On Sun, 14 Jul 2002, Andreas Ehliar wrote:

> I don't know exactly how the Security-extension works, but it would be
> nice if you could tunnel X over ssh without worrying about whether the
> security of the remote machine has been compromised. Right now such a
> tunnel could easily be used to eavesdrop on your keyboard for example.

Sorry for the delay...

About two months ago I started working on an X extension to handle ssh tunneled connections in a "better" (safer) way.

<ot>
BTW, I'm *not* an XFree86 hacker and don't know XFree86 internals in great detail. Just some random guy that happens to write some code once in a while.
</ot>

I have a somewhat working prototype on my HD. I'll probably release it around September / October, unless someone is really *really* interested and can't wait.

The current XFree (with the Security extension) and ssh are affected by the following problems:

- In ssh you have to set ForwardX11 to 'yes' or 'no'. It's all-or-nothing.

- To reduce the powers of remote clients, using the Security extension you can create an untrusted MIT-MAGIC-COOKIE: see xauth and the 'untrusted' option. It is possible, with some trick, to make ssh use that cookie. In that case remote clients have restricted access to the X server. The access policy is quite fixed by the server: the only aspect that can be configured (AFAIK) is the access to window properties via the SecurityPolicy file. Moreover, if you use the 'untrusted' cookie, expect most current applications to die with BadAccess errors sooner or later.

> Could the Security-extension be used to improve this?

The point above is actually an improvement from the point of view of security: i.e., misbehaving clients are stopped with BadAccess errors. However, the bad news is that most clients are misbehaving.

In my current prototype, misbehaving clients are not sent a BadAccess error. Instead, the clients are put on hold and a special client (the "supervisor" client) is notified. The supervisor can judge whether the client request is ok or not (currently it simply prompts the user with a yes/no dialog). On approval, the request is executed and the client proceeds smoothly. On rejection, the client is sent a BadAccess error.

The performance loss is negligible (IMHO) since only suspicious requests from 'untrusted' clients (i.e. those which currently would generate BadAccess errors) cause the "hold / notify the supervisor / handle judgement" process.

I also have a small patch to OpenSSH that lets you choose between X11Forward = yes, trusted / yes, untrusted / no.

If anyone is interested in this small project, please contact me. I don't think, however, that it will ever be integrated in XFree86. That is, unless someone involved with the project wants it. I'll probably distribute the extension as a patch to XFree86.

Bye,
Zun.
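
A toy model of the "hold / notify the supervisor / handle judgement" flow described in the message above, added here as an illustration; it is not the author's prototype and not XFree86 code. The request labels, the `clipboard_only` policy and the fail-closed behaviour when no supervisor is attached are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model only: every name here is hypothetical, nothing is XFree86 API. */
enum verdict { EXECUTED, BAD_ACCESS };

struct request {
    bool untrusted;     /* client authenticated with an 'untrusted' cookie */
    bool restricted;    /* stock server would refuse this to untrusted clients */
    const char *label;  /* constructed description shown to the supervisor */
};

/* Supervisor callback: true = approve. Stands in for the yes/no dialog. */
typedef bool (*supervisor_fn)(const struct request *);

static int supervisor_calls;  /* number of requests that were actually held */

enum verdict dispatch(const struct request *r, supervisor_fn supervisor)
{
    /* Fast path: trusted clients and harmless requests are never held. */
    if (!r->untrusted || !r->restricted)
        return EXECUTED;
    /* Assumption: no supervisor attached means fail closed (BadAccess). */
    if (supervisor == NULL)
        return BAD_ACCESS;
    supervisor_calls++;  /* the client is on hold while the supervisor decides */
    return supervisor(r) ? EXECUTED : BAD_ACCESS;
}

/* Constructed policy: approve clipboard access, reject everything else. */
bool clipboard_only(const struct request *r)
{
    return strcmp(r->label, "clipboard access") == 0;
}

int main(void)
{
    const struct request session[] = {  /* constructed sample session */
        { false, true,  "keyboard access" },     /* trusted: not checked */
        { true,  false, "draw in own window" },  /* harmless: not held */
        { true,  true,  "clipboard access" },    /* held, approved */
        { true,  true,  "keyboard access" },     /* held, rejected */
    };
    for (size_t i = 0; i < sizeof session / sizeof session[0]; i++)
        printf("%-20s -> %s\n", session[i].label,
               dispatch(&session[i], clipboard_only) == EXECUTED
                   ? "executed" : "BadAccess");
    printf("supervisor consulted %d times\n", supervisor_calls);
    return 0;
}
```

Only the two restricted requests from the untrusted client reach the supervisor, which is the basis of the message's point about negligible performance loss.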
