On January 18, 2026, Kent Borg wrote:
> I thought [ssh] -X was X11 forwarding.
> And -A is ssh agent forwarding.
> But then what is -Y? How is it different from -X? The name sounds all
> secure, so does that make it related to forwarding ssh credentials?

Quoted with small edits from "SSH, the Secure Shell: The Definitive Guide" from O'Reilly, p. 383:

The X Windows protocol was not designed with much security in mind. Usually, once an application has access to an X display, it pretty much has the run of it. A malicious X client can easily read all keyboard input, see all screen contents, add or modify keystrokes, and so on. This is why X forwarding is risky and should generally be turned on only when you need it, and only for hosts you trust.

There is a security extension to the X Windows protocol that allows at least some further granularity, partitioning X clients into “trusted” and “untrusted” groups. Programs like the X Window Manager must be trusted, since they have to manipulate the windows of other applications and perform other global operations on the display. Other programs may be left untrusted, though, with more limited access to the display and less opportunity for mischief.

OpenSSH supports this trust distinction in X forwarding with the ForwardX11Trusted client option or the -Y flag. Set to yes or no, it controls whether remote X clients accessing the local display via SSH X forwarding will be considered trusted or untrusted by the X server.

Technically, for trusted forwarding, the client uses the existing xauth key to access the display: that is, it inherits whatever trust is already in effect. For untrusted forwarding it generates a new, specifically untrusted key using the command "xauth generate <...> untrusted", and uses the new key with forwarded X connections. In either case, the local key never goes to the remote host; that is always a throwaway key used only for authenticating the connection within SSH.

[The book follows this with 6 pages of deeper explanation.]

Dan
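
Added example, not part of the original post or the book: a small shell check that reads the effective client configuration printed by "ssh -G <host>" and reports whether X forwarding for that host is off, untrusted (the -X behaviour described above) or trusted (-Y / ForwardX11Trusted yes). The function names x11_mode and audit_hosts and the sample text are assumptions made for illustration; the sample is constructed, not captured output.

```shell
#!/bin/sh
# Classify X11 forwarding from `ssh -G <host>` style output on stdin.
# `ssh -G` prints the effective client options as lowercase "key value" lines.
# Prints one of: off | untrusted | trusted
x11_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        END {
            # Forwarding disabled: the trust setting is irrelevant.
            if (fwd != "yes")          print "off"
            # Remote clients inherit the existing xauth key (full display access).
            else if (trusted == "yes") print "trusted"
            # Remote clients get a separately generated untrusted key.
            else                       print "untrusted"
        }'
}

# Report the mode for each host name given as an argument.
# Needs the OpenSSH client; it only evaluates configuration, it does not connect.
audit_hosts() {
    for host in "$@"; do
        printf '%s\t%s\n' "$host" "$(ssh -G "$host" | x11_mode)"
    done
}

# Constructed sample resembling `ssh -G` output for a host reached with -Y.
sample_trusted='hostname build.example.org
forwardagent no
forwardx11 yes
forwardx11trusted yes'

# Constructed sample for a host where X forwarding is not enabled.
sample_off='hostname db.example.org
forwardx11 no
forwardx11trusted yes'

printf '%s\n' "$sample_trusted" | x11_mode
printf '%s\n' "$sample_off" | x11_mode
```

Running audit_hosts over the Host entries you actually use shows where trusted forwarding is enabled by configuration rather than by an explicit -Y on the command line.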
