Untrusted Cookies
Kevin Steves
stevesk at pobox.com
Sat Dec 28 08:08:11 EST 2002
On Fri, Dec 27, 2002 at 11:55:28AM -0800, Kevin Steves wrote:
> On Wed, Dec 11, 2002 at 08:04:27AM +0000, Aurelio Turco wrote:
> > How can I get ssh to use
> > "untrusted" cookies (see xauth(1), X11-SECURITY-Extension)
> > with forwarded X clients?
>
> i'm not sure. for the most part we try to handle what 'xauth l
> $DISPLAY' has, but we don't use any X libraries.
ssh.com has some support for this, but it requires X libs.
* ssh2: Applied Roland Mainz's patch for X11 SECURITY
extension. If the extension is found, ssh2 informs the Xserver
that the client applications should be treated as untrusted by
default. If you specify the "+X" command-line option, the X11
clients are treated as trusted, which is essentially the same
behaviour as before. An exception: if the SECURITY extension is
present but we fail to obtain a new cookie via SECURITY extension,
X11 forwarding gets disabled. Failing to obtain a cookie via the
SECURITY extension is usually a restriction by the Xserver security
policy and should be honored by ssh code. If this feature causes
you problems, you can disable it by configuring with
"--without-x11-security". Additional details are under option
"TrustX11Applications" in ssh2_config(5). Note that pre-compiled
binaries don't support the SECURITY extension, as it requires the
X11 shared libraries.
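
The policy in the changelog excerpt above can be approximated from a shell with xdpyinfo(1) and `xauth generate`. This is an added example, not code from ssh2 or OpenSSH. The function name, the authority file path, the 1200 second timeout and the fallback to the ordinary cookie when the server has no SECURITY extension are assumptions.

```shell
#!/bin/sh
# Added illustration: decide how forwarded X11 clients get authorised.
# Prints one of: untrusted, trusted, disabled.
#   $1 = display (e.g. :0)
#   $2 = "trusted" to mimic the "+X" opt-in (default: untrusted)
#   $3 = authority file for the new cookie (hypothetical default path)
x11_forward_policy() {
    display=$1
    want=${2:-untrusted}
    authfile=${3:-$HOME/.Xauthority-forward}

    # Explicit opt-in: clients are treated as trusted, as before the patch.
    if [ "$want" = "trusted" ]; then
        echo trusted
        return 0
    fi

    # Assumption: without the SECURITY extension only the ordinary
    # (trusted) cookie exists, so there is nothing to downgrade to.
    if ! xdpyinfo -display "$display" 2>/dev/null | grep -qw SECURITY; then
        echo trusted
        return 0
    fi

    # Ask the server for a fresh untrusted cookie and store it in a
    # separate authority file that the forwarded clients will use.
    # The timeout (seconds of disuse before revocation) is an assumed value.
    if xauth -f "$authfile" generate "$display" MIT-MAGIC-COOKIE-1 \
            untrusted timeout 1200 >/dev/null 2>&1; then
        echo untrusted
        return 0
    fi

    # The extension is present but the server refused: honour the server's
    # security policy and do not fall back to the trusted cookie.
    echo disabled
    return 1
}
```

Call it as `x11_forward_policy "$DISPLAY"` and only start forwarding when the result is not `disabled`.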