[FreeNX-kNX] FreeNX Security Model Challenge
Benjamin Podszun
ben at galactic-tales.de
Tue Jul 12 11:56:11 UTC 2005
Paul van der Vlis wrote:
> Fabian Franz wrote:
>
>>On Wednesday, 15 June 2005 11:08, Paul van der Vlis wrote:
>>
>>
>>>>This key is used to establish an initial secure tunnel, over which in
>>>>the next stage the real login of the user, with his real (and hopefully
>>>>kept secret by him!) credentials happens.
>>>
>>>By FreeNX, not by SSH. As a "stupid user", you maybe think you have SSH
>>>security because only port 22 is open.
>>
>>
>>This is correct.
>>
>>
>>
>>>>So it is a gross misrepresentation to paint the "--setup-nomachine-key"
>>>>option as a "not really secure" one. It *IS* secure.
>>>
>>>It opens a door with a very secure lock (SSH) to a door with a less
>>>tested lock (FreeNX).
*snip*
> When you use your own keypair and not the default nomachine-key I do not
> see a security-point. Or do I miss something?

I only kept the relevant parts.. The _problem_ with the nomachine key
is: Everyone has access to them, they are part of the NX distribution.
So if you use your private keypair it's _not_ the same, because to hack
away on your NX server I'd first need to steal your keys, right?

If you use the one distributed for all interested people that download
any NX package, SSH's security is disabled in regard to access control.
I can start an SSH connection to your NX server right away and play with
the NX protocol. You generously leave the front door open and trust that
I won't be able to open the door to your freezer.. ;-)

Regards,
Ben
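
The point made in this message, that a key shipped in every NX package gives no access control, can be checked on a server. The following is an added example, not part of the original post or of FreeNX: it reports which lines of an authorized_keys file hold a key that also appears in a publicly distributed public-key file. The file contents, key blobs and the command path are constructed placeholders.

```python
import base64
import hashlib
import re

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")
# Whitespace-separated fields; double-quoted option values (command="a b") stay whole.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|\S)+')

def key_blob(line):
    """Return the base64 key blob of a public-key / authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = FIELD.findall(line)
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):  # options, if any, come before the key type
            return fields[i + 1]
    return None

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_key_lines(authorized_keys_text, distributed_pubkey_text):
    """(line number, fingerprint) of each authorized key that is also publicly distributed."""
    blobs = map(key_blob, distributed_pubkey_text.splitlines())
    public = {fingerprint(b) for b in blobs if b}
    keys = [(n, key_blob(l)) for n, l in enumerate(authorized_keys_text.splitlines(), 1)]
    return [(n, fingerprint(b)) for n, b in keys if b and fingerprint(b) in public]

# Constructed sample data: the blobs are placeholders, not real keys.
SHARED = base64.b64encode(b"stand-in for the key shipped in the package").decode()
OWN = base64.b64encode(b"stand-in for a key generated on site").decode()
DISTRIBUTED_PUB = f"ssh-dss {SHARED} packaged-default\n"
AUTHORIZED_KEYS = (
    "# constructed sample\n"
    f'no-port-forwarding,command="/placeholder/helper --arg" ssh-dss {SHARED} nx\n'
    f"ssh-rsa {OWN} admin's own key\n"
)

if __name__ == "__main__":
    for n, fp in shared_key_lines(AUTHORIZED_KEYS, DISTRIBUTED_PUB):
        print(f"line {n}: {fp} matches the publicly distributed key")
```

Any line it reports is reachable over SSH by anyone who has downloaded the package, so whatever that key is allowed to run is the only remaining barrier.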