Re: SSH / X11 auth: needless complexity -> security problems?

From: Theo de Raadt (deraadtat_private)
Date: Fri Jun 08 2001 - 13:33:49 PDT

    > this feature was inherited from ossh and the reason was:
    > 	1) if $HOME is on NFS, then the cookie travels unencrypted
    > 	   over the network, this defeats the purpose of X11-fwding
    > 	2) $HOME/.Xauthority gets polluted with temporary cookies.
    > however, i'm not sure whether the benefit justifies the complexity,
    > so this feature could be removed from future OpenSSH versions.
    
    I cannot tell which is more important.  No wait, I can.
    
    OK, let's do the home dir thing then.
    
    In the NFS case, if someone is sniffing your NFS traffic you are
    fucked from here to hell.
    


