[FreeNX-kNX] FreeNX Security Model Challenge

Benjamin Podszun ben at galactic-tales.de
Tue Jul 12 14:12:04 UTC 2005


Kurt Pfeifle wrote:
> On Tuesday 12 July 2005 12:56, Benjamin Podszun wrote:
> 
>>Paul van der Vlis wrote:
>>
>>>Fabian Franz wrote:
>>>
>>>
>>>>
>>>>On Wednesday, 15 June 2005 11:08, Paul van der Vlis wrote:
>>>>
>>>>
>>>>
>>>>>>This key is used to establish an initial secure tunnel, over which in
>>>>>>the next stage the real login of the user, with his real (and hopefully
>>>>>>kept secret by him!) credentials happens.
>>>>>
>>>>>By FreeNX, not by SSH. As a "stupid user", you maybe think you have SSH
>>>>>security because only port 22 is open.
>>>>
>>>>
>>>>This is correct.
>>>>
>>>>
>>>>
>>>>
>>>>>>So it is a gross misrepresentation to paint the "--setup-nomachine-key"
>>>>>>option as a "not really secure" one. It *IS* secure.
>>>>>
>>>>>It opens a door with a very secure lock (SSH) to a door with a less
>>>>>tested lock (FreeNX).
>>
>>*snip*
>>
>>
>>>When you use your own keypair and not the default nomachine-key I do not
>>>see a security-point. Or do I miss something?
>>
>>I only kept the relevant parts..
> 
> 
> No, you didn't. 
> 
> Whoever hasn't read the previous mails in the thread is strongly 
> encouraged to do so now, and make up his own mind.

This discussion seems to get a little bit emotional, reading your last 
two mails on the subject. Therefore I just try to clarify what I meant 
and point out what I still don't see/get and then leave this discussion.

>>The _problem_ with the nomachine key  
>>is: Everyone has access to them, they are part of the NX distribution. 
>>So if you use your private keypair it's _not_ the same, because to hack 
>>away on your NX server I'd first need to steal your keys, right?
> 
> 
> Right here.
> 
> 
>>If you use the one distributed for all interested people that download 
>>any NX package, SSH's security is disabled in regard of access control. 
> 
> 
> Wrong here.

Maybe you can enlighten me here.. If you agree with the next point, that 
everyone can use the public key to connect to the NX shell, what 
exactly is your "wrong here" point? I mean - I could answer with "No, 
right here", but that would be quite unlikely to help. What I meant to 
say was: SSH won't help against anyone accessing the NX shell - the 
words might give room for misinterpretation and I apologize for that. I 
tried to say that it's not useless (you still have a basic kind of 
encryption for example, you can tunnel etc.), but it's not stopping 
anyone from connecting to the server anymore, therefore its access 
control _here_ is disabled. Since anyone is free to use the available key.

> 
>>I can start an SSH connection to your NX server right away and play with 
>>the NX protocol.
> 
> 
> Right here.
> 
> 
>>You generously give open the front door and trust, 
> 
> 
> Wrong here.
> 
> The "front door" it may be....

Well - this whole sentence was about the "front door"? I didn't want to 
say "you give up the trust as well", but that might be a problem with my 
non-native English as well.. It was a "You generously give open the 
front door" and a "you trust that" - and the latter is - well - not 
wrong. It's incomplete so far..

>>that   
>>I won't be able to open the door to your freezer.. ;-)
> 
> 
> ...but to compare the next door to get through, after the front garden
> door was opened, to a freezer door is a gross mis-representation of the 
> facts. If you think SSL challenge<-->response authentication is unsecure,
> please take the discussion to the OpenSSL-devel list, and stop it here.

This is the part where I think you really get emotional. First of all: I 
never said "(Free)NX is insecure" or "is insecure with NX keys". I 
merely stated that you lose security by using open/available keys. (Yes, 
you can argue that it's secure this way and you only _win_ security by 
having your own keys, but - really..)
If you have a problem with my front door/freezer door analogy that's 
fine, but please don't search personal offenses where I didn't want to 
annoy.. Read it as 2 safe doors, if that better suits you. The point 
stays the same: You left the first one open.

*removed comments about SSL here*

My conclusion: If you really want as much security as possible, if you 
are concerned about security: Use your own keys. No, I didn't say that 
the other way is way too unsafe.

Regards,
Ben
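
An added example, not part of the original thread and not FreeNX code: a check for the situation discussed above, reporting which lines of an account's authorized_keys still trust a key that ships with every NX download. The function names, the sample keys and the `command=` path are constructed for illustration; in practice the two inputs would be the nx account's authorized_keys file and the public key from the distributed package.

```python
import base64
import hashlib
import re

# "<key-type> <base64-blob>" anywhere in a line, so leading options are skipped.
KEY_RE = re.compile(r'(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+={0,2})')


def fingerprint(line):
    """Return the OpenSSH-style SHA256 fingerprint of the key on one line, or None."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return None
    for key_type, b64 in KEY_RE.findall(stripped):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # A genuine key blob starts with its own length-prefixed type name;
        # this rejects look-alike text inside an option string.
        name_len = int.from_bytes(blob[:4], 'big')
        if blob[4:4 + name_len] != key_type.encode():
            continue
        digest = hashlib.sha256(blob).digest()
        return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')
    return None


def shared_key_lines(authorized_keys_text, distributed_pubkey_text):
    """1-based line numbers in authorized_keys that trust a distributed key."""
    shared = {fingerprint(l) for l in distributed_pubkey_text.splitlines()} - {None}
    return [i for i, l in enumerate(authorized_keys_text.splitlines(), 1)
            if fingerprint(l) in shared]


def constructed_key(key_type, body):
    """Build a syntactically valid but fake public-key line for the demo."""
    blob = len(key_type).to_bytes(4, 'big') + key_type.encode() + body
    return key_type + ' ' + base64.b64encode(blob).decode()


# Constructed sample data: none of these are real keys.
DISTRIBUTED = constructed_key('ssh-dss', b'shared-with-every-download') + ' distributed-key\n'
OWN = constructed_key('ssh-rsa', b'generated-on-this-server')
AUTHORIZED = ('# constructed authorized_keys for the nx account\n'
              'command="/usr/bin/nxserver" '
              + constructed_key('ssh-dss', b'shared-with-every-download') + '\n'
              + OWN + ' admin@example\n')

if __name__ == '__main__':
    print(shared_key_lines(AUTHORIZED, DISTRIBUTED))
```

An empty result means the account only trusts keys that are not in the distributed file, which is the "use your own keys" setup the conclusion recommends.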


