X11 cookies and forwarding (fwd)
Sturle Sunde
sturle.sunde at usit.uio.no
Mon Nov 19 14:26:59 EST 2001
Dan Astoorian <djast at cs.toronto.edu> writes:
> If the NFS traffic for $HOME can be sniffed, it can probably be spoofed,
> and an attacker can simply write his own keys into
> $HOME/.ssh/authorized_keys, $HOME/.shosts, or a similar sensitive
> location, or steal the (_hopefully_ password-protected) private key
> file and attack the passphrase with brute force. It was not
> unreasonable for OpenSSH to make the simplifying assumption that
> $HOME/.ssh can be trusted.
I agree on the assumption that $HOME must be trusted. I also agree
that NFS should _not_ be trusted. But there are lots of hosts out
there which I trust, that don't mount user $HOMEs. Either because I
don't trust the network path between them enough to use NFS, or
because the machine isn't intended for general use. Is there an easy
way to get secure X11-Forwarding between a workstation and a host
without a writeable $HOME?
Ideally this should be simpler than "xhost +", because a very common
kind of user (one born every minute) always chooses the easiest
solution.
--
Sturle All eyes were on Ford Prefect. Some of them were on stalks.
~~~~~~ -- Douglas Adams, So long, and thanks for all the fish