LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-16-2007, 07:33 AM   #1
xpucto
Member
 
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524

Rep: Reputation: 31
ssh -Y or ssh -X?


Hi!

what ist more secure: using ssh -Y or using ssh -X?
I read that ssh -X can be unsecure, but I didn't understand why, or what I have to change to make it more secure.

thanks for any explanation.
 
Old 03-16-2007, 08:49 AM   #2
Dox Systems - Brian
Member
 
Registered: Nov 2006
Posts: 344

Rep: Reputation: 31
What's the "-Y" option? My SSH doesn't seem to have that...
 
Old 03-16-2007, 09:20 AM   #3
xpucto
Member
 
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by Dox Systems - Brian
What's the "-Y" option? My SSH doesn't seem to have that...
man ssh:
Quote:
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.
but I still don't understand much about it. Is it better to use -X or -Y? Do I have to change the configuration?

the version of my ssh is
Quote:
OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005
. How old is yours? Doesn't it accept the command -Y ?
 
Old 03-16-2007, 09:42 AM   #4
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 66
It seems that -Y is less secure than -X because machines at both ends of the connection trust themselves.

Yves.
 
Old 03-16-2007, 10:02 AM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
I thought it was the opposite:
Quote:
-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the
remote host (for the user's X authorization database) can access the local X11 display through the for‐
warded connection. An attacker may then be able to perform activities such as keystroke monitoring.
I'm not sure how to enable untrusted but the problem with trusted is this:
Alice sitting on Client connects to Server.
Unfortunatly.. Bob has rooted Server. He has full access to files (like ~alice/.Xauthority)
Alice opens an xterm on Client.
Bob sets his display to the same that was given by Alice and through the tunnel, attaches to her display on Client: DISPLAY=localhost:10.0 xev -id <xterm_window_id> | awk '/XLookupString gives 1 bytes/{ print $6}' | uniq
Alice on the client:
su -
s3cr3t
Bob on the server:
"s"
"3"
"c"
"r"
"3"
"t"
Bob now has root password of client... EOG

With sudo, Alice wouldn't have typed her password
Unfortunatly, Bob can also trivially inject commands in the xterm.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
open-ssh vs. commercial ssh (tru64), public-key auth not possible? cf050 Linux - Networking 8 03-28-2012 12:15 PM
ssh-agent, ssh-add and ssh-keygen AND CVS raylpc Linux - General 2 11-19-2008 03:50 AM
setting up an ssh soxy or local ssh tunnel from within an ssh soxy Mangenius Linux - Networking 0 03-05-2007 04:15 PM
ssh -> perl -> spawn background proces hangs ssh session rhoekstra Programming 2 04-25-2006 02:05 AM
Passwordless SSH with SSH commercial server and open ssh cereal83 Linux - General 7 04-18-2006 01:34 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:28 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration