Re: Security in a shell that starts ssh
On Thu, Jun 14, 2001 at 09:30:59PM +0200, Miquel Martín López wrote:
> Hi David!
> Well, in my case the terminal is a VT-100, so it's connected directly to
> one of the serial ports of the server, so nothing's going wildly to the
> network in cleartext.
> I don't know about Xterminals, though... I guess they are networked, but I
> really don't know much about the protocol :(
They talk X11 over TCP/IP over ethernet. They are exactly as insecure as
doing remote X11 with a normal Unix machine running the X server. I.e.
don't type any passwords that shouldn't be seen by someone who can get at
the network cables. Everything goes in the clear, and is totally sniffable.
Access control is provided by IP addr-based xhosts (which obviously sucks
because it uses IP addrs for auth purposes), or with MIT-MAGIC-COOKIE-1, or
XDM-AUTHORIZATION xauth stuff. (The NCD X terminal I salvaged supports those,
so that's what I'm basing this on...).
An X terminal is ok, as long as you use it on a private network that only
connects it to a server. You can use ssh to tunnel connections from places
farther away than the server _to_ the server, and have them go in the clear
between the server and the X terminal.
How secure is MIT-MAGIC-COOKIE-1, anyway?
#define X(x,y) x##y
Peter Cordes ; e-mail: X(email@example.com. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE
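
Added example, not part of the original message: a small auditor for the binary Xauthority file that xauth maintains, listing which scheme covers each display and flagging network displays that rely on MIT-MAGIC-COOKIE-1, whose cookie is sent unencrypted in the X connection setup. The function names and the sample entries (documentation addresses, all-zero keys) are constructed for illustration; key material is never printed, only its length.

```python
import ipaddress
import struct

# Family codes used in Xauthority entries (values from the X11 headers).
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def _u16(buf, pos):
    """Read a big-endian 16-bit value, refusing to run past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated Xauthority entry")
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def _counted(buf, pos):
    """Read one length-prefixed field and return (bytes, next position)."""
    n, pos = _u16(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated Xauthority entry")
    return buf[pos:pos + n], pos + n

def parse_xauthority(buf):
    """Entry layout: family, then address, display number, scheme name, key."""
    entries, pos = [], 0
    while pos < len(buf):
        family, pos = _u16(buf, pos)
        addr, pos = _counted(buf, pos)
        num, pos = _counted(buf, pos)
        name, pos = _counted(buf, pos)
        data, pos = _counted(buf, pos)
        fam = FAMILIES.get(family, str(family))
        net = fam in ("Internet", "Internet6")
        host = str(ipaddress.ip_address(addr)) if net else addr.decode("latin-1")
        entries.append({"family": fam, "display": f"{host}:{num.decode('ascii')}",
                        "scheme": name.decode("ascii"), "key_bytes": len(data)})
    return entries

def cleartext_cookie_displays(buf):
    """Network displays whose only credential is a cookie sent in the clear."""
    return [e["display"] for e in parse_xauthority(buf)
            if e["scheme"] == "MIT-MAGIC-COOKIE-1"
            and e["family"] in ("Internet", "Internet6")]

def _entry(family, addr, num, name, data):
    """Build one constructed entry for the sample below."""
    fields = b"".join(struct.pack(">H", len(f)) + f for f in (addr, num, name, data))
    return struct.pack(">H", family) + fields

# Constructed sample: one local display, two X terminals on 192.0.2.0/24.
SAMPLE = (_entry(256, b"server", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + _entry(0, bytes([192, 0, 2, 10]), b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + _entry(0, bytes([192, 0, 2, 11]), b"0", b"XDM-AUTHORIZATION-1", bytes(16)))

if __name__ == "__main__":
    for e in parse_xauthority(SAMPLE):
        print(e)
    print("cookie crosses the wire in the clear for:", cleartext_cookie_displays(SAMPLE))
```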