SSH Compression - Block Deduplication

Damien Miller djm at mindrot.org
Wed Sep 14 12:35:53 EST 2011


On Tue, 13 Sep 2011, Nico Kadel-Garcia wrote:

> Unfortunately, the default implementation of VNC has a truly horrible
> security model with manually generated passwords stored in
> $HOME/.vnc/, which share all the flaws of a publicly readable
> .htpasswd file. There's no way to ensure password quality nor
> expiration, and they're typically encrypted only with DES. Since far
> too many people use their personal user password as their VNC
> password, it creates a vulnerability for anyone who can access
> $HOME/.vnc to crack the password.

Since we are talking SSH here, it should be easy to hack a VNC client
to execute a server and talk to it on stdin/out*. At this point it is
easy to stuck a ssh invocation in the pipeline to eliminate the need
for listening ports or random passwords laying around on the server.

As for more compression methods. I suppose we could consider them
if they were a) post-auth only (like zlib at openssh.com); b) totally
compelling from the persepectives of compression ratio and speed; and
c) BSD/MIT licensed.

-d


More information about the openssh-unix-dev mailing list