Default forwarding features; default cipher

Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
Thu Oct 25 06:30:30 EST 2001

On Wed, Oct 24, 2001 at 02:49:47PM -0400, Ed Phillips wrote:
> Okay... that makes sense.  I've been looking at this from the viewpoint of
> using ssh between "trusted" machines (managed by our group)... in which
> case, we probably want forwarding of X11 connections and authentication
> to, at least, be available.  I guess the only gotcha is that you have to
> enable X11 forwarding in sshd_config.  It appears that by default "ssh -X"
> is silently ignored on the server side, and "ssh -A" works fine... and
> normally you get no forwarding from the client without adding the "-A" or
> "-X".  Is this correct?

I don't think that X11 forwarding on the server side introduces a problem.
For the client side it is up to you. If your hosts only communicate
between each other, you can enable forwarding globally in ssh_config.
Having the users make a responsible decision themselves is even better,
especially when your users also open connections to the outside.
SSH is the recommended protocol for doing this and adding a -A and/or -X
for trusted hosts is more secure than having to remember to add -a/-x
in case one is not sure.
The question of how many users actually understand enough of these problems
to come to a responsible decision or, at least, understand what we are
talking about, is not covered in this discussion :-) (actually this should
be a :-(, as most users don't understand or care about it).

Best regards,
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
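
A client-side configuration along the lines discussed in this thread, added here as an example and not taken from either poster or from the OpenSSH distribution. The host pattern `*.trusted.example` is a placeholder for the group-managed machines.

```sshconfig
# ~/.ssh/config or /etc/ssh/ssh_config (constructed example)
#
# ssh uses the first value it obtains for each option, so the specific
# Host block must come before the catch-all "Host *".

# Machines managed by the same group: agent and X11 forwarding are on
# without the user having to type -A / -X.
Host *.trusted.example
    ForwardAgent yes
    ForwardX11 yes

# Every other destination: no forwarding unless the user asks for it
# explicitly with -A or -X on the command line, which overrides this file.
Host *
    ForwardAgent no
    ForwardX11 no

# Server side, in sshd_config on the trusted machines, X11 forwarding
# has to be enabled as noted in the quoted message:
#     X11Forwarding yes
```

With this layout a connection to an outside host gets no agent or X11 forwarding by default, so the user does not have to remember -a/-x there.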

More information about the openssh-unix-dev mailing list