
Re: How to reduce sid security



On Thu, Aug 07, 2003 at 08:05:05AM -0700, Boyd Moore wrote:
> 
> Well I did have rlogin, that is it points to netkit-rlogin.  I finally
> got rsh to work by commenting out the ALL: PARANOID line in
> hosts.deny.

 You should put ALL: ALL in hosts.deny, and fix hosts.allow to allow what
you want instead.  Be very careful with rsh.  You CANNOT use it over a
network that people you don't absolutely trust have access to.  People on
the same physical network can spoof your IP address and rsh into your
computer (since all it uses for authentication is source IP).  These days,
rsh/rlogin are only good for Beowulf clusters or something like that, where
the network really is private (and/or there is a ton of other weakly
authenticated insecure traffic, such as openmosix or NFS), and the overhead
of ssh's authentication encryption is too high.

> I thought that the hosts.allow overrode the hosts.deny,
> but apparently they have reversed the priority.  Now rsh, rlogin, etc.
> works, but still not remote X windows.

 You know you can forward X11 over SSH by running ssh -X, right?  That's the
secure way to do things, and you don't have to change the X -nolisten tcp
configuration, which is good, because given X's security record, it's better
not to have it listening to the network.  (You can edit your ssh config file
to make ssh always forward X11 connections when connecting to certain hosts.)

> I have gone through the xauth routine to make sure the .Xauthority
> files are the same for the same user on both hosts.  And I have set
> the xhost + on both machines, but I always get the "Can't open display
> ..." message.

 IIRC, "can't open display" means the tcp connection couldn't be made, so it
didn't even get to the point of trying to authenticate with xauth.
BTW, ssh -X sets up xauth correctly. 

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@cor , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
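
The hosts.deny / hosts.allow advice in the message above, as an added example that is not part of the original post: a simplified Python model of the lookup order documented in hosts_access(5) (hosts.allow first, then hosts.deny, otherwise access is granted). The host names, addresses and rule lines are constructed for illustration, and only the ALL, PARANOID, domain-suffix and address-prefix patterns are modelled.

```python
from dataclasses import dataclass

@dataclass
class Client:
    addr: str               # source IP address of the connection
    name: str               # reverse-resolved host name ("" if none)
    mismatch: bool = False  # True when name and address lookups disagree

def parse(text):
    """Parse 'daemon_list : client_list' lines; skip comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # ignore trailing options
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pat, c):
    if pat == "ALL":
        return True
    if pat == "PARANOID":        # name/address mismatch
        return c.mismatch
    if pat.startswith("."):      # domain suffix; never trusted on a mismatch
        return not c.mismatch and c.name.endswith(pat)
    if pat.endswith("."):        # address prefix, e.g. 192.168.10.
        return c.addr.startswith(pat)
    return pat == c.addr or (not c.mismatch and pat == c.name)

def matches(rules, daemon, c):
    return any(("ALL" in ds or daemon in ds)
               and any(client_matches(p, c) for p in cs)
               for ds, cs in rules)

def decide(allow, deny, daemon, c):
    if matches(parse(allow), daemon, c):
        return "allow"           # hosts.allow is consulted first
    if matches(parse(deny), daemon, c):
        return "deny"
    return "allow"               # no match in either file: access granted

# Constructed sample clients (hypothetical names and addresses).
NODE = Client("192.168.10.5", "node5.cluster.example", mismatch=True)
OUTSIDER = Client("203.0.113.9", "")

if __name__ == "__main__":
    for c in (NODE, OUTSIDER):   # default-deny with an address-based allow
        print(c.addr, decide("in.rshd: 192.168.10.", "ALL: ALL", "in.rshd", c))
```

In this model, a name-based allow entry does not match a client whose reverse lookup disagrees with its address, so an ALL: PARANOID line in hosts.deny still rejects it; with that line removed and no ALL: ALL, every unmatched client falls through to the default grant.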
