From owner-freebsd-hackers Tue Apr 23 3:21:15 2002
Date: Tue, 23 Apr 2002 22:20:58 +1200
From: Joerg Micheel
To: Neil Blakey-Milner
Cc: "Greg 'groggy' Lehey", Jochem Kossen, hackers@freebsd.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID: <20020423222058.B57646@cs.waikato.ac.nz>
References: <11670.1019530386@winston.freebsd.org> <20020423131646.I6425@wantadilla.lemis.com> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <20020423211359.D48271@cs.waikato.ac.nz> <20020423093826.GA58411@mithrandr.moria.org>
In-Reply-To: <20020423093826.GA58411@mithrandr.moria.org>; from nbm@mithrandr.moria.org on Tue, Apr 23, 2002 at 11:38:26AM +0200

On Tue, Apr 23, 2002 at 11:38:26AM +0200, Neil Blakey-Milner wrote:
> There are people who will tell people that still use X11 tcp sockets to
> start living in the 21st century. ssh X11 forwarding still works, it's
> only the (often much lower security) tcp sockets that are disabled by
> default. (And if the "none" cipher is available, the overhead would be
> minimal for even the most underpowered machine.)

I may not understand all the issues here, but can the situation be
helped by improving the reporting? I.e. if the firewalling prohibits
access to the X11 TCP socket, why would the firewall not report this
instantly at the first attempt to connect, to be visible at the console
and in /var/log/messages? I am sure Greg would have caught that first
time around, and it would have saved him from a few hours of useless
debugging time.

Joerg
--
Joerg B. Micheel                        Email:
WAND and NLANR MOAT                     Email:
The University of Waikato, CompScience  Phone: +64 7 8384794
Private Bag 3105                        Fax: +64 7 8585095
Hamilton, New Zealand                   Plan: PMA, TINE and the DAG's