Since I have nothing better to do, I often ponder how to improve safety and security in my home setup. I have two conflicting needs: security of my data and a need to use a browser with JavaScript and sometimes Flash; some sites only work with Iceweasel.

Let me set up my thinking on this, and then at the end I ask one question. Could anybody who knows the ins-and-outs of ssh comment?

I note that Iceweasel gets lots of security updates (though fewer in the past month or two than I remember), which suggests that there are lots more security issues that haven't been discovered yet. I know that JavaScript runs in a sandbox and shouldn't be able to get at anything in my home directory or run anything under my UID. However, if ever it did, it could be disastrous.

So I look at ways to isolate the two needs. Right now I run Etch amd64, which means that Iceweasel with Flash runs under an i386 chroot. However, for me, an ordinary user, to run in the chroot I use schroot, which bind mounts my home directory over, which presents it on the proverbial platter for Iceweasel. Also, chroots are the greatest security isolation.

I then consider putting them on separate boxes. If they are truly separate, with two displays/keyboards, then that is more secure. I could have my Athlon64 as my "entertainment" system (Iceweasel, VLC) and another box for everything else. I could use a KVM switch to alternate between the two boxes.

However, if I look at ssh-ing between the two, there are two scenarios:

1. Screen and keyboard on the "entertainment" box and I ssh through to the secure box to do work. That "entertainment" box could at any time become compromised via an undiscovered security breach in Iceweasel and then grab whatever I do via ssh. If I edit a file with vi on the "secure" box from a VT on the "entertainment" box, then anything there is open to view.

2. Screen and keyboard on the "secure" box and ssh through to the "entertainment" box to run Iceweasel. For this I need in ssh_config both ForwardX11 and ForwardX11Trusted. Note that Konqueror doesn't require ForwardX11Trusted. However, then a compromised "entertainment" box could, per the ssh_config man page, "perform activities such as keystroke monitoring".

So is the moral of the story that there is no way to access a compromised box from a "secure" box via ssh without risking the security of the "secure" box?

Doug.
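
An added example, not part of Doug's message: a small Python check that reports, for one host, whether a client ssh_config explicitly enables the ForwardX11 plus ForwardX11Trusted combination from scenario 2. The host names and sample config are constructed, Match blocks are skipped rather than evaluated, and an unset ForwardX11Trusted is reported as such because its default depends on the ssh build.

```python
import fnmatch

KEYS = ("forwardx11", "forwardx11trusted")

# Constructed sample client config; host names are hypothetical.
SAMPLE = """\
Host entertainment
    ForwardX11 yes
    ForwardX11Trusted yes

Host backup
    ForwardX11 no

Host *
    ForwardX11Trusted no
"""

def host_matches(patterns, host):
    # A Host line applies if a positive pattern matches and no negated one does.
    hit = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(host, p[1:]):
                return False
        elif fnmatch.fnmatchcase(host, p):
            hit = True
    return hit

def effective(config_text, host):
    # ssh_config(5): for each parameter, the first obtained value is used.
    active, found = True, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key=value" is also legal
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False  # simplification: Match conditions are not evaluated
        elif active and key in KEYS and args and key not in found:
            found[key] = args[0].lower()
    return found

def x11_exposure(config_text, host):
    opts = effective(config_text, host)
    if opts.get("forwardx11") != "yes":  # ForwardX11 defaults to no
        return "off"
    trusted = opts.get("forwardx11trusted")
    return "trust-unset" if trusted is None else ("trusted" if trusted == "yes" else "untrusted")
```

Hosts that come back as "trusted" are the ones where the remote side is given full access to the local X display.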