Date: Wed, 6 Jul 2005 11:07:10 -0500
Content-Type: text/plain
Sorry for jumping in so late in the conversation. But it looks like
this is something that people got upset with RedHat about, because they
changed the defaults with Update 1. Here is a clip from our release
notes for 4.1
  o The openssh-3.9p1 package included in Scientific Linux 4.x
    introduced two different modes of X11 forwarding: trusted and
    untrusted. In the default Scientific Linux 4.x configuration,
    passing the -X flag to /usr/bin/ssh (or using the "ForwardX11 on"
    configuration option) enables untrusted X11 forwarding. This mode
    restricts the X11 protocol to prevent a malicious application
    using a forwarded SSH connection from compromising the security
    of the local X11 server (for example, by performing keystroke
    monitoring); but few X11 applications are usable in this mode.

    In Scientific Linux 4.1, the default configuration of the openssh
    client has been changed such that passing the -X flag enables
    trusted X11 forwarding. The trusted forwarding mode allows all
    X applications to work correctly when forwarded over an SSH
    connection; but, as with previous releases of Scientific Linux,
    it should only be used when invoking trusted applications.

So ... I'm wondering, which openssh are you using? The original one
with 4.0, or the one that came with 4.1 ... which I think was also one
of the security errata.
Troy
Devin Bougie wrote:
> Hi All,
>
>>> On Wed, 6 Jul 2005, Alex Finch wrote:
>>> 2) secure shell to a remote machine with x forwarding enabled:
>>>
>>> emacs - click in the window to edit, sooner or later it crashes
>>> saying:
>>> =======
>>> X protocol error: BadWindow ( invalid window parameter ) on
>>> protocol request 38
>
>
> We saw similar problems that were solved by using trusted X11
> forwarding. Try using "ssh -Y" instead of "ssh -X," or add
> "ForwardX11Trusted yes" to your ~/.ssh/config.
>
> I hope this helps,
> Devin
>
--
__________________________________________________
Troy Dawson (630)840-6468
Fermilab ComputingDivision/CSS CSI Group
__________________________________________________
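
Added example, not part of the original message or of the OpenSSH project: a small Python check of which mode `ssh -X` ends up in for a given host, applying the ssh_config rule that the first value obtained for an option wins. The two config texts and the host names are constructed; the `Host *` entry models a system-wide trusted default like the one the release notes describe, and only `Host` blocks are handled.

```python
import fnmatch

def effective(configs, host, keys=("forwardx11", "forwardx11trusted")):
    """Return the X11 options ssh would use for `host`.

    `configs` is a list of ssh_config texts in precedence order
    (user file first, system file second); first obtained value wins.
    """
    found = {}
    for text in configs:
        active = True  # options before any Host line apply to every host
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.replace("=", " ", 1).split()
            key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
            if key == "host":
                # A Host block applies when any of its patterns matches.
                active = any(fnmatch.fnmatchcase(host, p) for p in args)
            elif active and key in keys and key not in found and args:
                found[key] = args[0].lower()
    return found

def x11_mode(configs, host, dash_x=True):
    """Forwarding mode for `ssh -X host` (dash_x=True) or plain `ssh host`."""
    opts = effective(configs, host)
    if not dash_x and opts.get("forwardx11", "no") != "yes":
        return "off"
    # Assumption: with no ForwardX11Trusted line anywhere, the client default is "no".
    return "trusted" if opts.get("forwardx11trusted", "no") == "yes" else "untrusted"

# Constructed sample: user keeps lab hosts in untrusted mode,
# system file turns trusted mode on for everything else.
USER_CFG = """
Host *.lab.example.org
    ForwardX11Trusted no
"""
SYSTEM_CFG = """
# constructed system-wide default
Host *
    ForwardX11Trusted yes
"""

if __name__ == "__main__":
    for h in ("build.lab.example.org", "desk.example.com"):
        print(h, "->", x11_mode([USER_CFG, SYSTEM_CFG], h))
```

Placing the per-host `ForwardX11Trusted no` block in the user file keeps `-X` untrusted for those hosts even when the system default is trusted, because the user file is read first.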