From owner-freebsd-hackers Tue Apr 23 1:15:22 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mail1.home.nl (mail1.home.nl [213.51.129.225]) by hub.freebsd.org (Postfix) with ESMTP id 395E837B405; Tue, 23 Apr 2002 01:15:09 -0700 (PDT)
Received: from lisa.CC40670-a.groni1.gr.nl.home.com ([217.123.110.189]) by mail1.home.nl (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20020423080953.MIVZ1365.mail1.home.nl@lisa.CC40670-a.groni1.gr.nl.home.com>; Tue, 23 Apr 2002 10:09:53 +0200
Content-Type: text/plain; charset="iso-8859-1"
From: Jochem Kossen
To: "Greg 'groggy' Lehey"
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Date: Tue, 23 Apr 2002 10:09:51 +0200
X-Mailer: KMail [version 1.4]
References: <11670.1019530386@winston.freebsd.org> <20020423131646.I6425@wantadilla.lemis.com>
In-Reply-To: <20020423131646.I6425@wantadilla.lemis.com>
Cc: hackers@FreeBSD.ORG
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-Id: <200204231009.51297.j.kossen@home.nl>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tuesday 23 April 2002 05:46, Greg 'groggy' Lehey wrote:
> On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
> >> That fix relies on the extensive PAM updates in -CURRENT however;
> >> in -STABLE it can probably be similarly replicated via appropriate
> >> tweaking of sshd (?).
> >
> > Why not fix it in stable by the very simple tweaking of the
> > ChallengeResponseAuthentication to no in the sshd config file we
> > ship. Trust me, this question is going to come up a _lot_ for us
> > otherwise. :(
>
> I've been noticing a continuing trend for more and more "safe"
> configurations the default.
> I spent half a day recently trying to find why I could no longer open
> windows on my X display, only to discover that somebody had turned off
> tcp connections by default.

*shrug* I was the one who sent in the patch. It was added some time
around 2001/10/26 to the XFree86-4 megaport. When the metaport was
created, the patch was incorporated too.

A simple 'man startx' should have cleared your mind:

    Except for the '-listen_tcp' option, arguments immediately following
    the startx command are used to start a client in the same manner as
    xinit(1). The '-listen_tcp' option of startx enables the TCP/IP
    transport type which is needed for remote X displays. This is
    disabled by default for security reasons.

> I have a problem with this, and as you imply, so will a lot of other
> people. As a result of this sort of thing, people trying to migrate
> from other systems will probably just give up. I certainly would
> have. While it's a laudable aim to have a secure system, you have to
> be able to use it too. I'd suggest that we do the following:
>
> 1. Give the user the choice of these additional features at
> installation time. Recommend the procedures, but explain that
> you need to understand the differences.
>
> 2. Document these things very well. Both this ssh change and the X
> without TCP change are confusing. If three core team members
> were surprised, it's going to surprise the end user a whole lot more.
> We should at least have had a HEADS UP, and we probably need a
> security policy document with the distributions.

I'd agree with option 2. Except that people trying to use X with tcp
connections probably won't look in the security policy document for a
solution. In the case of the X patch, I'd add it to the release notes
AND the security policy document, since - I think - few people will
look in the security policy document for such a problem.

I do have to say you're the first one I see who complains about this...
Jochem
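The sshd_config tweak Jordan proposes in the quoted text (ChallengeResponseAuthentication set to no) is a one-line change, but whether it is actually in force depends on how OpenSSH reads the file: keywords are matched case-insensitively, the first occurrence of a keyword wins and later duplicates are ignored, and a keyword that is absent or only present as a comment falls back to the built-in default (yes for this keyword). The script below is an added example written for this archive page, not code from the thread, from FreeBSD or from OpenSSH; it builds two constructed sample files (a shipped-style one with the keyword commented out, and a hardened one with a stray duplicate line) and reports the effective value for each so the difference is visible before the daemon is restarted.

```shell
#!/bin/sh
# Added example (not code from the thread, FreeBSD or OpenSSH): report the
# effective value of an sshd_config keyword the way OpenSSH resolves it.
#   - keywords are matched case-insensitively
#   - the first occurrence of a keyword wins; later duplicates are ignored
#   - a keyword that is absent or commented out takes the built-in default
# Usage: effective_sshd_option <config-file> <keyword> <builtin-default>
effective_sshd_option() {
    cfg=$1; key=$2; dflt=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comment or blank line
        tolower($1) == tolower(k) { print $2; exit }  # first match wins
    ' "$cfg")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$dflt"
    fi
}

# Write two constructed sample files into a fresh temp directory and print
# its path. These are illustrations, not the sshd_config FreeBSD ships.
make_samples() {
    dir=$(mktemp -d) || return 1
    # Shipped-style file: the keyword is only present as a comment, so the
    # OpenSSH built-in default ("yes") applies.
    cat > "$dir/sshd_config.default" <<'EOF'
# Default sshd_config (constructed sample)
#ChallengeResponseAuthentication yes
PermitRootLogin no
EOF
    # Hardened file with the proposed tweak; the later duplicate line is
    # ignored because the first occurrence wins, and the keyword's case
    # does not matter.
    cat > "$dir/sshd_config.hardened" <<'EOF'
# Hardened sshd_config (constructed sample)
challengeresponseauthentication no
ChallengeResponseAuthentication yes
PermitRootLogin no
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: show the effective setting for both samples.
samples=$(make_samples)
for f in default hardened; do
    printf '%-9s ChallengeResponseAuthentication = %s\n' "$f" \
        "$(effective_sshd_option "$samples/sshd_config.$f" \
             ChallengeResponseAuthentication yes)"
done
```

Run it against a real file with `effective_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes`; the awk program only reads the file, so it is safe to use on a live system before deciding whether the one-line change is needed.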