What is the difference between ssh -Y (trusted X11 forwarding) and ssh -X (untrusted X11 forwarding)? As far as I have understood it, it has something to do with security, but I did not grasp the difference and when to use which.
Ubuntu – the difference between `ssh -Y` (trusted X11 forwarding) and `ssh -X` (untrusted X11 forwarding)
sshx11-forwardingxorg
Related Solutions
In case we connect to a remote X-Server via VNC we have the advantage that the graphical application will stay running even when the SSH connection to the remote is down. We can then reconnect to resume the graphical application. See also:
To speed up reconnection we may combine the connection to the remote with an SSH session by using vncviewer from tightvncviewer with the option
-via. By this we can run on the remote server:
vncserver:0 ## or any other display number e.g. :1
to establish a connection on the viewer via an SSH tunnel:
vncviewer -via user@remote localhost:0
Doing so will need considerably more bandwith because the whole desktop will have to be transmitted from the VNC server. Therefore it may not really be a good idea for low bandwith connections but it may give you a somewhat better experience on high bandwith but unstable connections as compared with X-forwarding.
The NoMachine NX library is basically a derivative of DXPC. It is stated in wikipedia http://en.wikipedia.org/wiki/NX_technology "The NX scheme was derived from that of DXPC – the Differential X Protocol Compressor project".
So while ssh -C -X simply compresses whatever you feed it with (in your case, an X session), NX goes the extra mile to NOT send the 'unchanged' bits of information that it has already sent, thus the 'differential' term. Once what needs to be sent has been decided, nx will actually use ssh (or rather an nx derivative of ssh, nxssh to transmit session information).
So there is no way that the ssh -X -C will be as efficient as setting up an nx session. (nxclient is only one end of the deal btw, you will need the corresponding nxserver - i.e you cannot just replace the nxclient with ssh -X).
EDIT (as per requested):
As far as speeding up the ssh, I can only go as far as saying that using compressiong -C generally helps. This is backed up in this question.
Perhaps one can also consider switching to very lightweight desktop environments, such as xfce or even simpler like fluxbox. Of course this will only help with window drawing operations rather than with speeding up the content in the windows but still.
Related Question
- Ubuntu – using x11 forwarding with ssh and vnc
- Ubuntu – X11 forwarding via “ssh -X username@hostname” is slow, but fast using “nxclient”
- Ubuntu – Is X11 forwarding over SSH possible in Ubuntu 15.10
- Ubuntu – How to X11 forwarding through ssh in 15.10
- Ubuntu – the most simple example to check if X11 forwarding is working
- Ubuntu – Cannot start firefox on X11 forwarding SSH session
Best Answer
Both options have something to do with X11 forwarding. This means if you enable this, you can use a graphical client through your SSH session (e.g., use Firefox or something else).
If you use
ssh -X remotemachinethe remote machine is treated as an untrusted client. So your local client sends a command to the remote machine and receives the graphical output. If your command violates some security settings you'll receive an error instead.But if you use
ssh -Y remotemachinethe remote machine is treated as a trusted client. This last option can open security problems. Because other graphical (X11) clients could sniff data from the remote machine (make screenshots, do keylogging and other nasty stuff) and it is even possible to alter those data.If you want to know more about those things, I suggest reading the Xsecurity manpage or the X Security extension spec. Furthermore, you can check the options
ForwardX11andForwardX11Trustedin your/etc/ssh/ssh_config.