From owner-freebsd-hackers Tue Apr 23 3:49:19 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from gull.prod.itd.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84]) by hub.freebsd.org (Postfix) with ESMTP id 5BEB437B400; Tue, 23 Apr 2002 03:49:12 -0700 (PDT)
Received: from pool0061.cvx21-bradley.dialup.earthlink.net ([209.179.192.61] helo=mindspring.com) by gull.prod.itd.earthlink.net with esmtp (Exim 3.33 #2) id 16zxqu-0003Dp-00; Tue, 23 Apr 2002 03:48:52 -0700
Message-ID: <3CC53BF7.EC99574F@mindspring.com>
Date: Tue, 23 Apr 2002 03:48:23 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Neil Blakey-Milner
Cc: Joerg Micheel, Greg 'groggy' Lehey, Jochem Kossen, hackers@freebsd.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
References: <11670.1019530386@winston.freebsd.org> <20020423131646.I6425@wantadilla.lemis.com> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <20020423211359.D48271@cs.waikato.ac.nz> <20020423093826.GA58411@mithrandr.moria.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Neil Blakey-Milner wrote:
> > The system has to work right away, when installed out of the box. Period.
> > No when's and if's. And don't tell me that X11 is an add-on and luxury.
> > We are living in the 21st century.
>
> There are people who will tell people that still use X11 tcp sockets to
> start living in the 21st century. ssh X11 forwarding still works, it's
> only the (often much lower security) tcp sockets that are disabled by
> default. (And if the "none" cipher is available, the overhead would be
> minimal for even the most underpowered machine.)
I agree that X11 isn't very forward looking; it'd be nice if the displays were themselves CORBA objects, so you could embed desktops to use any display technology you wanted, so that you could build a desktop compute server for 1000 users without eating 11G of RAM to do it. Until someone writes that though...

It'd be nice if the ssh X11 forwarding were not the preferred method of remote access to X11. Particularly since I haven't seen any fixes for the MIT shared memory extension going in to stop the inevitable shared memory leaks by Netscape, etc., or anything else that uses it for bitmaps, and is long running, so the resources get used up and never reclaimed.

Disabling the workaround -- which is to use network connections, instead of using the UNIX domain socket, thereby disabling the library's use of the shared memory extension -- isn't my idea of a good approach. All it does is exacerbate the problem, for questionable security ("not listening" is not the same thing as having a firewall, so if TCP is vulnerable for X11, then it's vulnerable for every other port that *is* listening).

Forget Debian, what does OpenBSD do? It's the gold standard when it comes to anal default settings.

-- Terry
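The three things argued over above (whether the X server is reachable over TCP at all, whether sshd permits X11 forwarding, and whether MIT-SHM segments get orphaned and never reclaimed) can each be checked from a shell. The script below is an added example written for this archive, not code from the thread, from FreeBSD or from OpenSSH. Each function reads command output on stdin, so it runs on live output (`sockstat -4l | x11_tcp_listeners`) or on a captured copy. It assumes the FreeBSD sockstat(1) column order, that sshd_config keywords are case-insensitive and that sshd keeps the first value it meets for a keyword, and that the ipcs(1) output carries a header naming a NATTCH column (the column is located by name, so the exact layout may differ). The sample outputs embedded at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added audit helpers; not code from the thread, from FreeBSD or from OpenSSH.
# Every function reads command output on stdin.

# Lines from sockstat(1) where a process listens on an X display port
# (6000 + display number, displays 0..63). Assumes the FreeBSD sockstat
# column order USER COMMAND PID FD PROTO LOCAL FOREIGN; the header is skipped.
x11_tcp_listeners() {
    awk 'NR > 1 && NF >= 6 {
        n = split($6, a, ":"); port = a[n] + 0
        if (a[n] ~ /^[0-9]+$/ && port >= 6000 && port <= 6063) print
    }'
}

# Prints "yes" if the sshd_config text on stdin enables X11Forwarding,
# otherwise "no" (the compiled-in default). sshd keeps the FIRST value it
# meets for a keyword and matches keywords case-insensitively, so the first
# uncommented match decides; "#X11Forwarding no" never matches because the
# first field is "#X11Forwarding".
sshd_x11_forwarding() {
    awk 'tolower($1) == "x11forwarding" { v = $2; exit }
         END { print (v == "yes") ? "yes" : "no" }'
}

# SysV shared memory segments nobody is attached to (nattch == 0): the
# leftover an MIT-SHM client leaves when it exits without detaching, which
# is the leak the message above complains about. Assumes ipcs(1) output
# whose header names a NATTCH column (e.g. `ipcs -m` on Linux, assumed
# `ipcs -m -a` on FreeBSD); the column index is found by name.
orphaned_shm_segments() {
    awk '
        col == 0 { for (i = 1; i <= NF; i++) if (tolower($i) == "nattch") col = i; next }
        NF >= col && $col == 0 { print }
    '
}

# ---- constructed sample data (not captured from a real host) ----
SAMPLE_SOCKSTAT=$(cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xorg       812   3  tcp4   *:6000                *:*
root     sshd       654   4  tcp4   *:22                  *:*
alice    Xorg       901   5  tcp4   127.0.0.1:6001        *:*
EOF
)

# Commented default is ignored; the first live directive wins.
SAMPLE_SSHD=$(cat <<'EOF'
#X11Forwarding no
X11Forwarding yes
X11Forwarding no
EOF
)

# Same keywords in the other order: first value is "no", so forwarding is off.
SAMPLE_SSHD_OFF=$(cat <<'EOF'
X11Forwarding no
X11Forwarding yes
EOF
)

SAMPLE_IPCS=$(cat <<'EOF'
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      alice      600        4194304    0          dest
0x00000000 98304      alice      600        16777216   2
0x00000000 131072     bob        600        8388608    0
EOF
)

# Stand-alone demonstration on the constructed samples.
printf '== X servers listening on TCP ==\n'
printf '%s\n' "$SAMPLE_SOCKSTAT" | x11_tcp_listeners
printf '== sshd X11Forwarding: %s ==\n' "$(printf '%s\n' "$SAMPLE_SSHD" | sshd_x11_forwarding)"
printf '== shared memory segments with no attached process ==\n'
printf '%s\n' "$SAMPLE_IPCS" | orphaned_shm_segments
```

On a live host, an empty result from `x11_tcp_listeners` only says the X server is not listening on TCP; as the message points out, that is not the same as filtering the port, so it belongs alongside the firewall rules, not in place of them. Orphaned segments reported by `orphaned_shm_segments` can be inspected with `ipcs -m` and, once their creator is confirmed gone, removed with `ipcrm`.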