예전 글들을 보다 보니 X11 forwarding과 Trusted X11 forwarding 두가지가 존재하는걸 알게 되었는데..

$ man ssh
     -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.

             For this reason, X11 forwarding is subjected to X11 SECURITY
             extension restrictions by default.  Please refer to the ssh -Y
             option and the ForwardX11Trusted directive in ssh_config(5) for
             more information.

     -x      Disables X11 forwarding.

     -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are not
             subjected to the X11 SECURITY extension controls. 

-X로 해서 untrusted X11 이 안되면 -Y로 하라는 단순 명료 배째기식 FAQ 발견 ㅋㅋ
일단 보안정책상 trusted X11 forwarding만 지원할 수 도 있으니 안되면 옵션을 바꾸어서 사용하라는 열린결론 -_-
3.8. ssh -X now says "Warning: untrusted X11 forwarding setup failed: xauth key data not generated"

See Q: 6.1. and following. See point 3 in this mail. Use ssh -Y.

Technical details: ssh tried to run xauth generate to create a untrusted cookie for the session, which failed because the server isn't compiled with the XCSECURITY extension built-in.

[링크 : http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-ssh-y]


6.3. I'm confused about the difference between trusted and untrusted X11 forwarding. What does "Warning: untrusted X11 forwarding setup failed: xauth key data not generated" mean? Why is the SECURITY extension disabled?

The warning means that ssh is going to use trusted X11 forwarding because untrusted X11 forwarding depends on the security extension, which isn't built into the Xserver and has been disabled by default upstream.

Trusted X11 forwarding means that you trust the server that you wish to ssh into. The X server will allow remote clients to do whatever a local client would be able to do to your X session, for example, monitor your keypresses and take a screenshot. Such programs could be run by a malicious or compromised root user on the ssh server, or under your account if it was compromised on the ssh server.

So why is this disabled? Untrusted X11 forwarding was meant to be a way to allow logins to unknown or insecure systems. It generates a cookie with xauth and uses the security extension to limit what the remote client is allowed to do. But this is widely considered to be not useful, because the security extension uses an arbitrary and limited access control policy, which results in a lot of applications not working correctly and what is really a false sense of security. See this mail for more on the subject.

(Words adapted from an email by Yaakov Selkowitz)

[링크 : http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-trusted-untrusted-x11-forwarding] 

2009/03/24 - [프로그램 사용/cygwin / Xming] - Xming - Xwindow launcher for windows using cygwin/x
2012/01/24 - [Linux/Ubuntu] - ssh X11 터널링

'프로그램 사용 > ssh scp sftp' 카테고리의 다른 글

sshd server key 경로  (0) 2015.01.06
ssh 아이디 입력후 로그인 패스워드 입력이 지연되는 문제  (0) 2014.09.03
ssh X11 forwarding 옵션  (0) 2012.01.25
ssh X11 터널링  (0) 2012.01.24
scp 사용하기  (0) 2011.04.18
다중 X11 터널링?  (0) 2010.11.12
Posted by 구차니

댓글을 달아 주세요