SSH Compression - Block Deduplication

Nico Kadel-Garcia nkadel at gmail.com
Wed Sep 14 12:20:37 EST 2011


On Mon, Sep 12, 2011 at 6:53 PM, Morty Abzug <morty at frakir.org> wrote:
> On Mon, Sep 12, 2011 at 08:26:41AM -0700, Matt Olson wrote:
>
>> Nomachine, being a commercial product, is not likely to achieve ubiquity.
> [snip]
>> I may look around and see if I can find a library that does another
>> layer of tunneling or a Xorg addon to provide deduplication.
>
> Have you looked at VNC?  Especially the x11vnc implementation, in
> service mode, with "Tight" encoding.  IME, one gets amazingly good
> performance via that specific combination.  Use it in service mode and
> you can do one master port redirection instead of per-user port
> redirection.  This makes X11 useful even over slow WAN links.

I wrote the first published SunOS port of VNC, and more recently took
apart NX for RHEL usage, along with a number of the freeware
implementations. All the freeware uses are abandonware, and NX does
provide a *very* effective wrapper and integration of optimized and
stable X services for multiple platforms, much improved over raw X11
tunneling and with lighter and more stable behavior, without the
amazing expense of commercial products, especially the very expensive
and bloated 'eXodus' software for Windows users, which charges extra
for SSH integration.

Unfortunately, the default implementation of VNC has a truly horrible
security model with manually generated passwords stored in
$HOME/.vnc/, which share all the flaws of a publicly readable
.htpasswd file. There's no way to ensure password quality nor
expiration, and they're typically encrypted only with DES. Since far
too many people use their personal user password as their VNC
password, it creates a vulnerability for anyone who can access
$HOME/.vnc to crack the password.

NX's security model is much better, and you can review it. But all the
freeware versions of NX are abandonware, and many of them do rude
things to dead farm animals in the process. Do not get me *started* on
the Google code published "neatx" toolkit. And *all* of them rely on
the older GPL published NX from NoMachine.

I did have some concerns about their default NX private/public key
management for the original SSH connection as the "nx" user, to open
the session, but that can actually be replaced pretty easily if you're
concerned.
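As an added example (not part of the mail above, and not code from any VNC or NX project), the following POSIX shell check audits the exposure described in the message: a $HOME/.vnc directory, or the password file inside it, that users other than the owner can read. The directory path is passed in by the caller, and the assumption that the stored password lives in a file named passwd inside that directory is the example's own.

```shell
#!/bin/sh
# Added example, not from the original mail: audit a VNC configuration
# directory (normally $HOME/.vnc) for a password file that anyone other
# than the owner can read. Prints one line per finding and returns 0 when
# both the directory and the password file are owner-only, 1 otherwise.

# others_can_access PATH -> succeeds when any group or other permission
# bit is set. Columns 5-10 of "ls -ld" output are the group and other
# permission triplets, which is portable across GNU and BSD ls.
others_can_access() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" != "------" ]
}

# audit_vnc_dir DIR -> 0 if DIR and DIR/passwd are private to the owner.
# The file name "passwd" is assumed here; adjust it for other VNC servers.
audit_vnc_dir() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    if others_can_access "$dir"; then
        echo "$dir: directory is accessible to group/others (expected mode 0700)"
        rc=1
    fi
    pwfile="$dir/passwd"
    if [ ! -f "$pwfile" ]; then
        echo "$pwfile: no password file found"
        rc=1
    elif others_can_access "$pwfile"; then
        echo "$pwfile: password file is readable by group/others (expected mode 0600)"
        rc=1
    fi
    return $rc
}

# Usage: sh audit-vnc.sh "$HOME/.vnc"
if [ -n "${1:-}" ]; then
    audit_vnc_dir "$1"
fi
```

The check deliberately looks only at permission bits, not at the password contents: the point of the audit is to find the readable file before anyone else does, and a reviewer can run it across home directories without ever touching the stored secret.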


More information about the openssh-unix-dev mailing list