Bug 137685
| Summary: | 'ssh -Y' and X forwarding documentation is misleading (remote X programs don't run, cut & paste crashes, ...) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michal Jaegermann <michal> |
| Component: | openssh | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3 | CC: | barryn, dfwc1, dgunchev, francois-xavier.kowalski, glenn, gt, hpa, ivo, james, linkr, mharris, moniot, njh, persteinar.iversen, rhbugzillamarcw, ubeck, vader |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openssh-3.9p1-10 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-03-07 08:40:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** Bug 142609 has been marked as a duplicate of this bug. *** *** Bug 142162 has been marked as a duplicate of this bug. *** *** Bug 141894 has been marked as a duplicate of this bug. *** *** Bug 141515 has been marked as a duplicate of this bug. *** *** Bug 139336 has been marked as a duplicate of this bug. *** *** Bug 139846 has been marked as a duplicate of this bug. *** *** Bug 136976 has been marked as a duplicate of this bug. *** *** Bug 135849 has been marked as a duplicate of this bug. *** *** Bug 134534 has been marked as a duplicate of this bug. *** *** Bug 146239 has been marked as a duplicate of this bug. *** *** Bug 147294 has been marked as a duplicate of this bug. *** So the default in the ssh_config file was set to enable ForwardX11Trusted. But the X11 forwarding stays off by default. So from the openssh-3.9p1-10 you can use either ssh -X or ssh -Y with the same results - working X11 forwarding. *** Bug 125698 has been marked as a duplicate of this bug. *** For the record, I think changing the default for the sake of convenience and so you stop getting pestered by bug reports by people who for the most part don't read documentation, is a very bad idea. The whole point of X security extensions is to mitigate the long-standing problem with forwarding X in general, which is that a remote "trusted" X client can snoop the keyboard/mouse of ANY X PROCESS running on that X server. This includes terminals where users might be typing their passwords, etc. Now that X finally incorporates some mechanism for controlling this, OpenSSH thoughtfully made use of this. Changing this default effectively defeats the whole purpose. If I were in charge, I'd be duping these bugs up to a parent bug which said "RTFM" in huge letters, and had links to where it's documented (including the FC3 release notes!! as has already been pointed out). But, I'm not in charge, so the best I can do is whine on Bugzilla. > For the record, I think changing the default for the sake of > convenience and so you stop getting pestered by bug reports by > people who for the most part don't read documentation, is a > very bad idea. I respectfully disagree. Our goal is to produce an easy to use OS, for a diverse userbase. To do that, we need to configure things for the "general" case, and we sometimes need to make some compromises along the way, as well as changing some "default" settings in some applications. This is one of those cases. > The whole point of X security extensions is to mitigate the > long-standing problem with forwarding X in general, which is > that a ... Actually, the X-SECURITY extension does not at all fit well with the needs of the modern desktop. The X-SECURITY extension was designed to meet the needs of a 3 letter government agency which had a very specific usage case in mind designed to compartmentalize applications of a higher security clearance level from those of lower security clearance. As such, the X-SECURITY extension is only useful essentially in 3 letter government/military agencies with very customized software. X-SECURITY is not a reasonable general purpose security model for general desktop deployment. There is some research underway in the community with SElinux and other efforts to bring a sane and useable security model to X11, which meet the needs of a modern desktop system, while retaining useability. The X-SECURITY extension essentially causes all current modern applications to break, because they are unaware of X-SECURITY, or can't work properly within it's limited framework. Our goal is to make the OS work out of the box for people, the way most people will expect things to work, while putting a high eye on security matters at the same time. Our decision on how to handle this specific issue was based on the goals we've set forth for both security and useability. Thanks for your feedback! This is fixed for FC3 in updates - 3.9p1-8.0.1 and in rawhide too. *** Bug 138875 has been marked as a duplicate of this bug. *** Given all the duplicates pointed to this bug this is a common problem. Even after reading and following everything about -X, -Y, "ForwardX11 yes", and "ForwardX11Trusted yes" still had one EL 4 machine that refused to forward. Installed xorg-x11-xauth on that machine per advice in https://www.redhat.com/archives/fedora-list/2004-November/msg03616.html and it now works like the others. |
Description of problem: 'man ssh' states the following: X11 and TCP forwarding If the ForwardX11 variable is set to "yes" (or see the description of the -X and -x options described later) and the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 programs started from the shell (or command) will go through the encrypted channel, and the connection to the real X server will be made from the local machine. and nothing in this description mentions anything about "trusted". It is true that the later is mentioned exactly two times elsewhere in the same document but nothing explains what that may really be, when it should be used, how it differs from '-X' and why 'ForwardX11' variable is not setting it. Version-Release number of selected component (if applicable): openssh-3.9p1-7