All children of the SSH connection are able to tunnel X11 sessions
through the X tunnel to the client X11 session. This is
accomplished by running xauth upon logging in.
I'm really suprised this is still the default. I've heard mention of
this at least 4 years ago, and have seen trojaned SSH servers around
_since then_ that do logging of client X11 keystrokes - probably the
best place to accomplish this. The problem seems to be that the
authors have not figured out that this isn't a good default, perhaps
for convenience's sake. This suprises me, since people DO know about
this. I think the argument is really convenience vs. security (well,
thats always the argument isn't it?).
alias ssh="ssh -x"