Re: [debian-knoppix] Default configuration ssh-client "X11 Forwarding"

To: debian-knoppix@linuxtag.org
Subject: Re: [debian-knoppix] Default configuration ssh-client "X11 Forwarding"
From: Gebhardt Thomas <gebhardt@hrz.uni-marburg.de>
Date: Mon, 17 May 2004 10:37:47 +0200
Message-id: <[🔎] 200405171037.49218.gebhardt@hrz.uni-marburg.de>
In-reply-to: <[🔎] 20040514135648.GN2400@linuxtag.org>
References: <[🔎] Pine.LNX.4.58.0405031218280.31871@rolinck> <[🔎] 200405101713.19673.gebhardt@hrz.uni-marburg.de> <[🔎] 20040514135648.GN2400@linuxtag.org>

On Friday 14 May 2004 15:56, Klaus Knopper wrote:

Hi,

> So, I do object in restricting X11-forwarding as default. For me, the
> most common (and therefore should be default) case of using ssh
> interactively, is working from one trusted system, logging into another
> trusted system, including remote X access.
>
> If you don't trust the remote system, you should not log in at all.  If

We often have to log into systems in that we trust less than in our own host,
say a shared webserver or a virtual root server at an ISP. Opening a
back channel by default (through which the remote admin can read
my keystrokes and grab my screen) is questionable at best. Even
between systems of equal trust some bulkheads may help to minimize
the damage in case of a compromise.

> A "reasonable and secure default" does not automatically lead to a
> "reasonably secure system". Note these cases that I have observed in
> real life:
>
> - User A used ssh to start OpenOffice from a remote machine via an
...
> Too restrictive firewalls also often lead to security breeches because
> users generate their own tunnels - via software or physical (by
> attaching Modems to computers inside a secure LAN).

Having said that, I agree with you that there is a tradeoff between too
restrictive security configs that will seduce users to dangerous behaviour
and a too lax configuration that is dangerous by itself. So there is no easy
answer about the correct default ssh X11-forwarding configuration.

We are in the lucky situation that the "outside security pressure" for
linux systems is far less than the pressure on the users of that other OS.
So, personallly, I can live with " X11-forwarding yes" for now. But times
may change and in the meantime we should give the unexperienced user
the chance to educate, i.e., if we start ssh from a menu, then there should
be an item "ssh text only" and a second item "ssh (+X11) to trusted host".
Or there should be a dialog window (with opt-out button) that shortly explains
the security implications.

Cheers, Thomas

_______________________________________________
debian-knoppix mailing list
debian-knoppix@linuxtag.org
http://mailman.linuxtag.org/mailman/listinfo/debian-knoppix

Reply to:

References:
- [debian-knoppix] Default configuration ssh-client "X11 Forwarding"
  - From: Holger van Lengerich <gimli@snakeoil.de>
- Re: [debian-knoppix] Default configuration ssh-client "X11 Forwarding"
  - From: Gebhardt Thomas <gebhardt@hrz.uni-marburg.de>
- Re: [debian-knoppix] Default configuration ssh-client "X11 Forwarding"
  - From: Klaus Knopper <knopper@linuxtag.org>

Prev by Date: [debian-knoppix] Help for Knoppix 3.1
Next by Date: [debian-knoppix] knoppix-autoconfig: slovenian/slovakian timezone, iso8859-2 console font
Previous by thread: Re: [debian-knoppix] Default configuration ssh-client "X11 Forwarding"
Next by thread: Re: [debian-knoppix] Default configuration ssh-client "X11 Forwarding"
Index(es):
- Date
- Thread