Re: Some servers do not forward X11, but I do not know why.

On Wed, Dec 07, 2005 at 08:50:22AM -0800, Young, Randy wrote:
> The first question I have is did you set xhost to allow the other server
> in?  Normally setting "xhost +" is not a good idea, it's a security
> hole, so I usually do "xhost servername" to allow it in, and when done I
> "xhost -servername" to remove it.

NO NO NO NO NO!  

Using xhost is not necessary with SSH, and indeed you should *not* do
it!  SSH uses MIT-MAGIC-COOKIES which, despite the silly name, is a
far superior method of X authentication than the host-based
authentication that xhost provides.  If you run "xhost servername" you
are allowing anyone logged in on that host to connect to your display,
potentially steal keyboard events (like your password), etc.

Generally, this is very bad.  Instead, make sure SSH's automatic
manipulation of cookies (via xauth) is working properly.  It needs to
be enabled on the server (with X11Forwarding), and the client
needs to use the right options (-X and/or -Y on the command line, or
ForwardX11 in your ssh options file).  As long as this is configured
properly, using xhost is completely unnecessary, and also generally
defeats the purpose of using SSH in the first place.  See Darren's
message in this thread if that isn't sufficient to make it work...

I'm sorry if this sounds harsh, but you are giving out bad advice, and
that needs to be made clear.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

pgpon2pDbj9H1.pgp
Description: PGP signature