[Fwd: Re: X-windows security in Gnome]

Nicolas.Williams at ubsw.com
Sat May 18 07:41:51 EST 2002

What else can possibly be done to integrate SSH and apps? I mean, it works, doesn't it?

Jim's message was unclear - I was left with the impression that Jim was not aware of the existing X11 forwarding in SSH.



> -----Original Message-----
> From: Gregory Leblanc [mailto:gleblanc at linuxweasel.com]
> Sent: Friday, May 17, 2002 5:33 PM
> To: OpenSSH Devel List
> Subject: RE: [Fwd: Re: X-windows security in Gnome]
> On Fri, 2002-05-17 at 14:13, Nicolas.Williams at ubsw.com wrote:
> > The "integration" of SSH with apps is already there.
> I'm fully aware of the ability of OpenSSH to tunnel X11 connections, as
> is Jim (per his message).  Jim was saying that there was a potential to
> do more, or cleaner, integration between X applications and SSH.  I'm
> not familiar enough with either SSH or the X Window System to know
> exactly where that integration could be done, or how the existing
> integration could be "cleaner".
> 	Greg
> P.S.  Is my signature not explicit enough?  I don't need to receive
> multiple copies, one to the list is plenty, thanks.
> > Read the OpenSSH [or other SSH implementation's] man pages and the
> > SSHv2 specs. RTFM!
> >
> > Essentially SSH supports tunneling of X11 traffic. The SSH daemon is
> > responsible for creating a local X11 display endpoint and setting the
> > DISPLAY environment variable appropriately, then the apps you run in
> > SSH sessions with X11 forwarding do the right thing and open a display
> > which is really the SSH daemon and which proxies back-and-forth to the
> > SSH client, which then proxies back and forth to its DISPLAY.
> >
> > Oh, and, yes, there are patches for doing Kerberos authentication in
> > SSHv2 with OpenSSH. So yes, SSHv2 w/ X11 forwarding and w/ GSS (w/
> > Kerberos) key exchange / userauth is a decent approximation of
> > kerberized X11 - it's better even, since one need not forward or proxy
> > any tickets to make the SSH approach work, but one does have to forward
> > or proxy tickets to make the kerberized X11 approach work. And SSH can
> > compress SSH traffic too.
> > 
> > Cheers,
> > 
> > Nico
> > --  
> > 
> > > -----Original Message-----
> > > From: Gregory Leblanc [mailto:gleblanc at linuxweasel.com]
> > > Sent: Friday, May 17, 2002 4:59 PM
> > > To: OpenSSH Devel List
> > > Subject: [Fwd: Re: X-windows security in Gnome]
> > > 
> > > 
> > > This is from a security discussion on one of the GNOME lists.  Jim is
> > > one of the original X11 people, for what that's worth.  I just thought
> > > I'd try to tempt some folks here into looking at doing ssh and X
> > > integration "right".
> > > 	Greg
> > > 
> > > -- 
> > > Portland, Oregon, USA.
> > > Please don't copy me on replies to the list.
> > > 
> -- 
> Portland, Oregon, USA.
> Please don't copy me on replies to the list.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
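
Added example, not part of the original thread: the quoted explanation says sshd creates a local display endpoint and sets DISPLAY for the session. This sketch classifies DISPLAY values so untunnelled X11 sessions can be spotted, assuming sshd's default `X11DisplayOffset 10` and `X11UseLocalhost yes`; the function names, labels and sample sessions are constructed for illustration.

```python
import re

# DISPLAY syntax: [host]:display[.screen]; a TCP display listens on 6000 + display.
_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")
_LOOPBACK = {"localhost", "127.0.0.1"}


def classify_display(value, ssh_offset=10):
    """Return (kind, tcp_port) for a DISPLAY string.

    ssh_offset mirrors sshd's X11DisplayOffset (assumed default 10). The
    "likely-ssh-proxy" label is a heuristic, not proof of an SSH tunnel.
    """
    m = _DISPLAY_RE.match(value or "")
    if not m:
        return ("unparseable", None)
    host, num = m.group("host"), int(m.group("num"))
    if host in ("", "unix"):
        # Local Unix-domain socket; no X11 traffic on the network.
        return ("local-socket", None)
    port = 6000 + num
    if host.lower() in _LOOPBACK:
        # sshd's proxy display listens on loopback at or above the offset.
        kind = "likely-ssh-proxy" if num >= ssh_offset else "loopback-tcp"
        return (kind, port)
    # Named remote host: X11 protocol goes straight over TCP, outside SSH.
    return ("direct-tcp", port)


def untunnelled(sessions):
    """Users whose DISPLAY points directly at a remote X server."""
    return sorted(user for user, display in sessions.items()
                  if classify_display(display)[0] == "direct-tcp")


# Constructed sample data: user -> DISPLAY seen in that user's session.
SAMPLE_SESSIONS = {
    "alice": "localhost:10.0",           # typical value set by sshd
    "bob": ":0",                         # console X server
    "carol": "xterm1.example.com:0.0",   # direct network X11
    "dave": "localhost:0",               # loopback TCP below the offset
}

if __name__ == "__main__":
    for user, display in SAMPLE_SESSIONS.items():
        print(user, display, classify_display(display))
    print("untunnelled:", untunnelled(SAMPLE_SESSIONS))
```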
