[FreeNX-kNX] FreeNX Security Model Challenge

Benjamin Podszun ben at galactic-tales.de
Tue Jul 12 11:56:11 UTC 2005


Paul van der Vlis wrote:
> Fabian Franz schreef:
> 
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Am Mittwoch, 15. Juni 2005 11:08 schrieb Paul van der Vlis:
>>
>>
>>>>This key is used to establish an initial secure tunnel, over which in
>>>>the next stage the real login of the user, with his real (and hopefully
>>>>kept secret by him!) credentials happens.
>>>
>>>By FreeNX, not by SSH. As a "stupid user", you maybe think you have SSH
>>>security because only port 22 is open.
>>
>>
>>This is correct.
>>
>>
>>
>>>>So it is a gross missrepresentation to paint the "--setup-nomachine-key"
>>>>option as a "not really secure" one. It *IS* secure.
>>>
>>>It opens a door with a very secure lock (SSH) to a door with a less
>>>tested lock (FreeNX).

*snip*

> When you use your own keypair and not the default nomachine-key I do not
> see a security-point. Or do I miss something?

I only kept the relevant parts.. The _problem_ with the nomachine key 
is: Everyone has access to them, they are part of the NX distribution. 
So if you use your private keypair it's _not_ the same, because to hack 
away on your NX server I'd first need to steal your keys, right?
If you use the one distributed for all interested people that download 
any NX package, SSH's security is disabled in regard of access control. 
I can start an SSH connection to your NX server right away and play with 
the NX protocol. You generously give open the front door and trust, that 
I won't be able to open the door to your freezer.. ;-)

Regards,
Ben



More information about the FreeNX-kNX mailing list