[ On Monday, July 30, 2001 at 07:17:55 (-0500), Tony Mantler wrote: ]
> Subject: Re: I hate xauth
>
> I rarely if ever connect to systems that are either A: multi-user or B:
> even remotely untrusted,

Do you understand how trust propagates implicitly by your act of
trusting a remote host, especially when you're running the likes of X11?

Even with plain old SSH with all forwarding disabled on both ends, you
must still trust both the client and server hosts, and the server admin
must trust not just you, but also your ability to run a secure client
host since if you can't then there's literally no way for the server
admin to trust you since you might not be the one in direct control of
the data stream SSH is sending to the server, and you might not see
everything the server is sending back to you.

Use of SSH does not itself imply everything's secure -- SSH just offers
a way of protecting the data crossing a public or semi-public network
between two more or less equally trusted hosts.  You must still ensure
that all your hosts, clients and servers, are as secure as you need them
to be.  (In general I'd guess that the SSH-2 protocol provides at least
an order of magnitude more network security than any host it's commonly
used with.  :-)

If you trust your local client system then you must not ever connect it
with SSH to any remote host that's even vaguely less trusted than your
local client.  You must certainly never allow any less trusted client to
connect to it as a server either!

Note that this all means if either host is not multi-user (i.e. does not
have a deeply embedded core mechanism in the OS to maintain the identity
of user actions and data, as well as offering protection mechanisms for
the user processes and data), then you have to be very very very careful
about what uses you make of that system to ensure that it is kept as
secure as any other system it is connected to.

> so xauth authentication really just gets in my way
> for me, and I'd like to be able to turn it off.

I've never had any problems with SSH setting up xauth authentication for
my remote X11 clients.  It just works.  It's so clean and simple and
automatic that I can't even quite imagine doing it any other way any more!

> --
> Tony "Nicoya" Mantler - Renaissance Nerd Extraordinaire - [EMAIL PROTECTED]
> Winnipeg, Manitoba, Canada           --           http://nicoya.feline.pp.se/

Now those three places are really a long way apart from each other!  ;-)

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>     <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>;   Secrets of the Weird <[EMAIL PROTECTED]>
