[FreeNX-kNX] FreeNX Security Model Challenge
Kurt Pfeifle
k1pfeifle at gmx.net
Tue Jul 12 14:36:06 UTC 2005
On Tuesday 12 July 2005 12:56, Benjamin Podszun wrote:
> Paul van der Vlis wrote:
> > Fabian Franz schreef:
> >
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>Hash: SHA1
> >>
> >>Am Mittwoch, 15. Juni 2005 11:08 schrieb Paul van der Vlis:
> >>
> >>
> >>>>This key is used to establish an initial secure tunnel, over which in
> >>>>the next stage the real login of the user, with his real (and hopefully
> >>>>kept secret by him!) credentials happens.
> >>>
> >>>By FreeNX, not by SSH. As a "stupid user", you maybe think you have SSH
> >>>security because only port 22 is open.
> >>
> >>
> >>This is correct.
> >>
> >>
> >>
> >>>>So it is a gross missrepresentation to paint the "--setup-nomachine-key"
> >>>>option as a "not really secure" one. It *IS* secure.
> >>>
> >>>It opens a door with a very secure lock (SSH) to a door with a less
> >>>tested lock (FreeNX).
>
> *snip*
>
> > When you use your own keypair and not the default nomachine-key I do not
> > see a security-point. Or do I miss something?
>
> I only kept the relevant parts..
No, you didnt.
Whoever hasnt read the previous mails in the thread is strongly
encouraged to do so now, and make up his own mind.
> The _problem_ with the nomachine key
> is: Everyone has access to them, they are part of the NX distribution.
> So if you use your private keypair it's _not_ the same, because to hack
> away on your NX server I'd first need to steal your keys, right?
Right here.
> If you use the one distributed for all interested people that download
> any NX package, SSH's security is disabled in regard of access control.
Wrong here.
> I can start an SSH connection to your NX server right away and play with
> the NX protocol.
Right here.
> You generously give open the front door and trust,
Wrong here.
The "front door" it may be....
> that
> I won't be able to open the door to your freezer.. ;-)
...but to compare the next door to get through, after the front garden
door was opened, to a freezer door is a gross mis-representation of the
facts. If you think SSL challeng<-->response authentication is unsecure,
please take the discussion to the OpenSSL-devel list, and stop it here.
[Every HTTPS-server on the net lets you come to its login dialog, no?
Does it mean HTTPS is inherently unsecure? Assume that the HTTPS server
was running as user "wwwrun" [sounds familiar, hmm?]. Are you calling
the HTTPS (SSL challenge<-->response) authentication unsecure? Assume
more, that I now introduce an additional stage of authentication: our
HTTPS clients need first to login as user "wwwrun" and they get
authenticated in this stage with pubkey SSH authentication; only after
that first stage is completed, they get access to the real user login
dialog and have, from now, in the 2nd stage of authentication, the same
challenge<-->response mechanism as before I introduced my change....
*I* would call this an additional security level, by all judgements.
You seem to take the questionable position to now call my setup an
inherent security flaw, if I decided to distribute the client pubkey
file and rely on SSL challenge<-->response for authentication --
while you do not say the same about the current HTTPS login scheme... ]
> Regards,
> Ben
Cheers,
Kurt
More information about the FreeNX-kNX
mailing list