Date: Wed, 16 Sep 1998 09:31:52 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Niall Smart <rotel@indigo.ie>
Cc: Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>, freebsd-security@FreeBSD.ORG
Subject: Re: X-security
Message-ID: <Pine.BSF.3.96.980916092842.28127A-100000@fledge.watson.org>
In-Reply-To: <199809152127.WAA01237@indigo.ie>
On Tue, 15 Sep 1998, Niall Smart wrote:

> > Note that the authentication tokens are not encrypted on the network.
> > Anyone who can sniff the network will also be able to connect to your
> > X-server.
> >
> > If you're worried about someone stealing your authentication token,
> > you'll need to use something like XDM-AUTHORIZATION-1 (*), SUN-DES-1 (**)
> > or ssh.
>
> After you've authenticated you're still vulnerable to snooping or
> active attacks though, someone could still steal your authentication
> data by desynchronising your TCP stream and injecting the right
> commands. Better to use port forwarding with ssh if possible.

I personally like this arrangement:

    Xnest :1 -auth /xauth/randomauthfile
    xterm -display :1 -e slogin -l username hostname

This restricts X programs coming from a remote untrusted host to a
particular Xnest. No doubt there are some problems with this (due to the
flakiness of Xnest, etc.), but this can be fairly effective against
observers from untrusted hosts. With ssh going, you prevent on-the-wire
and joe-user-on-the-remote-host attacks (as ssh maintains the encryption
and .Xauthority key). With Xnest you limit the scope of someone who has
managed to get access to your tunnel or the display key (like root on the
remote system).

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
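The Xnest arrangement from the message above, written out as a script (an added example, not code from the message or from FreeBSD): it generates a fresh MIT-MAGIC-COOKIE-1 cookie into a private auth file, starts Xnest on that file, and opens an xterm in the nested display that logs into the remote host, so forwarded remote clients land in the Xnest rather than on the real display. It assumes xauth, Xnest and ssh are installed, display :1 is free, the remote sshd permits X11 forwarding (ssh -X), and the auth file path $HOME/.xnest-auth, which is a placeholder rather than the mail's /xauth/randomauthfile.

```shell
#!/bin/sh
# Added example: confine clients from an untrusted remote host to a nested
# X server that accepts only its own, separately generated cookie.
set -eu

AUTHFILE="${AUTHFILE:-$HOME/.xnest-auth}"   # assumed path, not from the mail
DISPLAY_NR="${DISPLAY_NR:-1}"

# 128-bit random cookie for MIT-MAGIC-COOKIE-1, printed as 32 hex digits.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Check a cookie before writing it: exactly 32 lowercase hex digits.
is_valid_cookie() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Write the cookie into a private auth file used only by this Xnest.
make_authfile() {
    cookie="$(gen_cookie)"
    is_valid_cookie "$cookie" || { echo "bad cookie" >&2; return 1; }
    umask 077                       # keep the auth file owner-readable only
    : > "$AUTHFILE"
    xauth -f "$AUTHFILE" add ":$DISPLAY_NR" MIT-MAGIC-COOKIE-1 "$cookie"
}

# Start the nested server, then an xterm inside it that logs into the remote
# host; ssh's X forwarding points the remote clients at the Xnest display.
start_sandboxed_display() {
    remote_user="$1"; remote_host="$2"
    make_authfile
    Xnest ":$DISPLAY_NR" -auth "$AUTHFILE" &
    sleep 2                         # give Xnest a moment to come up
    XAUTHORITY="$AUTHFILE" xterm -display ":$DISPLAY_NR" \
        -e ssh -X -l "$remote_user" "$remote_host"
}

# Usage: ./xnest-sandbox.sh run username hostname
if [ "${1:-}" = "run" ]; then
    start_sandboxed_display "$2" "$3"
fi
```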