ssh X11Forward safety
Since I have nothing better to do, I often ponder how to improve safety
and security in my home setup. I have two conflicting needs: security
of my data and a need to use a browser with javascript and sometimes
flash; some sites only work with Iceweasel.
Let me set up my thinking on this, and then at the end I ask one
question. Could anybody who knows the ins-and-outs of ssh comment?
I note that Iceweasel gets lots of security updates (though, fewer in
the past month or two than I remember) which suggests that there are
lots more security issues that haven't been discovered yet. I know that
javascript runs in a sandbox and shouldn't be able to get at anything in
my home directory or run anything under my UID. However, if ever it
did, it could be disastrous.
So I look at ways to isolate the two needs. Right now I run Etch amd64
which means that Iceweasel with flash runs under an i386 chroot.
However for me, ordinary user, to run in the chroot I use schroot which
bind mounts my home directory, which presents it on the proverbial
platter for Iceweasel. Also, chroots are the greatest security
isolation.
I then consider putting them on separate boxes. If they are truly
separate, with two displays/keyboards, then that is more secure. I
could have my Athlon64 as my "entertainment" system (Iceweasel, VLC) and
another box for everything else. I could use a KVM switch to alternate
between the two boxes.
However, if I look at ssh-ing between the two, there are two scenarios:
1. Screen and keyboard on the "entertainment" box and I ssh through
to the secure box to do work. That "entertainment" box could at any
time become compromised via an undiscovered security breach in Iceweasel
and then grab whatever I do via ssh. If I edit a file with vi on the
"secure" box from a VT on the "entertainment" box, then anything there is
open to view.
2. Screen and keyboard on the "secure" box and ssh through to the
"entertainment" box to run Iceweasel. For this I need in ssh_config
both ForwardX11 and ForwardX11Trusted. Note that Konqueror doesn't
require ForwardX11Trusted. However, then a compromised "entertainment"
box could, per the ssh_config man page, "perform activities such as
keystroke monitoring".
So is the moral of the story that there is no way to access a
compromised box from a "secure" box via ssh without risking the security
of the "secure" box?
Doug.
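As an added example (not part of Doug's post, and not Debian's or OpenSSH's own tooling), the script below audits a client-side ssh_config for the setting Doug's scenario 2 hinges on: ForwardX11Trusted. It parses Host blocks with awk, reports the X11 forwarding options each block sets, and lists the hosts for which trusted forwarding is enabled. The sample configuration is constructed for the demonstration; the host names and the 192.0.2.10 address are hypothetical. The "entertainment" stanza is the weak form Doug describes, and the "entertainment-untrusted" stanza is the corrected form: ForwardX11 yes with ForwardX11Trusted no gives the same behaviour as `ssh -X` instead of `ssh -Y`, so the remote X clients run under the X SECURITY extension, and ForwardX11Timeout limits how long the forwarded cookie stays valid. The parser only handles the whitespace-separated "Key value" form, not "Key=value".

```shell
#!/bin/sh
# Added example, not from the original post. Audits an ssh_config-style
# file for Host blocks that enable trusted X11 forwarding, the setting
# that lets X clients on a compromised remote box read the local display
# and keystrokes. Assumes whitespace-separated "Key value" lines only.

# Print one line per Host block:
#   "<pattern> ForwardX11=<v> ForwardX11Trusted=<v>"
# Options that appear before any Host line are reported under "*".
x11_settings() {
    awk '
    function flush() {
        if (seen) printf "%s ForwardX11=%s ForwardX11Trusted=%s\n", host, fx, fxt
    }
    BEGIN { host = "*"; fx = "unset"; fxt = "unset"; seen = 0 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
    {
        key = tolower($1)
        if (key == "host") {
            flush()
            host = $2
            for (i = 3; i <= NF; i++) host = host "," $i   # "Host a b" -> "a,b"
            fx = "unset"; fxt = "unset"; seen = 1
            next
        }
        seen = 1
        if (key == "forwardx11") fx = tolower($2)
        if (key == "forwardx11trusted") fxt = tolower($2)
    }
    END { flush() }
    ' "$1"
}

# List only the Host patterns for which trusted X11 forwarding is on.
trusted_hosts() {
    x11_settings "$1" | awk '$3 == "ForwardX11Trusted=yes" { print $1 }'
}

# Constructed sample config (hypothetical hosts/addresses) written to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
# Weak form: trusted forwarding gives the remote X clients full access
# to the local X server, including keystroke monitoring.
Host entertainment
    HostName 192.0.2.10
    ForwardX11 yes
    ForwardX11Trusted yes

# Corrected form: untrusted forwarding (same as "ssh -X" rather than
# "ssh -Y"); remote clients are confined by the X SECURITY extension and
# the forwarded cookie expires after ten minutes.
Host entertainment-untrusted
    HostName 192.0.2.10
    ForwardX11 yes
    ForwardX11Trusted no
    ForwardX11Timeout 10m

Host *
    ForwardX11 no
EOF
}

# Stand-alone demonstration.
cfg=$(mktemp)
write_sample_config "$cfg"
echo "X11 forwarding settings per Host block:"
x11_settings "$cfg"
echo "Trusted X11 forwarding enabled for:"
trusted_hosts "$cfg"
rm -f "$cfg"
```

Run it against a real file with `x11_settings ~/.ssh/config` or `x11_settings /etc/ssh/ssh_config`; any pattern printed by `trusted_hosts` is a host whose X clients are handed the local display wholesale. Two caveats a practitioner should keep in mind: untrusted mode depends on the local X server actually implementing the SECURITY extension, and some applications misbehave or refuse to start under it, which is why people reach for ForwardX11Trusted in the first place; and even untrusted mode still shares a display, so it narrows the exposure Doug describes rather than removing it.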