From: User & Ian Patrick Thomas <ipthomas_77@yahoo.com>
To: freebsd-questions@freebsd.org
Date: Sat, 28 Jul 2001 22:08:49 -0400
Subject: conflicting info on OpenSSH
Message-ID: <20010728220849.A38121@localhost>

I've been reading up on OpenSSH recently, the man page to be exact, and I've come to a point where the man page seems to contradict itself. Also, there is a part in the page that specifies what the system default is and yet /etc/ssh/ssh_config has something different.

Here is the seeming contradiction:

    If the user is using X11 (the DISPLAY environment variable is set), the
    connection to the X11 display can be forwarded to the remote side in such
    a way that any X11 programs started from the shell (or command) will go
    through the encrypted channel, and the connection to the real X server
    will be made from the local machine. The user should not manually set
    DISPLAY. Forwarding of X11 connections weakens the security of ssh and
    is disabled by default. X11 forwarding can be enabled on the command
    line or in configuration files.

On one hand it says that forwarding of X11 connections weakens the security of ssh. On the other hand it says that the connection to the X11 display can be forwarded to the remote side so programs started from the shell will go through a secure channel. This seems like a good thing.

Here is where the man page differs from the config file:

    ForwardX11
            Specifies whether X11 connections will be automatically
            redirected over the secure channel and DISPLAY set. The
            argument must be ``yes'' or ``no''. The default is ``no''.

Here is the default:

    # Site-wide defaults for various options
    # Host *
    #   ForwardAgent yes
    #   ForwardX11 yes

I hope it doesn't seem like I'm splitting hairs. I just want to know the most secure way to run X programs remotely.

Ian
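The question above turns on how ssh_config is read: lines beginning with `#` are comments and set nothing, and for each option the first value obtained (from a matching `Host` block, or from lines before any `Host` line) wins, falling back to the compiled-in default when nothing sets it. The following is an added example, not part of the original post or of OpenSSH itself: a small POSIX shell/awk reader that applies those rules to a constructed config file and reports the effective `ForwardX11` value for a given host. It assumes whitespace-separated `keyword value` lines and handles only the `*` and `?` wildcards in `Host` patterns (negated `!` patterns and `keyword=value` syntax are not handled); `write_shipped_defaults` and `write_sample_config` are helpers introduced here to build the sample files.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective ForwardX11
# value for a host, following ssh_config's "first obtained value wins" rule.
# Assumptions: '#' starts a comment, keyword and value are whitespace-separated,
# Host patterns use only '*' and '?' wildcards, unset option defaults to "no".

effective_forward_x11() {
  # $1 = path to an ssh_config-style file, $2 = hostname being connected to
  awk -v host="$2" '
    BEGIN { active = 1; found = 0 }           # lines before any Host block apply to all hosts
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines set nothing
    {
      key = tolower($1)
      if (key == "host") {
        # A Host line starts a block; it is active if any pattern matches our host.
        active = 0
        for (i = 2; i <= NF; i++) {
          pat = $i
          gsub(/\./, "\\.", pat)              # literal dots in hostnames
          gsub(/\*/, ".*", pat)               # glob "*" -> regex ".*"
          gsub(/\?/, ".", pat)                # glob "?" -> regex "."
          if (host ~ ("^" pat "$")) active = 1
        }
        next
      }
      # Only the first value obtained for the option is kept (ssh_config semantics).
      if (active && key == "forwardx11" && !found) {
        found = 1
        val = tolower($2)
      }
    }
    END { print (found ? val : "no") }        # compiled-in default when nothing set it
  ' "$1"
}

# Constructed sample 1: the shipped defaults block exactly as quoted in the post,
# every line commented out.
write_shipped_defaults() {
  cat > "$1" <<'EOF'
# Site-wide defaults for various options
# Host *
#   ForwardAgent yes
#   ForwardX11 yes
EOF
}

# Constructed sample 2: the same comments plus real settings, enabling
# forwarding only for one named host and denying it for everything else.
write_sample_config() {
  cat > "$1" <<'EOF'
# Site-wide defaults for various options
# Host *
#   ForwardX11 yes
Host trusted.example
    ForwardX11 yes
Host *
    ForwardX11 no
EOF
}

# Stand-alone usage: show the effective value for both samples.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_shipped_defaults "$tmp"
  echo "shipped defaults, any host:   $(effective_forward_x11 "$tmp" somehost.example)"
  write_sample_config "$tmp"
  echo "sample, trusted.example:      $(effective_forward_x11 "$tmp" trusted.example)"
  echo "sample, other.example:        $(effective_forward_x11 "$tmp" other.example)"
  rm -f "$tmp"
fi
```

Run with `sh script.sh demo`. With only the commented block in place, nothing sets the option and the reader prints the compiled-in default, which is the point the man page makes; the second sample shows how the first matching `Host` block, not the last, decides the value.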