[Fwd: Re: X-windows security in Gnome]

Nicolas.Williams at ubsw.com
Sat May 18 07:13:25 EST 2002


The "integration" of SSH with apps is already there.

Read the OpenSSH [or other SSH implementation's] man pages and the SSHv2 specs. RTFM!

Essentially SSH supports tunneling of X11 traffic. The SSH daemon is responsible for creating a local X11 display endpoint and setting the DISPLAY environment variable appropriately, then the apps you run in SSH sessions with X11 forwarding do the right thing and open a display which is really the SSH daemon and which proxies back-and-forth to the SSH client, which then proxies back and forth to its DISPLAY.

Oh, and, yes, there are patches for doing Kerberos authentication in SSHv2 with OpenSSH. So yes, SSHv2 w/ X11 forwarding and w/ GSS (w/ Kerberos) key exchange / userauth is a decent approximation of kerberized X11 - it's better even, since one need not forward or proxy any tickets to make the SSH approach work, but one does have to forward or proxy tickets to make the kerberized X11 approach work. And SSH can compress SSH traffic too.

Cheers,

Nico
--  

> -----Original Message-----
> From: Gregory Leblanc [mailto:gleblanc at linuxweasel.com]
> Sent: Friday, May 17, 2002 4:59 PM
> To: OpenSSH Devel List
> Subject: [Fwd: Re: X-windows security in Gnome]
> 
> 
> This is from a security discussion on one of the GNOME lists.  Jim is
> one of the original X11 people, for what that's worth.  I just thought
> I'd try to tempt some folks here into looking at doing ssh and X
> integration "right".  
> 	Greg
> 
> -- 
> Portland, Oregon, USA.
> Please don't copy me on replies to the list.
> 
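
The DISPLAY handling described in the message above, as an added example that is not part of the original e-mail or of OpenSSH: a small classifier that tells whether a DISPLAY value points at a local socket, a loopback TCP endpoint of the kind sshd creates for X11 forwarding, or a remote X server reached directly over the network. The function names are hypothetical, the sample values are constructed, and the proxy check is a heuristic that assumes sshd's default `X11DisplayOffset` of 10 and loopback-bound forwarding.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

X11_BASE_PORT = 6000       # X11 over TCP: display N listens on port 6000 + N
SSHD_DISPLAY_OFFSET = 10   # assumption: sshd_config X11DisplayOffset left at its default

# [host]:display[.screen]; the greedy host part lets IPv6 literals such as ::1 through.
_DISPLAY_RE = re.compile(r"^(?P<host>.*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")

class DisplayInfo(NamedTuple):
    transport: str             # "local-socket", "loopback-tcp" or "remote-tcp"
    tcp_port: Optional[int]    # None when no TCP connection is involved
    likely_ssh_proxy: bool     # heuristic only, see classify_display()

def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False           # some other hostname

def classify_display(value: str) -> DisplayInfo:
    """Classify a DISPLAY value by the transport an X client would use for it."""
    m = _DISPLAY_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a DISPLAY value: {value!r}")
    host, num = m["host"], int(m["num"])
    if host in ("", "unix"):
        # Unix-domain socket to an X server on the same machine.
        return DisplayInfo("local-socket", None, False)
    port = X11_BASE_PORT + num
    if _is_loopback(host):
        # A loopback listener at or above the offset is what sshd sets up;
        # the X traffic then travels inside the SSH session.
        return DisplayInfo("loopback-tcp", port, num >= SSHD_DISPLAY_OFFSET)
    # Any other host: the X11 protocol crosses the network outside SSH.
    return DisplayInfo("remote-tcp", port, False)

if __name__ == "__main__":
    # Constructed sample values.
    for sample in (":0", "localhost:10.0", "::1:11", "xhost.example.com:0.0"):
        print(f"{sample:24} {classify_display(sample)}")
```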
