NX Security (was [FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'")

Tue Oct 19 22:02:00 UTC 2004

On Tue, Oct 19, 2004 at 06:59:17PM +0200, Kurt Pfeifle wrote:
> A considerable number of people think that the "--setup-nomachine-key"
> makes their NX server a tad bit less secure. OTOH, it also makes its
> use a bit more comfortable. Security and comfort are here, as always,
> two goals that are not easy to meet at the same time. It is up to you
> to decide what you want to do. The FreeNX default is to not use the 
> "--setup-nomachine-key" automatically, but only if you request it by
> explicitely typing it in.

> Please!! This isn't giving you access to a "server". That's how FUD 
> is originating (even if you don't intend it, Rick!)-- It gives you 
> access to a *login prompt* (where you still have to know the username
> and password to get in).

Correct me if I'm wrong, but I'd say a fair analysis of the security
situation is as follows:

The setup shares SSH's transport mechanism, therefore provided one
always uses "ssl encryption", and provided it functions as I've been
lead to believe it does, one is dealing with just SSH here.

However, it almost completely bypasses SSH's authentication mechanism.
This means that any exploit in nxserver/freenx is exploitable by anyone
with the NX user's key, a set of people which may range from effectively
everyone in the case where the nomachine key is used, to only trusted
users in the case where the key was tightly controlled and no one ever
used it from an untrusted machine and it never leaked in other ways.

A compromise of freenx in this fashion would give you a local,
restricted shell account. However in addition to being able to turn
around and apply a local root exploit, you also have the quite useful
capability to monitor all the cleartext passwords of people trying to
log in using nx sessions, as well as all their keystrokes (and hence
even more passwords), again without the need for a local root exploit.

Finally, one very important detail is that sshd allows things like
unrestricted port forwarding to anyone who can log in, a problem that
anonymous CVS over ssh and various other services deal with by disabling
it altogether. However, while no one replied to my email on the subject,
I would not be surprised if NX relies on this behaviour being enabled
for the nx user in order to function.

If that is the case then installing NX means that you're turning your
computer into an anonymous relay (spamming, covering one's tracks when
breaking into further systems, etc) for anyone with your nx key. No
exploit of freenx required.

All in all, this NX server stuff is far from the unmitigated security
disaster it seems to have been painted as by some, but I personally
would be disinclined to trust it until it has been documented in detail
and looked over by people more knowledgable than myself. Especially in
the case of freenx, since it's virtually impossible to safely handle
untrusted data in a shell script, as they try to do.