[FreeNX-kNX] FreeNX Security Model Challenge

Kurt Pfeifle k1pfeifle at gmx.net
Tue Jul 12 14:13:02 UTC 2005


On Tuesday 12 July 2005 12:36, Paul van der Vlis wrote:
> Fabian Franz wrote:
> > 
> > On Wednesday, 15 June 2005 11:08, Paul van der Vlis wrote:
> > 
> >>>This key is used to establish an initial secure tunnel, over which in
> >>>the next stage the real login of the user, with his real (and hopefully
> >>>kept secret by him!) credentials happens.
> >>
> >>By FreeNX, not by SSH. As a "stupid user", you maybe think you have SSH
> >>security because only port 22 is open.
> > 
> > 
> > This is correct.
> > 
> > 
> >>>So it is a gross misrepresentation to paint the "--setup-nomachine-key"
> >>>option as a "not really secure" one. It *IS* secure.
> >>
> >>It opens a door with a very secure lock (SSH) to a door with a less
> >>tested lock (FreeNX).
> > 
> > 
> > Yes, but the alternative would be to do it the Microsoft way:
> > 
> > Let FreeNX run as root.
> > 
> > ... Wait, that's a bit more insecure, isn't it?
> >
> > Ok,
> > 
> > here is a challenge for you.
> > 
> > Make a concept, which is:
> > 
> > - As secure as SSH
> > 	* In FreeNX _almost_ reached.
> > 	* Key is protected from using port-forwarding / ...
> > 	* nxserver shell was audited by SuSE Security Team.
> > 
> > - Allows central secure session management
> > 	* Possible in FreeNX since day 0,5.
> > 
> > - Allows load balancing
> > 	* Possible in FreeNX 0.5.0.
> > 
> > - Allows NX sessions only (possibly via KDE KIOSK, where you never see a 
> > shell)
> > 	* Possible in FreeNX since day 0,5.
> > 
> > - Allows usage of public keys / smart cards / ... 
> > 	* I've recently proven that it's possible with the current model.
> > 
> > - Is easy to setup
> > 	* This means no Kerberos infrastructure as dependency for example.
> > 	* FreeNX is _almost_ easy to setup once you've understood the key/SSH 
> > hassles.
> > 
> > If you provide me with such an architecture, I'll upgrade FreeNX to support it 
> > asap.
> 
> When you use your own keypair and not the default nomachine-key I do not
> see a security-point. Or do I miss something?

No.

But you are discussing the same point all over. It is clear what you 
want. 

And you are free to do it the way you want. 

It was so in the past, it is so now and it will be in future. 

So where is the problem again?

(*My* problem with your reasoning was that you said the option to use
"--setup-nomachine-key" is inherently unsafe. Which it is not. I agree
with you, that using your custom keypair is a bit *more* safe.... And I
also ask you to give support, here and on the #nx IRC channel to all
those users whom you make create their own keypair, and who then do 
not know how to proceed from there. [This could include help writing 
the needed FreeNX documentation, btw.] )
 
> I think it's important to look at the weak and the strong points of an
> implementation. The strong point of using the nomachine-key is that it's
> easy to install.

And the weak point, that "it is insecure", is just not true!

> Here in Holland we say: "every advantage has its disadvantage".

We have a similar saying here.  ;-)

We also have a saying to the effect that it discourages you to
continue fustigating a dead horse, since it will not spring back to
life and run fast, no matter how big your stick is.   ;-P

Executive summary: 

 * do as you please, and do not use "--setup-nomachine-key", if
   you do not like it.

 * take note of the fact that "--setup-nomachine-key" is *not* the
   default in FreeNX.

 * stop calling "--setup-nomachine-key" inherently unsafe, 
   or be prepared to be taken up on it.

> With regards,
> Paul van der Vlis.

Cheers,
Kurt
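
The thread's claim that the key is "protected from using port-forwarding" comes down to the options on the server-side authorized_keys entry. The following is an added example, not part of the original message and not FreeNX code, that audits such entries for the standard OpenSSH restriction options. The sample entries, the key placeholders and the `/usr/bin/nxserver` forced-command path are constructed assumptions.

```python
"""Audit authorized_keys entries for forwarding restrictions (added example)."""
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
REQUIRED = ("no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding")

# Constructed sample; key material, comments and command path are placeholders.
SAMPLE = """\
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/nxserver" ssh-dss AAAAPLACEHOLDER nx@example
command="echo a, b",no-port-forwarding ssh-rsa AAAAPLACEHOLDER partial@example
ssh-rsa AAAAPLACEHOLDER unrestricted@example
"""

def split_unquoted(text, seps, maxsplit=-1):
    """Split on separator characters that are not inside double quotes."""
    parts, cur, quoted, esc = [], [], False, False
    for ch in text:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\" and quoted:
            cur.append(ch); esc = True
        elif ch == '"':
            cur.append(ch); quoted = not quoted
        elif ch in seps and not quoted and maxsplit != 0:
            parts.append("".join(cur)); cur = []; maxsplit -= 1
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def audit_line(line, expected_command=None):
    """Return findings for one entry; an empty list means it is restricted."""
    fields = split_unquoted(line.strip(), " \t", 1)
    opts = {}
    if not fields[0].startswith(KEY_TYPES):      # first field is an options list
        for item in split_unquoted(fields[0], ","):
            name, _, value = item.partition("=")
            opts[name.lower()] = value.strip('"')  # option names are case-insensitive
    findings = []
    for req in REQUIRED:
        # "restrict" (newer OpenSSH) implies every no-* option unless re-enabled
        implied = "restrict" in opts and req[3:] not in opts
        if req not in opts and not implied:
            findings.append("missing " + req)
    if expected_command and opts.get("command") != expected_command:
        findings.append("forced command is not " + expected_command)
    return findings

def audit(text, expected_command=None):
    """Map line number -> findings for every non-blank, non-comment entry."""
    return {n: audit_line(l, expected_command)
            for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")}
```
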