Date:      Sat, 28 Jul 2001 22:08:49 -0400
From:      User & Ian Patrick Thomas <ipthomas_77@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   conflicting info on OpenSSH
Message-ID:  <20010728220849.A38121@localhost>

	I've been reading up on OpenSSH recently, the man page to be exact, and
I've come to a point where the man page seems to contradict itself.  Also,
there is a part in the page that specifies what the system default is and
yet /etc/ssh/ssh_config has something different.

 	Here is the seeming contradiction.

If the user is using X11 (the DISPLAY environment variable is set), the
connection to the X11 display can be forwarded to the remote side in such
a way that any X11 programs started from the shell (or command) will go
through the encrypted channel, and the connection to the real X server
will be made from the local machine.  The user should not manually set
DISPLAY.  Forwarding of X11 connections weakens the security of ssh and
is disabled by default.  X11 forwarding can be enabled on the command
line or in configuration files.

	On one hand it says that forwarding of X11 connections weakens the
security of ssh.  On the other hand it says that the connection to the X11
display can be forwarded to the remote side so programs started from the
shell will go through a secure channel.  This seems like a good thing.

	Here is where the man page differs from the config file.

ForwardX11
             Specifies whether X11 connections will be automatically redi-
             rected over the secure channel and DISPLAY set.  The argument
             must be ``yes'' or ``no''.  The default is ``no''.

	Here is the default

# Site-wide defaults for various options
# Host *
#   ForwardAgent yes
#   ForwardX11 yes

	I hope it doesn't seem like I'm splitting hairs.  I just want to know
the most secure way to run X programs remotely.

Ian
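
Added example, not part of the original message and not OpenSSH code: a small Python resolver for one client option, run over the commented-out /etc/ssh/ssh_config lines quoted above. Lines beginning with `#` set nothing, so the man page default of "no" is what applies. The `SITE` configuration and its host names are constructed, and the default passed in is the one from the quoted man page text.

```python
import fnmatch

def host_matches(patterns, host):
    """Host rule: at least one positive pattern matches and no '!' pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):  # simplification: fnmatch also accepts [..]
            positive = True
    return positive

def effective_value(config_text, host, keyword, default):
    """Return (value, source) for `keyword` as the client would resolve it for `host`."""
    active = True  # options before the first Host line apply to every host
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment lines are ignored, whatever they contain
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif active and key == keyword.lower() and args:
            return args[0].lower(), f"line {lineno}"  # first obtained value wins
    return default, "built-in default"

# The lines quoted in the message: every one is a comment.
SHIPPED = """\
# Site-wide defaults for various options
# Host *
#   ForwardAgent yes
#   ForwardX11 yes
"""

# Constructed sample: forwarding enabled for one host, off for all others.
SITE = """\
Host build.example.org
    ForwardX11 yes
Host *
    ForwardX11 no
"""

if __name__ == "__main__":
    print(effective_value(SHIPPED, "anyhost", "ForwardX11", "no"))
    print(effective_value(SITE, "build.example.org", "ForwardX11", "no"))
    print(effective_value(SITE, "mail.example.org", "ForwardX11", "no"))
```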

