Date:      Tue, 23 Apr 2002 03:48:23 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Neil Blakey-Milner <nbm@mithrandr.moria.org>
Cc:        Joerg Micheel <joerg@cs.waikato.ac.nz>, Greg 'groggy' Lehey <grog@freebsd.org>, Jochem Kossen <j.kossen@home.nl>, hackers@freebsd.org
Subject:   Re: Security through obscurity? (was: ssh + compiled-in SKEY support  considered harmful?)
Message-ID:  <3CC53BF7.EC99574F@mindspring.com>
References:  <rwatson@FreeBSD.ORG> <11670.1019530386@winston.freebsd.org> <20020423131646.I6425@wantadilla.lemis.com> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <20020423211359.D48271@cs.waikato.ac.nz> <20020423093826.GA58411@mithrandr.moria.org>

Neil Blakey-Milner wrote:
> > The system has to work right away, when installed out of the box. Period.
> > No when's and if's. And don't tell me that X11 is an add-on and luxury.
> > We are living in the 21st century.
> 
> There are people who will tell people that still use X11 tcp sockets to
> start living in the 21st century.  ssh X11 forwarding still works, it's
> only the (often much lower security) tcp sockets that are disabled by
> default.  (And if the "none" cipher is available, the overhead would be
> minimal for even the most underpowered machine.)
I agree that X11 isn't very forward looking; it'd be nice if
the displays were themselves CORBA objects, so you could
embed desktops to use any display technology you wanted, so
that you could build a desktop compute server for 1000 users
without eating 11G of RAM to do it.

Until someone writes that though...

It'd be nice if the ssh X11 forwarding were not the preferred
method of remote access to X11.  Particularly since I haven't
seen any fixes for the MIT shared memory extension going in to
stop the inevitable shared memory leaks by Netscape, etc., or
anything else that uses it for bitmaps, and is long running, so
the resources get used up and never reclaimed.

Disabling the workaround -- which is to use network connections,
instead of using the UNIX domain socket, thereby disabling the
library's use of the shared memory extension -- isn't my idea of
a good approach.  All it does is exacerbate the problem, for
questionable security ("not listening" is not the same thing as
having a firewall, so if TCP is vulnerable for X11, then it's
vulnerable for every other port that *is* listening).

Forget Debian, what does OpenBSD do?  It's the gold standard
when it comes to anal default settings.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message