Date: Wed, 20 Mar 2002 14:00:38 -0500 From: "Peter C. Lai" <sirmoo@cowbert.2y.net> To: cjohnson@palomine.net Cc: security@FreeBSD.ORG Subject: Re: Safe SSH logins from public, untrusted Windows computers Message-ID: <20020320140038.B17139@cowbert.2y.net> In-Reply-To: <85adt3uwxn.fsf@stiegl.niksun.com>; from ath@niksun.com on Wed, Mar 20, 2002 at 09:37:56AM -0500 References: <20020319144538.A42969@palomine.net> <20020319131408.C324@ophiuchus.kazrak.com> <20020319152125.F43336@palomine.net> <85adt3uwxn.fsf@stiegl.niksun.com>
next in thread | previous in thread | raw e-mail | index | archive | help
When considering the use of the Java SSH Client on your ssh server, make sure that you use an unsigned applet. Unsigned applets are untrusted by the system, and so, when it is loaded, the JVM sandbox will: 1. prevent any cached copies of your host keys on the filesystem 2. prevent other applications from talking to your applet, and vice-versa 3. prevent the applet from connecting to any ssh server other than the one that served the applet (I dunno if this is a sandbox feature or one that is coded into MindTerm). I haven't seen a trojan for win32 JVMs in nutscrape and IE that defeats the sandboxes (yet), although as has been stated before, you're still screwed if you have a backdoor that takes control of the keyboard DLL and intercepts all keystrokes. -- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020320140038.B17139>