Subject: Re: problems with some X applications
To: Matthieu Herrb <matthieu.herrb@laas.fr>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: current-users
Date: 02/21/2005 08:04:03

In message <42198A4A.40801@laas.fr>, Matthieu Herrb writes:
>This is caused by a new feature in OpenSSH 3.8 and above that makes
>clients using the ssh tunnel 'untrusted' for the X Security extension.
>This denies them access to some resources in the X server.
>
>Until clients are fixed to work correctly in untrusted mode, a
>workaround is to use the -Y ssh option instead of -X, or use
>'ForwardX11Trusted yes' in ssh_config.
>
This is going to require a prominent warning somewhere in the release
notes, because the odds of all those pkgsrc programs being updated to
fit this oddball case are extremely low.

I don't know what the Security Extension permits, but given the evil
things one can do to an X server in general -- such as reading the
screen -- I'm skeptical that this is much of an improvement.

Oh yes -- -Y alone works, but if you use ForwardX11Trusted you still
need ForwardX11, it seems....

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
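
Added example, not part of the original message or of OpenSSH: a small shell helper that reads the effective client settings in the "key value" form printed by `ssh -G <host>` (OpenSSH 6.8 and later) and reports which X11 forwarding mode a connection would get, including the case noted above where ForwardX11Trusted is set without ForwardX11. The function name `x11_mode`, its result labels, and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Classify X11 forwarding from effective ssh client settings read on stdin.
# Input format: one "keyword value" pair per line, as `ssh -G <host>` prints.
# Result labels (hypothetical, chosen for this example):
#   off                  no X11 forwarding
#   off-trusted-ignored  ForwardX11Trusted yes but ForwardX11 not enabled
#   untrusted            forwarded clients are restricted by the X Security
#                        extension (ForwardX11 yes, ForwardX11Trusted no)
#   trusted              forwarded clients have full access to the X server
#                        (what ssh -Y requests)
x11_mode() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "forwardx11"        { fwd = val }
        key == "forwardx11trusted" { trusted = val }
        END {
            if (fwd != "yes") {
                # ForwardX11Trusted on its own does not enable forwarding.
                if (trusted == "yes") print "off-trusted-ignored"
                else                  print "off"
            } else if (trusted == "yes") {
                print "trusted"
            } else {
                print "untrusted"
            }
        }'
}

# Constructed samples standing in for `ssh -G somehost` output.
sample_trusted_only='hostname xhost.example
forwardx11 no
forwardx11trusted yes'

sample_both='hostname xhost.example
forwardx11 yes
forwardx11trusted yes'

printf '%s\n' "$sample_trusted_only" | x11_mode   # off-trusted-ignored
printf '%s\n' "$sample_both"         | x11_mode   # trusted
```

On a live system the input would come from `ssh -G <host> | x11_mode`, which makes it easy to list the hosts for which a workaround has left trusted forwarding switched on.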