Date: Fri, 25 Oct 2002 11:57:59 -0500 (CDT)
From: "Brandon D. Valentine"
To: John Baldwin
Cc: Matthew Seaman, FreeBSD Hackers List
Subject: Re: X11 display problem
Message-ID: <20021025114346.P277-100000@taran.dhcp.mc.vanderbilt.edu>

On Fri, 25 Oct 2002, John Baldwin wrote:

> Would be nice if there could be a 'WITH_TCP' or some such option for
> the port to enable normal behavior for those people who aren't super
> paranoid. Having an uber-secure box doesn't do you any good if you
> can't use it to get actual work done.

Word. I'm not near my FreeBSD machines at this moment but this weekend
I'll hack up the necessary patch if nobody else bothers. Probably better
to call it something less ambiguous like X11_LISTEN_TCP or similar so
those who want to put it in make.conf don't incur namespace ambiguity
and possible collision with other ports that might use similar make
variables with different semantic meaning. WITH_TCP doesn't have the
same sort of global meaning that WITH_GNOME does.

The other option is to do away with the insecurity of listen_tcp by
teaching OpenSSH how to set up X11 forwarding using unix domain sockets.
See this message for details:

http://lists.debian.org/debian-user/2000/debian-user-200002/msg00109.html

This is probably the most worthwhile and secure avenue. To be perfectly
honest I'm wondering why I still have yet to notice support for it in
OpenSSH.

Brandon D. Valentine
-- 
http://www.geekpunk.net
bandix@geekpunk.net
++[>++++++<-]>[<++++++>-]<.>++++[>+++++<-]>[<+++++>-]<+.+++++++..++
+.>>+++++[<++++++>-]<++.<<+++++++++++++++.>.+++.------.--------.>+.