Date:      Sat, 28 Jul 2001 22:20:49 -0400
From:      Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To:        freebsd-questions@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject:   Re: conflicting info on OpenSSH
Message-ID:  <20010728222049.A30348@acadia.ne.mediaone.net>
In-Reply-To: <20010728220849.A38121@localhost>
References:  <20010728220849.A38121@localhost>

Hey.  I see how that can be confusing.  I agree with your ideas on
forwarding X11 connections, but I don't know exactly what the man page
author had in mind when he/she wrote it.

As for the config file, this is probably a case of 'uncomment the
following to change the default behavior'.  Notice those lines are
commented?  And they do specify 'Site-wide defaults', not OpenSSH
defaults.  I do see this behavior in distribution configs vs.
documented defaults from time to time, though they usually are more
clearly labeled as such.  I could be wrong, but we may never know
until the author(s) speaks up to confirm or deny.

I have in the past run X11 forwarding on OpenSSH, but I gotta tell you
it's *REAL* slow.  For the most part, I find that I don't really even
need it, so I never bothered to reconfigure it in subsequent installs.
You will probably have no trouble doing everything you need for
sysadmin stuff from the command line, and you really don't want to be
playing xboard on an ssh connection - believe me, your network
neighbors will be pissed if they find out how you are killing their
servers and/or network performance thru the gateway :|

HTH

Lou

On 07/28/01 10:08 PM, User & Ian Patrick Thomas sat at the `puter and typed:
> 	I've been reading up on OpenSSH recently, the man page to be exact, and
> I've come to a point where the man page seems to contradict itself.  Also,
> there is a part in the page that specifies what the system default is and
> yet /etc/ssh/ssh_config has something different.
> 
>  	Here is the seeming contradiction.
> 
> If the user is using X11 (the DISPLAY environment variable is set), the
> connection to the X11 display can be forwarded to the remote side in such
> a way that any X11 programs started from the shell (or command) will go
> through the encrypted channel, and the connection to the real X server
> will be made from the local machine.  The user should not manually set
> DISPLAY.  Forwarding of X11 connections weakens the security of ssh and
> is disabled by default.  X11 forwarding can be enabled on the command
> line or in configuration files.
> 
> 	On one hand it says that forwarding of X11 connections weakens the
> security of ssh.  On the other hand it says that the connection to the X11
> display can be forwarded to the remote side so programs started from the
> shell will go through a secure channel.  This seems like a good thing.
> 
> 	Here is where the man page differs from the config file.
> 
> ForwardX11
>              Specifies whether X11 connections will be automatically redi-
>              rected over the secure channel and DISPLAY set.  The argument
>              must be ``yes'' or ``no''.  The default is ``no''.
> 
> 	Here is the default
> 
> # Site-wide defaults for various options
> # Host *
> #   ForwardAgent yes
> #   ForwardX11 yes
> 
> 	I hope it doesn't seem like I'm splitting hairs.  I just want to know
> the most secure way to run X programs remotely.
> 
> Ian
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net

Data, n.:
  An accrual of straws on the backs of theories.
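To make the point about the commented lines concrete, here is an added example (my own, not code from the thread or from OpenSSH) that applies ssh_config's first-match rule to the file quoted above; the host names, the second "uncommented" variant and the DEFAULTS table are constructed assumptions.

```python
import fnmatch

# Constructed sample modelled on the ssh_config quoted in the thread: the
# "site-wide defaults" are commented out, so they contribute nothing.
SAMPLE_CONFIG = """\
# Site-wide defaults for various options
# Host *
#   ForwardAgent yes
#   ForwardX11 yes

Host trusted-workstation
    ForwardX11 yes
"""

# Same file with the site-wide block uncommented (constructed variant).
UNCOMMENTED_CONFIG = SAMPLE_CONFIG.replace("# Host *", "Host *").replace(
    "#   Forward", "    Forward")

# Compiled-in defaults used when no block sets the option (assumed subset;
# the man page quoted above gives "no" for ForwardX11).
DEFAULTS = {"forwardx11": "no", "forwardagent": "no"}

def parse_ssh_config(text):
    """Return (host_patterns, {option: value}) blocks in file order.
    Comment and blank lines are skipped; options before the first Host
    line belong to an implicit 'Host *' block."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def effective_option(text, host, option):
    """ssh_config semantics: the first matching block that sets the option
    wins; otherwise fall back to the compiled-in default."""
    option = option.lower()
    for patterns, opts in parse_ssh_config(text):
        if option in opts and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return opts[option]
    return DEFAULTS.get(option)
```

With the shipped file, X11 forwarding stays off for every host except the one block that enables it explicitly; uncommenting the site-wide block turns it on everywhere, because that block comes first and matches every host.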