From owner-freebsd-security Wed Sep 16 06:32:21 1998
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id GAA10391
        for freebsd-security-outgoing; Wed, 16 Sep 1998 06:32:21 -0700 (PDT)
        (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA10384
        for ; Wed, 16 Sep 1998 06:32:19 -0700 (PDT)
        (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
        by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA28148;
        Wed, 16 Sep 1998 09:31:52 -0400 (EDT)
Date: Wed, 16 Sep 1998 09:31:52 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Niall Smart
cc: Peter Jeremy, freebsd-security@FreeBSD.ORG
Subject: Re: X-security
In-Reply-To: <199809152127.WAA01237@indigo.ie>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Sep 1998, Niall Smart wrote:

> > Note that the authentication tokens are not encrypted on the network.
> > Anyone who can sniff the network will also be able to connect to your
> > X-server.
> >
> > If you're worried about someone stealing your authentication token,
> > you'll need to use something like XDM-AUTHORIZATION-1 (*), SUN-DES-1 (**)
> > or ssh.
>
> After you've authenticated you're still vulnerable to snooping or
> active attacks though, someone could still steal your authentication
> data by desynchronising your TCP stream and injecting the right
> commands.  Better to use port forwarding with ssh if possible.

I personally like this arrangement:

Xnest :1 -auth /xauth/randomauthfile
xterm -display :1 -e slogin -l username hostname

This restricts X programs coming from a remote untrusted host to a
particular Xnest.
No doubt there are some problems with this (due to the flakiness of
Xnest, etc), but this can be fairly effective against observers from
untrusted hosts.  With ssh going, you prevent on-the-wire and
joe-user-on-the-remote-host attacks (as ssh maintains the encryption and
.Xauthority key).  With Xnest you limit the scope of someone who has
managed to get access to your tunnel or the display key (like root on the
remote system).

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
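
Added example, not part of the original message or thread: one way to script the Xnest-plus-ssh arrangement described above, giving the nested server its own randomly generated cookie file. The temporary directory name, the use of MIT-MAGIC-COOKIE-1, `ssh -Y` in place of `slogin`, and the `run username hostname` invocation are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed: display :1,
# MIT-MAGIC-COOKIE-1 auth, and placeholder "username"/"hostname" arguments.

# 128-bit random cookie as 32 hex digits from the kernel RNG.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Create a private (0700) directory with an empty 0600 authority file and
# print its path. The nested server gets a key of its own, separate from
# the real display's ~/.Xauthority.
make_auth_file() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/xnest-auth.XXXXXX") || return 1
    chmod 700 "$dir"
    ( umask 077; : > "$dir/cookie" )
    printf '%s\n' "$dir/cookie"
}

# Start the nested server and open the remote login inside it.
start_sandbox() {
    display=$1 user=$2 host=$3
    authfile=$(make_auth_file) || return 1
    xauth -f "$authfile" add "$display" MIT-MAGIC-COOKIE-1 "$(gen_cookie)" || return 1
    # Xnest itself still uses the caller's DISPLAY/XAUTHORITY to reach the real server.
    Xnest "$display" -auth "$authfile" &
    xnest_pid=$!
    sleep 2   # crude wait for Xnest to start listening
    # xterm and the ssh under it see only the nested display and its key,
    # so forwarded remote clients land in Xnest. -Y (trusted forwarding) is
    # an assumption here: confinement comes from Xnest, not from ssh.
    XAUTHORITY=$authfile xterm -display "$display" -e ssh -Y -l "$user" "$host"
    kill "$xnest_pid" 2>/dev/null
    rm -rf "$(dirname "$authfile")"
}

# Only act when invoked as: sh script run username hostname
if [ "${1:-}" = "run" ]; then
    start_sandbox :1 "$2" "$3"
fi
```

Because the remote side only ever receives the nested display's cookie, a compromised remote account or remote root can reach windows inside the Xnest but holds no key for the real display.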