NX Security (was [FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'")

Kurt Pfeifle k1pfeifle at gmx.net
Wed Oct 20 02:17:16 UTC 2004 

On Wednesday 20 October 2004 02:43, freenx at mikebell.org wrote:

> On Wed, Oct 20, 2004 at 02:02:00AM +0200, Kurt Pfeifle wrote:
> > Which "SSL forwarding features"??
> 
> Apologies, tunneling. The feature which does not use an unencrypted
> connection for the NX data,

If you dont use an unencrypted connection, you use an encrypted one.

If you use an encrypted one, everything goes through Port 22 (or which
ever you chose to let your sshd listen at). Note, that it is always the
system's builtin and configured sshd which NX and NX clients contact 
for connection. Note, that this sshd may or may not be configured to
allow port forwarding for any logged in user -- be there NX installed 
or be there NX banned from it.

> the exact details of whose operation I have 
> been trying to ascertain.

[....]

> Finally, I'd like to point out that while that news post you pointed out
> does say the problem with ssh forwarding has been fixed as of about 2
> months ago, that necessarily implies that everyone running the software
> BEFORE that point was open to be used as an anonymous relay for any TCP
> traffic someone with their host key might desire.

Please stop this now. 

What you now turn to is mere uninformed trolling. 

Come back after you learned more, or draw the conclusion that "NX is not 
for me".

When you say that the previously quoted NX release notes "necessarily 
imply" that "the host key" allowed "everyone" to use an NX server as
an anonymous relay for "any TCP traffic" then this is an outright lie,
and you are the liar. I'll retract that statement only after you have
proofed me how "everyone" could, under the previous NX versions, abuse
a publically accessible NX server as such a relay, with just the "nx"
key and no real user NX account at his disposal.

So you are a very cautious guy, huh? Good. 

So you ask 3 times, think 4 times loud, speculate about dangers 5 times 
aloud and ask 6 times, before you let a new "server" software come near 
your darn hardware (even if it where in an isolated-from-the-internet-LAN 
environment). Also good. 

So you would trust *me* if I came up with a well-written document that
answered your items blow-for-blow? Bad.

Who am I that you would trust me and my judgement??

If you can't take a few steps yourself now and look at things as where 
proposed to you, you are in a dilemma. Better stay away from that 
suspicious thing then.

> Maybe that was the 
> only such problem with NX, but one should never need more reason than this
> to be at least a little suspicious! And it most assuredly proves without
> a shadow of a doubt that NX does /not/ simply have the security of ssh!
> Since merely running ssh only my system does not leave my vulnerable to
> such exploitation, NX has introduced a new vector of attack on my
> system, at least for anyone possessing the host key in question.

Again not true. You admittedly haven't installed it on your system 
currently, nor you ever had it. And you are free to keep it that way. 

You are also free to continue thinking, talking and speculating about 
something you admittedly don't know enough about nor you have ever seen 
with your own eyes. Bot do this somewhere else please.

You know what? NoMachine have, since 18 months, a publically accessible
"testdrive" NX server exposed to the Internet. They invite everyone to 
get themselves an account there, and they hand it out very generously, 
without asking for your passport or ID or CV. Chances are, that you'll 
get assigned username test9999 soonish, if you apply now. So several 
thousand of different people have accessed this host already....

You can ask the !M folks how many DoS attacks or take-over attempts
they have watched already, and are continuing to watch. You can ask 
them if there is a frequency for trying to break in there on an 

 a) hourly, 
 b) daily, 
 c) weekly, 
 d) monthly or 
 e) rather an annual basis...

You are also free to not ask, but just guess (again). My advice: go 
with your guesses for the more frequent figures! But stop lying. 

And start again asking here, or arguing, *after* you are tainted with 
some atoms of actual NX testruns. Or stay out of here. But in any
case, stop wasting other people's time.

More information about the FreeNX-kNX mailing list