Patch to add "warn" value to ForwardX11 and ForwardAgent

Dave Dykstra dwd at bell-labs.com
Tue Oct 30 01:26:57 EST 2001


On Sat, Oct 27, 2001 at 12:09:24AM +0200, Markus Friedl wrote:
> On Fri, Oct 26, 2001 at 04:11:30PM -0500, Dave Dykstra wrote:
> > Because ForwardX11 and ForwardAgent are so useful but introduce risk when
> > used to a not well-secured server, I added a "warn" value to the ForwardX11
> > and ForwardAgent options which causes the ssh client to print a big warning
> > whenever the forwarding is actually used.  I plan to make "ForwardX11=warn"
> > the default in my ssh_config distribution.
> 
> why is this better than having
> 	ForwardX11=no
> and using
> 	-X
> to enable forwarding on a 'need' basis?


With "warn", you can still use forwarding even though you know a server is
not very well secured, and you will be notified if someone does actually
break into the server and try to take over the forwarding on your session.
It can give you a lot more peace of mind about using forwarding.  I know
many people who have well-secured clients, but have to log into not
well-secured servers and need the X forwarding to run applications there.
Their alternative now is to take the risk of enabling forwarding without
any kind of indication when it is being used.  True, they could enable
debugging instead but that spits out so much stuff it isn't very useful for
this purpose.

Do you see what I mean?  Years ago I asked for a feature like this for
ForwardAgent to the original maintainers of the ssh 1.2.X series, but it
didn't dawn on me at the time that ForwardX11 was as big a risk.  They
said back then they thought it should go into the 2.X series which they
had begun to work on but hadn't yet released.

- Dave Dykstra
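
The message above notes that client debugging shows when a forwarding is used but buries it in other output. The following is an added example, not part of the original post or of the proposed patch: a filter that reduces `ssh -v` output to one warning per forwarding channel the server opens. It assumes the `debug1` line format of a current OpenSSH client, and the sample lines are constructed.

```python
import re
import sys

# Assumption: debug1 line format of a current OpenSSH client. The client logs
# one such line each time the server opens a channel back to it.
CHANNEL_OPEN = re.compile(
    r"^debug1: client_input_channel_open: ctype (?P<ctype>\S+) rchan (?P<rchan>\d+)"
)

# Channel types that mean the server side is actually using a forwarding.
FORWARD_TYPES = {
    "x11": "X11 forwarding",
    "auth-agent@openssh.com": "agent forwarding",
}

def classify(line):
    """Return (kind, remote_channel_id) if the line shows a forwarding in use."""
    m = CHANNEL_OPEN.match(line.strip())
    if m and m.group("ctype") in FORWARD_TYPES:
        return FORWARD_TYPES[m.group("ctype")], int(m.group("rchan"))
    return None  # includes "Requesting ..." lines: requested is not used

def forwarding_events(lines):
    """Collect every forwarding use found in a sequence of debug lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample of ssh -v output, not captured from a real session.
SAMPLE = """\
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 41234
debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 4 win 65536 max 16384
debug1: channel 1: free: x11, nchannels 2
""".splitlines()

if __name__ == "__main__":
    # Reads debug lines from a pipe, or falls back to the constructed sample.
    stream = SAMPLE if sys.stdin.isatty() else sys.stdin
    for line in stream:
        hit = classify(line)
        if hit:
            print(f"WARNING: server opened an {hit[0]} channel "
                  f"(remote id {hit[1]})", file=sys.stderr)
```

One way to feed it is to have the client write its debug log to a file with `ssh -v -E <logfile> host` and pipe `tail -f <logfile>` into the script from a second terminal.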



More information about the openssh-unix-dev mailing list