Date: Fri, 16 Feb 2001 15:58:21 -0800
From: Brooks Davis
To: "Brandon S. Allbery KF8NH"
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: openssh not setting DISPLAY

On Fri, Feb 16, 2001 at 06:31:59PM -0500, Brandon S. Allbery KF8NH wrote:
> On Friday, February 16, 2001 15:23:17 -0800, Kris Kennaway wrote:
> +-----
> | It's not the default because it allows the remote system to snoop your
> | X display, and that's not something you might want so we default to
> | being secure.
> +--->8
>
> That's interesting, since the sshd manpage from openssh says:
>
>      Note that disabling X11 forwarding does not improve security
>      in any way, as users can always install their own forwarders.

There are two different programs with two different defaults. sshd
defaults to enabling X11 forwarding because it does not decrease the
security of the server, it just annoys the users.
On the other hand, I believe ssh (the client) defaults to disabling it
because it gives root on any host you connect to with forwarding enabled
the ability to launch arbitrary applications on your X server, which is a
security risk if you don't trust the server. The issues are entirely
unrelated between the client and the server.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
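
An added example, not part of the original message: a shell function that scans an ssh_config-style file for the client-side ForwardX11 keyword and reports whether it is turned on for an explicitly named host or for a wildcard pattern, which is the case where an untrusted server gets access to your X display. The function names and sample hosts are constructed for illustration; the function lists every block that sets the keyword and does not resolve which value ssh would finally use for a given host.

```shell
#!/bin/sh
# Added example: report where an ssh_config-style file turns on ForwardX11.
# Reads the file named in $1, or stdin when no argument is given.
audit_x11() {
    awk '
    BEGIN { block = "(global)"; wild = 1 }   # options before any Host apply to all hosts
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        # keyword and argument are separated by whitespace or a single "="
        if (!match(line, /[ \t]*=[ \t]*|[ \t]+/)) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        if (key == "host") {
            block = "Host " val
            wild = (val ~ /[*?]/)            # pattern may match servers that were never vetted
            next
        }
        if (key == "forwardx11" && tolower(val) == "yes") {
            tag = wild ? "wildcard" : "explicit"
            print tag "\t" block
        }
    }' "$@"
}

# Constructed sample configuration (hypothetical host names).
sample_config() {
    cat <<'EOF'
# constructed sample for this example
Host trusted.example.org
    ForwardX11 yes
Host shell.example.net
    ForwardX11 no
Host *
    ForwardX11=yes
EOF
}

sample_config | audit_x11
```

Lines tagged "wildcard" are the ones to review first: they forward the X display to any matching server, trusted or not.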