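What is the difference between ssh -Y (trusted X11 forwarding) and ssh -X (untrusted X11 forwarding)? From what I understand, it has to do with security, but I have not understood the difference between them or when to use which.

See the ForwardX11 and ForwardX11Trusted options in the /etc/ssh/ssh_config file.

-X is for when you need to run an X11 program remotely; if some X11 program you care about behaves better under -Y than under -X, then assume you should use -Y. But currently (Ubuntu 15.10), -X is the same as -Y unless you edit ssh_config and set ForwardX11Trusted no. -X was originally meant to enable the X SECURITY extension from the 1990s, but that is outdated and inflexible and causes some programs to crash, so it is ignored by default.

Both -Y and -X let you run X11 programs on the remote machine and display their windows on the local X monitor. The question is what that program is allowed to do to other programs' windows and to the X server itself.

    local$ ssh -X remote
    remote$ xlogo
    # Runs xlogo on remote, but the logo pops up on the local screen.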

    ubuntu1404$ man ssh
    ...
    -X      Enables X11 forwarding. This can also be specified on a per-host
            basis in a configuration file.
    ...
            (Debian-specific: X11 forwarding is not subjected to X11 SECURITY
            extension restrictions by default, because too many programs cur‐
            rently crash in this mode. Set the ForwardX11Trusted option to
            “no” to restore the upstream behavior. This may change in
            future depending on client-side improvements.)
    ubuntu1404$ grep ForwardX11Trusted /etc/ssh/ssh_config
    # ForwardX11Trusted yes

If ForwardX11Trusted no is set, then -X enables "untrusted" forwarding. Otherwise, -X is treated the same as -Y, trusting that remote programs with display access are friendly.

The -X option enables X11 forwarding.

    -X      Enables X11 forwarding. This can also be specified on a per-host
            basis in a configuration file.

            X11 forwarding should be enabled with caution. Users with the
            ability to bypass file permissions on the remote host (for the
            user's X authorization database) can access the local X11 display
            through the forwarded connection. An attacker may then be able
            to perform activities such as keystroke monitoring.

            For this reason, X11 forwarding is subjected to X11 SECURITY
            extension restrictions by default. Please refer to the ssh -Y
            option and the ForwardX11Trusted directive in ssh_config(5) for
            more information.

-Y corresponds to the ForwardX11Trusted directive in ssh_config(5), but it is less secure because it removes the X11 SECURITY extension controls.

    -Y      Enables trusted X11 forwarding. Trusted X11 forwardings are not
            subjected to the X11 SECURITY extension controls.

-x is more secure.

    -x      Disables X11 forwarding.

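From the man page:

Debian-specific:

In the default configuration: ForwardX11Trusted yes

-Y is equivalent to -X (I think this is a better description: -X is as easy to use as -Y, but carries the same risk)
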
-X breaks many programs, as Mitchell's answer below states. - serv-inc

ssh -Y remotemachine is also equivalent to ssh -o ForwardX11=yes -o ForwardX11Trusted=yes remotemachine. - kyrlon
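
An added example (not part of any post above): a POSIX shell function that reports which forwarding mode a given flag yields, following the rule the answers describe, where -X is untrusted only when ForwardX11Trusted is no and -Y always forces trusted. It reads effective client settings in the lowercase "keyword value" format printed by ssh -G; the function name x11_mode and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the X11 forwarding mode a given ssh flag produces.
# stdin:    effective client config in `ssh -G <host>` format
#           (lowercase "keyword value" lines)
# argument: -x, -X, -Y, or nothing (config file settings only)
x11_mode() {
    flag=${1:-}
    fwd=no        # upstream default if the dump has no forwardx11 line
    trusted=no    # upstream default; Debian/Ubuntu ship "yes" per the man page
    # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while read -r key value rest || [ -n "$key" ]; do
        case $key in
            forwardx11)        fwd=$value ;;
            forwardx11trusted) trusted=$value ;;
        esac
        key=
    done
    # Command-line flags override what the config files said.
    case $flag in
        -x) fwd=no ;;                    # forwarding off
        -X) fwd=yes ;;                   # trust level left to the config
        -Y) fwd=yes; trusted=yes ;;      # always trusted
        "") ;;
        *)  echo "unknown flag: $flag" >&2; return 2 ;;
    esac
    if [ "$fwd" != yes ]; then
        echo disabled
    elif [ "$trusted" = yes ]; then
        echo trusted      # no X11 SECURITY extension restrictions
    else
        echo untrusted    # X11 SECURITY extension restrictions apply
    fi
}

# Constructed sample dumps (not captured from a real host).
DEBIAN_STYLE='forwardx11 no
forwardx11trusted yes'
HARDENED='forwardx11 no
forwardx11trusted no'

# Against a real host (needs an OpenSSH client that supports -G):
#   ssh -G remote | x11_mode -X
```

On a client where ForwardX11Trusted is yes, the -X result is "trusted", which is the equivalence the Debian-specific man page note describes.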