From: Liam Bedford (lbedford at domain lbedford.org)
Date: Thu 11 Jul 2002 - 12:17:38 IST
On Wed, 10 Jul 2002 23:25:45 +0100
kevin lyda <kevin at domain linux.ie> blurted in message
20020710232545.C23269 at domain ie.suberic.net:
> On Wed, Jul 10, 2002 at 01:06:33PM -0700, Rick Moen wrote:
> > Given that concern, you might want to consider avoiding xauth, because
> > it's a serious security hazard. Doing "ssh -X user@host" is my
>
> uh... ok, yes, ssh -X is better, but that's to avoid xhost, not xauth.
> ssh -X uses xauth. xhost should be avoided because it's host based
> "security."
>
xauth is nice... assuming you have an Xserver listening on tcp, you can
then do things like
    xauth nlist | ssh new_machine xauth nmerge -
and once
    DISPLAY=Xserver:0.0
is set on the new_machine, everything will behave (in theory).
Of course, you may want to be a little more selective with what you list
in xauth nlist... RTFM for more info.
/me doesn't trust ssh -X very much, as a malicious sshd can do some
particularly nasty things... I always have XForwarding turned off by
default. (Though, would you want to ssh into a known malicious machine?)
L.
--
Liam Bedford | Greg: Can't you see you're all alcoholics?
--------------| Guv: Oi. We don't call them that. We call
them fanatical followers of the Ale
Kaeda network.
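
Added example, not part of the message above: one way to be "more selective" is to filter the `xauth nlist` output down to a single display number before piping it to `ssh`, so cookies for other displays never leave the machine. The function names and the sample entries (with made-up cookie values) are constructed for illustration; the field layout assumed is the one `xauth nlist` prints: a family, then four length/hex pairs for address, display number, auth name and auth data.

```shell
#!/bin/sh
# Added example: keep only the xauth nlist entries for one display number.

# Hex-encode a string the way nlist encodes its fields (lowercase, no spaces).
to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Read nlist lines on stdin; print only entries whose display number is $1.
# A zero length ("0000") has no hex token after it, so the fields are
# walked by position instead of being read from fixed columns.
select_display() {
    want=$(to_hex "$1")
    awk -v want="$want" '
    {
        i = 2
        for (f = 1; f <= 4; f++) {
            if ($i == "0000") { val[f] = ""; i += 1 }
            else              { val[f] = $(i + 1); i += 2 }
        }
        # val[2] is the hex-encoded display number
        if (val[2] == want) print
    }'
}

# Constructed sample input (fake cookies): host:0, host:10, and a
# wildcard-family entry with an empty address for display 0.
sample_nlist() {
    cat <<'EOF'
0100 0004 686f7374 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 00112233445566778899aabbccddeeff
0100 0004 686f7374 0002 3130 0012 4d49542d4d414749432d434f4f4b49452d31 0010 ffeeddccbbaa99887766554433221100
ffff 0000  0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 0123456789abcdef0123456789abcdef
EOF
}

# Usage with the pipeline from the message (new_machine as in the text):
#   xauth nlist | select_display 0 | ssh new_machine xauth nmerge -
```

Running `xauth nlist | select_display 0` on its own first shows exactly which entries would be sent.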