Future of X11 (was Trying to connect to internet in Debian))
- From: kentborg at borg.org (Kent Borg)
- Date: Mon, 19 Jan 2026 08:12:55 -0800
- In-reply-to: <20260119080150.7891b97d.Richard.Pieri@gmail.com>
- References: <61c91e0a-f658-415c-a91d-bc8cb008bf0b@borg.org> <26989.37879.578151.953291@gargle.gargle.HOWL> <26989.37936.100241.254462@gargle.gargle.HOWL> <c40fd68e-e540-471c-a253-7ae04dedaa65@borg.org> <20260119080150.7891b97d.Richard.Pieri@gmail.com>
On 1/19/26 5:01 AM, Rich Pieri wrote:
> The X11 SECURITY extension allows you to mark X11 clients as trusted or
> untrusted. Development was abandoned in the 1990s because hardly anyone
> used it, but the code still lives in X.Org. Problem is, clients marked
> untrusted don't work as expected and often not at all. -Y says "forward
> X11 SECURITY trust". In practice it marks your X11 clients as trusted
> which bypasses the extension so that they work correctly.

So when I "ssh -X 10.1.2.3" (no "-Y") I'm not getting best "work as expected"? I have never used "-Y" and X forwarding has worked well for me, so I can live with that. But am I actually getting any security advantage by adding "-Y"? I thought I saw someplace that "-Y" is (nearly?) a no-op.

Note, I don't run untrusted programs over X, but I also don't want to trust all these "trusted" programs. Just because something is in an official Debian package doesn't mean we should necessarily trust its intentions. And it certainly doesn't mean we should trust its competence (and so its relative invulnerability to exploit). I sure know that since I looked at a little of the sources to Dovecot I very much want to get off of it, when I get the chance.

-kb
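Added example, not part of the original post: a way to see which mode a given ssh invocation would actually use, by reading the effective client settings that `ssh -G` prints. The `ForwardX11Trusted` option is what `-Y` turns on, and the system-wide ssh_config can also set it, so `-X` alone may already be trusted. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify X11 forwarding from `ssh -G` output read on stdin.
# Real use (needs an OpenSSH client with -G support):
#     ssh -G -X 10.1.2.3 | classify_x11
# Prints one of:
#     off                    X11 forwarding is not enabled
#     trusted                forwarded clients bypass the SECURITY extension
#     untrusted timeout=N    forwarded clients are restricted; N is the
#                            forwardx11timeout value in seconds
classify_x11() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "forwardx11"        { fwd = val }
        key == "forwardx11trusted" { trusted = val }
        key == "forwardx11timeout" { timeout = val }
        END {
            if (fwd != "yes") {
                print "off"
            } else if (trusted == "yes") {
                print "trusted"
            } else {
                if (timeout == "") timeout = "unknown"
                print "untrusted timeout=" timeout
            }
        }'
}

# Constructed sample of the relevant `ssh -G` lines (not captured output).
sample_ssh_g() {
    printf '%s\n' \
        'hostname 10.1.2.3' \
        'forwardx11 yes' \
        'forwardx11trusted no' \
        'forwardx11timeout 1200'
}

sample_ssh_g | classify_x11
```

Comparing the result for `ssh -G -X host` with the result for `ssh -G -Y host` on the same machine shows whether the two flags differ there.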
