
Mailing List Archive
Re: [tlug] Accessing a program running on a different computer
Josh Glover writes:
> On 29 January 2011 06:04, Stephen J. Turnbull <stephen@example.com> wrote:
>
> > The more likely approach is to use SSH's port forwarding capability:
> >
> > ssh -X you@example.com xterm
>
> Ah, so ssh -X is just shorthand for "forward the X server port"?

Yes, at least it used to be (see below).  Ditto for the -A option
(except that since the agent *never* listens on TCP/IP, this is
actually a highly restricted gateway, not a pure forward).

> I always thought that it was some kind of secure X protocol or
> something from the manpage. But I guess that's pretty much exactly
> it, if it is X tunnelled over SSH. :)

Well, no, not *quite* exact.  For enhanced security X now has a
concept of "trusted remote application", which has more privileges on
the server ((not so?) obviously the application acquires privileges on
the client host from the client's OS).  I forget which is which, but
if you use -X (-Y?) the client appears as a local client and has all
privileges, while if you use -Y (-X?) it appears as a remote client
and privileges are restricted.

If it's all within an unrouteable HAN, you're almost certainly pretty
lax, and allowing full privileges to X is no big deal compared to the
other problems you have if an "inside" host gets pwnzred. If you're
coming in from outside, you probably want the X server running
restricted, and then you may need the variant port-forwarding option.
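
Added example, not part of the original post: a small audit of which X11 forwarding mode the OpenSSH client would actually use for a host. It relies on OpenSSH's documented behaviour that -X corresponds to ForwardX11 and -Y additionally to ForwardX11Trusted (trusted forwardings are not subject to the X11 SECURITY extension restrictions), and that `ssh -G host` prints the effective client options. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Classify X11 forwarding from `ssh -G <host>` output read on stdin.
# Prints: off       (no X11 forwarding)
#         untrusted (forwarded, restricted by the X11 SECURITY extension)
#         trusted   (forwarded, remote clients get full access to the display)
x11_mode() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "forwardx11"        { fwd = val }
        key == "forwardx11trusted" { trusted = val }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# audit_host HOST: resolve the effective client config for HOST and report it.
# Reports "unknown" if ssh cannot evaluate the configuration.
audit_host() {
    if cfg=$(ssh -G "$1" 2>/dev/null); then
        printf '%s\t%s\n' "$1" "$(printf '%s\n' "$cfg" | x11_mode)"
    else
        printf '%s\tunknown\n' "$1"
    fi
}

# Constructed samples of `ssh -G` output (only the relevant lines).
sample_inside()  { printf '%s\n' 'hostname box.lan' 'forwardx11 yes' 'forwardx11trusted yes'; }
sample_outside() { printf '%s\n' 'hostname gw.example.com' 'forwardx11 yes' 'forwardx11trusted no'; }

# Audit every host named on the command line (does nothing with no arguments).
for h in "$@"; do
    audit_host "$h"
done
```

Some distributions ship a client default of ForwardX11Trusted yes, so the effective value from `ssh -G` is worth checking rather than assuming.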