[Discuss] SSH options (was Future of X11 (was Trying to connect to internet in Debian))
Kent Borg
kentborg at borg.org
Mon Jan 19 11:12:55 EST 2026
On 1/19/26 5:01 AM, Rich Pieri wrote:
> The X11 SECURITY extension allows you to mark X11 clients as trusted or
> untrusted. Development was abandoned in the 1990s because hardly anyone
> used it, but the code still lives in X.Org. Problem is, clients marked
> untrusted don't work as expected and often not at all. -Y says "forward
> X11 SECURITY trust". In practice it marks your X11 clients as trusted
> which bypasses the extension so that they work correctly.
So when I "ssh -X 10.1.2.3" (no "-Y") I'm not getting best "work as
expected"? I have never used "-Y" and X forwarding has worked well for
me, so I can live with that.
But am I actually getting any security advantage by adding "-Y"? I
thought I saw someplace that "-Y" is (nearly?) a no-op.
Note, I don't run untrusted programs over X, but I also don't want to
trust all these "trusted" programs. Just because something is in an
official Debian package doesn't mean we should necessarily trust its
intentions. And it certainly doesn't mean we should trust its competence
(and so its relative invulnerability to exploit).
I sure know that since I looked at a little of the sources to Dovecot I
very much want to get off of it, when I get the chance.
-kb
More information about the Discuss
mailing list