Bug 137685

Summary: 'ssh -Y' and X forwarding documentation is misleading (remote X programs don't run, cut & paste crashes, ...)
Product: [Fedora] Fedora Reporter: Michal Jaegermann <michal>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: barryn, dfwc1, dgunchev, francois-xavier.kowalski, glenn, gt, hpa, ivo, james, linkr, mharris, moniot, njh, persteinar.iversen, rhbugzillamarcw, ubeck, vader
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-3.9p1-10 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-03-07 03:40:56 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Michal Jaegermann 2004-10-30 13:35:28 EDT
Description of problem:

'man ssh' states the following:

   X11 and TCP forwarding
     If the ForwardX11 variable is set to "yes" (or see the
     description of the -X and -x options described later)
     and the user is using X11 (the DISPLAY environment
     variable is set), the connection to the X11 display is
     automatically forwarded to the remote side in such a
     way that any X11 programs started from the shell (or
     command) will go through the encrypted channel, and the
     connection to the real X server will be made from the
     local machine.

and nothing in this description mentions anything about "trusted".
It is true that the later is mentioned exactly two times elsewhere
in the same document but nothing explains what that may really
be, when it should be used, how it differs from '-X' and why
'ForwardX11' variable is not setting it.

Version-Release number of selected component (if applicable):
openssh-3.9p1-7
Comment 1 Tomas Mraz 2005-01-31 15:35:43 EST
*** Bug 142609 has been marked as a duplicate of this bug. ***
Comment 2 Tomas Mraz 2005-01-31 15:36:55 EST
*** Bug 142162 has been marked as a duplicate of this bug. ***
Comment 3 Tomas Mraz 2005-01-31 15:39:47 EST
*** Bug 141894 has been marked as a duplicate of this bug. ***
Comment 4 Tomas Mraz 2005-01-31 15:44:06 EST
*** Bug 141515 has been marked as a duplicate of this bug. ***
Comment 5 Tomas Mraz 2005-01-31 15:45:17 EST
*** Bug 139336 has been marked as a duplicate of this bug. ***
Comment 6 Tomas Mraz 2005-01-31 15:50:03 EST
*** Bug 139846 has been marked as a duplicate of this bug. ***
Comment 7 Tomas Mraz 2005-01-31 15:50:30 EST
*** Bug 136976 has been marked as a duplicate of this bug. ***
Comment 8 Tomas Mraz 2005-01-31 16:29:06 EST
*** Bug 135849 has been marked as a duplicate of this bug. ***
Comment 9 Tomas Mraz 2005-01-31 16:31:23 EST
*** Bug 134534 has been marked as a duplicate of this bug. ***
Comment 10 Tomas Mraz 2005-02-03 02:46:21 EST
*** Bug 146239 has been marked as a duplicate of this bug. ***
Comment 11 Tomas Mraz 2005-02-07 03:08:14 EST
*** Bug 147294 has been marked as a duplicate of this bug. ***
Comment 12 Tomas Mraz 2005-02-08 10:32:41 EST
So the default in the ssh_config file was set to enable ForwardX11Trusted. But
the X11 forwarding stays off by default. So from the openssh-3.9p1-10 you can
use either ssh -X or ssh -Y with the same results - working X11 forwarding.
Comment 13 Tomas Mraz 2005-02-08 10:56:16 EST
*** Bug 125698 has been marked as a duplicate of this bug. ***
Comment 14 Need Real Name 2005-02-22 18:19:03 EST
For the record, I think changing the default for the sake of
convenience and so you stop getting pestered by bug reports by people
who for the most part don't read documentation, is a very bad idea.

The whole point of X security extensions is to mitigate the
long-standing problem with forwarding X in general, which is that a
remote "trusted" X client can snoop the keyboard/mouse of ANY X
PROCESS running on that X server.  This includes terminals where users
might be typing their passwords, etc.

Now that X finally incorporates some mechanism for controlling this,
OpenSSH thoughtfully made use of this.  Changing this default
effectively defeats the whole purpose.

If I were in charge, I'd be duping these bugs up to a parent bug which
said "RTFM" in huge letters, and had links to where it's documented
(including the FC3 release notes!! as has already been pointed out). 
But, I'm not in charge, so the best I can do is whine on Bugzilla.
Comment 15 Mike A. Harris 2005-02-22 22:06:56 EST
> For the record, I think changing the default for the sake of
> convenience and so you stop getting pestered by bug reports by
> people who for the most part don't read documentation, is a
> very bad idea.

I respectfully disagree.  Our goal is to produce an easy to use
OS, for a diverse userbase.  To do that, we need to configure things
for the "general" case, and we sometimes need to make some
compromises along the way, as well as changing some "default"
settings in some applications.  This is one of those cases.

> The whole point of X security extensions is to mitigate the
> long-standing problem with forwarding X in general, which is
> that a ...

Actually, the X-SECURITY extension does not at all fit well with
the needs of the modern desktop.  The X-SECURITY extension was
designed to meet the needs of a 3 letter government agency which
had a very specific usage case in mind designed to compartmentalize
applications of a higher security clearance level from those of
lower security clearance.  As such, the X-SECURITY extension is
only useful essentially in 3 letter government/military agencies
with very customized software.  X-SECURITY is not a reasonable
general purpose security model for general desktop deployment.

There is some research underway in the community with SElinux
and other efforts to bring a sane and useable security model
to X11, which meet the needs of a modern desktop system, while
retaining useability.  The X-SECURITY extension essentially causes
all current modern applications to break, because they are
unaware of X-SECURITY, or can't work properly within it's limited
framework.

Our goal is to make the OS work out of the box for people, the
way most people will expect things to work, while putting a high
eye on security matters at the same time.

Our decision on how to handle this specific issue was based on
the goals we've set forth for both security and useability.

Thanks for your feedback!

Comment 21 Tomas Mraz 2005-03-07 03:40:56 EST
This is fixed for FC3 in updates - 3.9p1-8.0.1 and in rawhide too.
Comment 22 Tomas Mraz 2005-03-07 03:45:03 EST
*** Bug 138875 has been marked as a duplicate of this bug. ***
Comment 23 Phil Schaffner 2005-05-19 13:14:05 EDT
Given all the duplicates pointed to this bug this is a common problem.  Even
after reading and following everything about -X, -Y, "ForwardX11 yes", and
"ForwardX11Trusted yes" still had one EL 4 machine that refused to forward.

Installed xorg-x11-xauth on that machine per advice in
https://www.redhat.com/archives/fedora-list/2004-November/msg03616.html and it
now works like the others.