Date: Sat, 28 Jul 2001 22:20:49 -0400
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.ORG
Subject: Re: conflicting info on OpenSSH
Message-ID: <20010728222049.A30348@acadia.ne.mediaone.net>
In-Reply-To: <20010728220849.A38121@localhost>

Hey. I see how that can be confusing. I agree with your ideas on forwarding X11 connections, but I don't know exactly what the man page author had in mind when he/she wrote it.

As for the config file, this is probably a case of 'uncomment the following to change the default behavior.' Notice those lines are commented? And they do specify 'Site-wide defaults', not OpenSSH defaults. I do see this behavior in distribution configs vs. documented defaults from time to time, though they usually are more clearly labeled as such.

I could be wrong, but we may never know until the author(s) speaks up to confirm or deny.

I have in the past run X11 forwarding on OpenSSH, but I gotta tell you it's *REAL* slow. For the most part, I find that I don't really even need it, so I never bothered to reconfigure it in subsequent installs. You will probably have no trouble doing everything you need for sysadmin stuff from the command line, and you really don't want to be playing xboard on an ssh connection - believe me, your network neighbors will be pissed if they find out how you are killing their servers and/or network performance thru the gateway :|

HTH
Lou

On 07/28/01 10:08 PM, User & Ian Patrick Thomas sat at the `puter and typed:
> I've been reading up on OpenSSH recently, the man page to be exact, and
> I've come to a point where the man page seems to contradict itself. Also,
> there is a part in the page that specifies what the system default is and
> yet /etc/ssh/ssh_config has something different.
>
> Here is the seeming contradiction.
>
> If the user is using X11 (the DISPLAY environment variable is set), the
> connection to the X11 display can be forwarded to the remote side in such
> a way that any X11 programs started from the shell (or command) will go
> through the encrypted channel, and the connection to the real X server
> will be made from the local machine. The user should not manually set
> DISPLAY. Forwarding of X11 connections weakens the security of ssh and
> is disabled by default. X11 forwarding can be enabled on the command
> line or in configuration files.
>
> On one hand it says that forwarding of X11 connections weakens the
> security of ssh. On the other hand it says that the connection to the X11
> display can be forwarded to the remote side so programs started from the
> shell will go through a secure channel. This seems like a good thing.
>
> Here is where the man page differs from the config file.
>
> ForwardX11
> Specifies whether X11 connections will be automatically redirected
> over the secure channel and DISPLAY set. The argument
> must be ``yes'' or ``no''. The default is ``no''.
>
> Here is the default
>
> # Site-wide defaults for various options
> # Host *
> # ForwardAgent yes
> # ForwardX11 yes
>
> I hope it doesn't seem like I'm splitting hairs. I just want to know
> the most secure way to run X programs remotely.
>
> Ian
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Louis LeBlanc leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net
Data, n.: An accrual of straws on the backs of theories.
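To make the point about the commented-out "Site-wide defaults" concrete, here is an added example (not part of the thread, not OpenSSH code) that resolves the effective ForwardX11 value from ssh_config text the way ssh_config(5) describes: comment lines are ignored, the first matching value wins, and an option never set keeps its built-in default of "no". The host names and the per-host config are constructed for the example.

```python
# Added example: resolve the effective ForwardX11 setting from ssh_config text.
# Rules applied: lines starting with "#" are comments, options before any
# "Host" line apply to every host, and for each option the first obtained
# value wins; an option never set keeps its built-in default.
import fnmatch
import re

# Built-in defaults as stated in the ssh_config(5) text quoted in the thread.
DEFAULTS = {"forwardx11": "no", "forwardagent": "no"}


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order."""
    blocks = [(["*"], {})]  # global section before the first Host line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented lines do nothing
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value per block wins
    return blocks


def effective(text, host, option):
    """Value ssh would use for `option` when connecting to `host`."""
    option = option.lower()
    for patterns, opts in parse_ssh_config(text):
        if option in opts and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return opts[option]  # first matching value is kept
    return DEFAULTS.get(option)


# Constructed sample: the shipped file as quoted by Ian, everything commented.
SHIPPED = """# Site-wide defaults for various options
# Host *
#   ForwardAgent yes
#   ForwardX11 yes
"""

# Constructed sample: X11 forwarding enabled for one trusted host only.
PER_HOST = """Host build.example.internal
    ForwardX11 yes
Host *
    ForwardX11 no
"""

if __name__ == "__main__":
    print("shipped file, any host:", effective(SHIPPED, "anyhost", "ForwardX11"))
    print("per-host file, build host:", effective(PER_HOST, "build.example.internal", "ForwardX11"))
```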