On Sat, Jan 05, 2008 at 11:38:24PM -0500, Douglas A. Tutty wrote:

quoted text
> On Sat, Jan 05, 2008 at 07:48:53PM -0800, Ted Unangst wrote:

> > On 1/5/08, Douglas A. Tutty  wrote:

> > > Is there anything that, bug-wise, could go wrong with that remote

> > > browser that would be able to read or alter anything on the local

> > > machine?  I'm talking about using ssh's X forwarding features, not using

> > > X's native forwarding.

> >

> > a lot more can go wrong than can go right.  in theory, yes, you are

> > insulated from the client acting up.  in practice, the isolation is

> > often too complete.  i have never had an app actually work via an ssh

> > -X connection.

>

> I do it all the time.  The __only__ "normal app" I can't get to work is

> from an OpenBSD box, ssh -X to a Debian box running Iceweasel (Firefox).

> Debian-Debian even Iceweasel works just fine.

From the ssh_config manpage on Debian (Etch):
     ForwardX11Trusted

             If this option is set to ``yes'' then remote X11 clients will

             have full access to the original X11 display.
             If this option is set to ``no'' then remote X11 clients will be

             considered untrusted and prevented from stealing or tampering

             with data belonging to trusted X11 clients.  Furthermore, the

             xauth(1) token used for the session will be set to expire after

             20 minutes.  Remote clients will be refused access after this

             time.
             The default is ``yes'' (Debian-specific).

			      ^^^    ^^^^^^^^^^^^^^^