osukup wrote:
Compression has no any added value for this test
I agree. X forwarding and compression are two different things. Test one thing at a time. If you would like to test compression, create a second testcase.
and SSH X forwarding is more secure and recommended with '-Y' - Trusted X forwarding.
Recommended yes. More secure, not. If you use -X
the remote machine is considered as untrusted. As a result -X
is using the [X Security Extension] of 1990's, which means that if your command violates some security settings, you will receive an error. The problem is that this is old and inflexible and causes random problems (crashes) with some programs. Simply put, -X
tries to restrict remote programs to accessing only their own windows, and to using only those parts of X which are relatively secure. Which sounds good, but currently doesn't work well in practice.As a result, in other distributions (e.g. Ubuntu and Debian) they have disabled -X
. This can be done via the ForwardX11Trusted
which can be found at/etc/ssh/ssh_config
.
For example, if ForwardX11Trusted yes
then there's no difference between -X
and -Y
.
From Ubuntu man page:
(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension restrictions by default, because too many programs currently crash in this mode.
Set the ForwardX11Trusted option to “no” to restore the upstream behavior.
This may change in future depending on client-side improvements.)
We, in SUSE, we also suse ForwardX11Trusted yes
, so there's no difference between X
and Y
.
In case you google around for this error (fatal: buffer_uncompress: inflate returned -3)
is sort of known but still investigated issue that comes with compression. Or if you still want to use the X Security extension, then make 3 tests:
- Compression
- X Forwarding
- X Forwarding using X Security Extension (modify the configuration first)
Or, because this error might occur only when the combination of these 3 is triggered, then use these three isolated tests only if the -CX
fails. In any case, the point is that it should pass, and since it's not passing and we are supporting both -CX
we have to investigate further.