Date: Thu, 7 Jul 2005 10:21:25 +0100
On our SL 4.0 machine we have the following openssh rpms installed:

  rpm -qa | grep openssh
  openssh-server-3.9p1-8.RHEL4.1.i386
  openssh-3.9p1-8.RHEL4.1.i386
  openssh-askpass-gnome-3.9p1-8.RHEL4.1.i386
  openssh-clients-3.9p1-8.RHEL4.1.i386
  openssh-askpass-3.9p1-8.RHEL4.1.i386

If I do yum check-update
I only see kernel and afs items, which is to be expected given the standard
configuration of /etc/yum.d/yum.cron.excludes so we seem to be up to date.

I see from "man ssh_config" that what I need to do is insert the line

  ForwardX11Trusted yes

into

  /etc/ssh/ssh_config

I assume that is what you meant by saying it is the default configuration.

Troy Dawson wrote:
> Sorry for jumping in so late in the conversation. But it looks like
> this is something that people got upset with RedHat about, because they
> changed the defaults with Update 1. Here is a clip from our release
> notes for 4.1
>
> o The openssh-3.9p1 package included in Scientific Linux 4.x
>   introduced two different modes of X11 forwarding: trusted and
>   untrusted. In the default Scientific Linux 4.x configuration,
>   passing the -X flag to /usr/bin/ssh (or using the "ForwardX11 on"
>   configuration option) enables untrusted X11 forwarding. This mode
>   restricts the X11 protocol to prevent a malicious application
>   using a forwarded SSH connection from compromising the security of
>   the local X11 server (for example, by performing keystroke
>   monitoring); but few X11 applications are usable in this mode.
>
>   In Scientific Linux 4.1, the default configuration of
>   the openssh client has been changed such that passing the -X flag
>   enables trusted X11 forwarding. The trusted forwarding mode
>   allows all X applications to work correctly when forwarded over an
>   SSH connection; but, as with previous releases of Scientific
>   Linux, it should only be used when invoking trusted applications.
>
>
> So ... I'm wondering, which openssh are you using? The original one
> with 4.0, or the one that came with 4.1 ... which I think was also one
> of the security errata.
>
> Troy
>
> Devin Bougie wrote:
>
>> Hi All,
>>
>>>> On Wed, 6 Jul 2005, Alex Finch wrote:
>>>> 2) secure shell to a remote machine with x forwarding enabled:
>>>>
>>>> emacs - click in the window to edit, sooner or later it crashes
>>>> saying:
>>>> =======
>>>> X protocol error: BadWindow ( invalid window parameter ) on
>>>> protocol request 38
>>
>>
>>
>> We saw similar problems that were solved by using trusted X11
>> forwarding. Try using "ssh -Y" instead of "ssh -X," or add
>> "ForwardX11Trusted yes" to your ~/.ssh/config.
>>
>> I hope this helps,
>> Devin
>>
>
>
--
Alex Finch, Research Fellow, Physics Department, Lancaster University.
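
The release note quoted above says trusted forwarding should only be used when invoking trusted applications. As an added example (not part of the original messages), this client configuration limits "ForwardX11Trusted yes" to named hosts instead of setting it for every connection. The host names are constructed placeholders.

```sshconfig
# ~/.ssh/config, or /etc/ssh/ssh_config for all users of the machine.
# Host names below are constructed placeholders; substitute your own.
#
# ssh takes the first value it obtains for each option, so the specific
# Host blocks must come before the catch-all "Host *" block. Options given
# before any Host line apply to every host.

# Remote machines you trust to talk to your local X server without
# restriction. Equivalent to running "ssh -Y" against these hosts.
Host analysis01.example.org *.trusted.example.org
    ForwardX11 yes
    ForwardX11Trusted yes

# Every other host: no X11 forwarding unless requested with "ssh -X",
# and when requested it is the untrusted (restricted) mode.
Host *
    ForwardX11 no
    ForwardX11Trusted no
```

Values in ~/.ssh/config are read before /etc/ssh/ssh_config, so a user-level "ForwardX11Trusted no" under "Host *" takes precedence over a system-wide "yes".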