What is the difference between `ssh -Y` (trusted X11 forwarding) and `ssh -X` (untrusted X11 forwarding)?


Solution 1

Both options have something to do with X11 forwarding. This means if you enable this, you can use a graphical client through your SSH session (e.g., use Firefox or something else).

If you use ssh -X remotemachine, the remote machine is treated as an untrusted client. So your local client sends a command to the remote machine and receives the graphical output. If your command violates some security settings, you'll receive an error instead.

But if you use ssh -Y remotemachine, the remote machine is treated as a trusted client. This last option can open security problems, because other graphical (X11) clients could sniff data from the remote machine (make screenshots, do keylogging and other nasty stuff), and it is even possible to alter that data.

If you want to know more about those things, I suggest reading the Xsecurity manpage or the X Security extension spec. Furthermore, you can check the options ForwardX11 and ForwardX11Trusted in your /etc/ssh/ssh_config.

Solution 2

Use neither when you don't need to run X11 programs remotely; use -X when you do; and hypothetically use -Y if an X11 program you care about works better with -Y than with -X. But currently (Ubuntu 15.10), -X is identical to -Y, unless you edit ssh_config to say ForwardX11Trusted no. -X was originally intended to enable the X Security extension of the 1990's, but that is old and inflexible, and crashes some programs, and so is ignored by default.

Both ssh -Y and -X let you run an X11 program on a remote machine, with its windows appearing on the local X monitor. The issue is what the program is allowed to do to other programs' windows, and to the X server itself.

local$ ssh -X remote
remote$ xlogo
# Runs xlogo on remote, but the logo pops up on the local screen.

Trusted X11 forwarding is enabled by -Y. This is the historical behavior. A program with access to the display is trusted with access to the entire display. It can screenshot, keylog, and inject input into all the windows of other programs. And it can use all X server extensions, including ones like accelerated graphics, which are security exposures. This is good for running smoothly, but bad for security. You are trusting the remote programs to be as safe as your local programs.

Untrusted X11 forwarding tries to restrict remote programs to accessing only their own windows, and to using only those parts of X which are relatively secure. This sounds good, but currently doesn't work well in practice.

The meaning of -X currently depends on your ssh configuration.

On Ubuntu 14.04 LTS, unless you edit your ssh_config, there is no difference between -X and -Y. "[B]ecause too many programs currently crash in [untrusted] mode."

ubuntu1404$ man ssh
...
 -X      Enables X11 forwarding.  This can also be specified on a per-host
         basis in a configuration file.
         ...
         (Debian-specific: X11 forwarding is not subjected to X11 SECURITY
         extension restrictions by default, because too many programs
         currently crash in this mode.  Set the ForwardX11Trusted option to
         “no” to restore the upstream behavior.  This may change in
         future depending on client-side improvements.)

ubuntu1404$ grep ForwardX11Trusted /etc/ssh/ssh_config
#   ForwardX11Trusted yes

If ForwardX11Trusted is no, then -X enables untrusted forwarding. Otherwise, -X is treated the same as -Y, trusting that remote programs with display access are friendly.
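Since the answer above says the effect of -X depends on the client configuration, a practitioner wants a check that shows which mode a given ssh command would really use, without guessing from ssh_config comments. The script below is an added example, not code from any of the answers: it reads the effective client configuration that `ssh -G` prints (a real OpenSSH option, available since 6.8, which applies any -X/-Y flags you pass and then dumps the resulting settings as lowercase "key value" lines) and classifies it as disabled, trusted, or untrusted. The two sample configurations embedded in it are constructed to mirror the Debian default (ForwardX11Trusted yes) and the upstream default (ForwardX11Trusted no); the function names are mine. It also surfaces forwardx11timeout, the setting the comment thread below mentions as the reason untrusted forwarding stops working after a while.

```shell
#!/bin/sh
# Added example (not from the original answers): classify the X11 forwarding
# mode an ssh client would use, from `ssh -G`-style "key value" output.
# forwardx11, forwardx11trusted and forwardx11timeout are real `ssh -G` keys;
# the sample texts and the function names below are constructed for this
# example.

# x11_mode: read "key value" lines on stdin and print one of
#   disabled   - forwardx11 no: no X11 forwarding at all (as with -x)
#   trusted    - forwardx11 yes, forwardx11trusted yes: full display access
#                (-Y, or -X under the Debian/Ubuntu default ForwardX11Trusted yes)
#   untrusted  - forwardx11 yes, forwardx11trusted no: X SECURITY extension
#                restrictions apply and the cookie expires after forwardx11timeout
x11_mode() {
    fwd=no
    trusted=no
    timeout=unknown
    while read -r key value; do
        case "$key" in
            forwardx11)        fwd=$value ;;
            forwardx11trusted) trusted=$value ;;
            forwardx11timeout) timeout=$value ;;
        esac
    done
    if [ "$fwd" != yes ]; then
        echo disabled
    elif [ "$trusted" = yes ]; then
        echo trusted
    else
        echo "untrusted (cookie expires after $timeout seconds)"
    fi
}

# ssh_x11_mode HOST [ssh options...]: ask the real ssh client what it would do
# for this host and these flags, e.g. `ssh_x11_mode remote -X` (needs ssh).
ssh_x11_mode() {
    host=$1
    shift
    ssh -G "$@" "$host" | x11_mode
}

# Constructed samples of the three relevant lines `ssh -G -X remote` prints.
# Debian/Ubuntu ship ForwardX11Trusted yes, so -X behaves like -Y:
DEBIAN_DEFAULT='forwardx11 yes
forwardx11trusted yes
forwardx11timeout 1200'
# Upstream OpenSSH default: -X really is untrusted and time-limited:
UPSTREAM_DEFAULT='forwardx11 yes
forwardx11trusted no
forwardx11timeout 1200'
# Plain `ssh remote` or `ssh -x remote`: nothing is forwarded:
NO_FORWARDING='forwardx11 no
forwardx11trusted yes
forwardx11timeout 1200'

# Stand-alone demonstration on the constructed samples.
printf 'Debian default with -X:  %s\n' "$(printf '%s\n' "$DEBIAN_DEFAULT"   | x11_mode)"
printf 'Upstream default with -X: %s\n' "$(printf '%s\n' "$UPSTREAM_DEFAULT" | x11_mode)"
printf 'No forwarding:            %s\n' "$(printf '%s\n' "$NO_FORWARDING"    | x11_mode)"
```

To check a real host, run `ssh_x11_mode remote -X` and `ssh_x11_mode remote -Y`; if both print "trusted", your ssh_config is giving -X the full-trust behaviour the answer describes, and setting ForwardX11Trusted no (or using -x when no X11 program is needed) is the fix. The script only reads configuration and never opens a session, so it is safe to run against any host name.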

Solution 3

The -X option enables X11 forwarding:

-X   Enables X11 forwarding.  This can also be specified on a per-host
     basis in a configuration file.

     X11 forwarding should be enabled with caution.  Users with the
     ability to bypass file permissions on the remote host (for the
     user's X authorization database) can access the local X11 display
     through the forwarded connection.  An attacker may then be able
     to perform activities such as keystroke monitoring.

     For this reason, X11 forwarding is subjected to X11 SECURITY
     extension restrictions by default.  Please refer to the ssh -Y
     option and the ForwardX11Trusted directive in ssh_config(5) for
     more information.

The option -Y, corresponding to the ForwardX11Trusted directive in ssh_config(5), is even less secure because it removes X11 SECURITY extension controls.

-Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are not
        subjected to the X11 SECURITY extension controls.

It's more secure to use -x:

-x   Disables X11 forwarding.
Author: somasekhar

Updated on September 18, 2022

Comments

  • somasekhar
    somasekhar over 1 year

    What is the difference between ssh -Y (trusted X11 forwarding) and ssh -X (untrusted X11 forwarding)? As far as I have understood it, it has something to do with security, but I did not grasp the difference and when to use which.

  • Torsten Bronger
    Torsten Bronger over 9 years
    The ssh manpage uses unfortunate wording, suggesting (at least to me) that -X is unsafe to use and -Y is better. So thank you for this answer.
  • Jessica P
    Jessica P over 9 years
    So, with -X is it impossible for other clients to sniff or alter data?
  • Wernight
    Wernight over 8 years
    So why would one want to use -Y instead of -X in general?
  • MakisH
    MakisH over 8 years
    I have the same question (why to use -Y) and the only case that I understood this may be useful is when the security control on the server side is somehow not implemented/not compatible. I have also read that forwarding X11 is generally a powerful and dangerous tool that should be treated as such.
  • serv-inc
    serv-inc almost 8 years
    @Wernight: because -X breaks many programs as of the answer by mitchell below.
  • Seb
    Seb over 7 years
    Answering the "Why use -Y instead of -X?" question, -X drops the forwarding after a timeout while -Y doesn't. You can override that config using ForwardX11Timeout for the -X option, though.