On Sat, Jan 05, 2008 at 11:38:24PM -0500, Douglas A. Tutty wrote:
quoted text
> On Sat, Jan 05, 2008 at 07:48:53PM -0800, Ted Unangst wrote:
> > On 1/5/08, Douglas A. Tutty <dtutty@porchlight.ca> wrote:
> > > Is there anything that, bug-wise, could go wrong with that remote
> > > browser that would be able to read or alter anything on the local
> > > machine?  I'm talking about using ssh's X forwarding features, not using
> > > X's native forwarding.
> > 
> > a lot more can go wrong than can go right.  in theory, yes, you are
> > insulated from the client acting up.  in practice, the isolation is
> > often too complete.  i have never had an app actually work via an ssh
> > -X connection.
> 
> I do it all the time.  The __only__ "normal app" I can't get to work is
> from an OpenBSD box, ssh -X to a Debian box running Iceweasel (Firefox).
> Debian-Debian even Iceweasel works just fine.

From the ssh_config manpage on Debian (Etch):

     ForwardX11Trusted
             If this option is set to ``yes'' then remote X11 clients will
             have full access to the original X11 display.

             If this option is set to ``no'' then remote X11 clients will be
             considered untrusted and prevented from stealing or tampering
             with data belonging to trusted X11 clients.  Furthermore, the
             xauth(1) token used for the session will be set to expire after
             20 minutes.  Remote clients will be refused access after this
             time.

             The default is ``yes'' (Debian-specific).
			      ^^^    ^^^^^^^^^^^^^^^