Untrusted Cookies

Kevin Steves stevesk at pobox.com
Sat Dec 28 08:08:11 EST 2002

On Fri, Dec 27, 2002 at 11:55:28AM -0800, Kevin Steves wrote:
> On Wed, Dec 11, 2002 at 08:04:27AM +0000, Aurelio Turco wrote:
> > How can I get ssh to use
> > "untrusted" cookies (see xauth(1), X11-SECURITY-Extension)
> > with forwarded X clients?
> i'm not sure.  for the most part we try to handle what 'xauth l
> $DISPLAY' has, but we don't use any X libraries.

ssh.com has some support for this, but it requires X libs.

	* ssh2: Applied Roland Mainz's patch for X11 SECURITY
	  extension. If the extension is found, ssh2 informs the Xserver
	  that the client applications should be treated as untrusted by
	  default. If you specify the "+X" command-line option, the X11
	  clients are treated as trusted, which is essentially the same
	  behaviour as before. An exception; If the SECURITY extension is
	  present but we fail to obtain a new cookie via SECURITY extension
	  X11 forwarding gets disabled.  Failing to obtain a cookie via the
	  SECURITY extension is usually a restricion by the Xserver security
	  policy and should be honored by ssh code. If this feature causes
	  you problems, you can disable it by configuring with
	  "--without-x11-security". Additional details are under option
	  "TrustX11Applications" in ssh2_config(5). Note that pre-compiled
	  binaries don't support the SECURITY extension, as it requires the
	  X11 shared libraries.

More information about the openssh-unix-dev mailing list