[FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'"

Kurt Pfeifle k1pfeifle at gmx.net
Tue Oct 19 17:51:05 UTC 2004


On Tuesday 19 October 2004 19:18, Rick Stout wrote:
> Kurt Pfeifle wrote:
> > On Tuesday 19 October 2004 17:49, Rick Stout wrote:

> >>It's never a good idea to use default
> >>security settings, and a dsa key that gives you access to a server is 
> >>definitely not a good idea.
> > 
> > 
> > Please!! This isn't giving you access to a "server". That's how FUD 
> > is originating (even if you don't intend it, Rick!)-- It gives you 
> > access to a *login prompt* (where you still have to know the username
> > and password to get in).
> > 
> > 
> My thinking is this: (No FUD intended, Darl isn't around...)

Uhmmm... you never know!  ;-)   ;-)

> Exploit found (whether it be in (free)NX or SSH). Allows anyone to 
> connect to a machine running (free)NX as long as they have the key. That 
> would basically mean any computer with the nomachine key is compromised. 

Yes -- and it very likely would mean that a lot *more*
computers without the nomachine-key running (and even 
without NX running) are also compromised by the same 
exploit.

> Forcing users to create a key would help with that.

You force each NX server admin to create their unique key
(and maybe apply one common key to each of the NX servers 
under their command) and force each user to install a key
(possibly for each NX server they want (or are forced) to
connect to), and you create an administrative overhead (and
troubleshooting) for this. You are trading a bit more 
security for a bit more work and worse usability...

That's fine (don't misunderstand me here, please) -- it
is *your* choice to do so. But please don't remove the 
options from others to choose differently (after they
have been made aware of the implications). Don't force
your personal choice (how you weigh security against
comfort and usability) onto the general public of current
NX users.

Regarding your other suggestion about improving the !M
NX and the kNX Client GUIs so that they make handling
of different key pairs easy to users: I believe this is
a very good idea -- and, in fact, this has already been 
discussed for the kNX client (no code yet). Also, if I 
am not mistaken, similar plans do also exist on the !M 
side of this project. So it might not be even very long 
before we see it materialize....

[....]

> > You've written some great documents about (Free)NX already, Rick.
> > Maybe you could be teased to go for another one?
> 
> Let me see what I can come up with. "Rick's Master guide to NX, SSH and 
> the keys that bind them"... hehehehe

;-)

Cheers,
Kurt


