Subject: Re: ssh proxy for fwtk
From: girsch @ marben . com (Arnaud Girsch)
Date: Thu, 5 Jun 1997 18:34:53 -0700 (PDT)
To: benedikt @ devnull . ruhr . de (Benedikt Stockebrand)
Cc: girsch @ marben . com, pnash @ hanshan . bbnplanet . com, don @ genroco . com, jpm @ marben . be, ark @ paranoid . convey . ru, tobotras @ jet . msk . su, fwtk-users @ tis . com, firewalls @ GreatCircle . COM, ylo @ cs . hut . fi
In-reply-to: <87k9kbfz28 . fsf @ devnull . ruhr . de> from "Benedikt Stockebrand" at Jun 3, 97 06:09:35 pm

> girsch @ marben . com (Arnaud Girsch) writes:
>
>> For example, you probably restrict X because you think that X is never secure
>> and can be abused, etc ... Giving access to X within a ssh tunnel protects
>> against most of the X problems, so why not give X access then?
>
> I'm not sure, but what about this one: If the remote machine has been
> hacked, then X forwarding can be more of a problem than help. If the
> remote sshd (or /bin/*sh or whatever) has been modified to use that X
> forwarding they're just about right in your local machine. And you
> can't even tell because you'd need your local user's private key to
> decrypt things to analyze them.
>
> Anyone know more about this?
>
In any case, SSH is based on a double trust of both hosts. If one of the hosts
is compromised, you might be exposed to break-ins.
Arnaud.
--
Arnaud Girsch -+- Marben Products, Inc. / DSET Corporation - San Jose, CA
agirsch @ marben . com -+- http://www.marben.com/ -+- http://www.dset.com/