Old 01-08-2008, 02:47 PM
"Douglas A. Tutty"
 
Default ssh X11Forward safety

Since I have nothing better to do, I often ponder how to improve safety
and security in my home setup. I have two conflicting needs: security
of my data and a need to use a browser with javascript and sometimes
flash; some sites only work with Iceweasel.

Let me set up my thinking on this, and then at the end I ask one
question. Could anybody who knows the ins-and-outs of ssh comment?

I note that Iceweasel gets lots of security updates (though, fewer in
the past month or two than I remember) which suggests that there are
lots more security issues that haven't been discovered yet. I know that
javascript runs in a sandbox and shouldn't be able to get at anything in
my home directory or run anything under my UID. However, if ever it
did, it could be disastrous.

So I look at ways to isolate the two needs. Right now I run Etch amd64
which means that Iceweasel with flash runs under an i386 chroot.
However for me, ordinary user, to run in the chroot I use schroot which
bind mounts my home directory over which presents it on the proverbial
platter for Iceweasel. Also, chroots are the greatest security
isolation.

I then consider putting them on separate boxes. If they are truly
separate, with two displays/keyboards, then that is more secure. I
could have my Athlon64 as my "entertainment" system (Iceweasel, VLC) and
another box for everything else. I could use a KVM switch to alternate
between the two boxes.

However, if I look at ssh-ing between the two, there are two scenarios:

1. Screen and keyboard on the "entertainment" box and I ssh through
to the secure box to do work. That "entertainment" box could at any
time become compromised via an undiscovered security breach in Iceweasel
and then grab whatever I do via ssh. If I edit a file with vi on the
"secure" box from a VT on the "entertainment" box, then anything there is
open to view.

2. Screen and keyboard on the "secure" box and ssh through to the
"entertainment" box to run Iceweasel. For this I need in ssh_config
both ForwardX11 and ForwardX11Trusted. Note that Konqueror doesn't
require ForwardX11Trusted. However, then a compromised "entertainment"
box could, per the ssh_config man page, "perform activities such as
keystroke monitoring".

So is the moral of the story that there is no way to access a
compromised box from a "secure" box via ssh without risking the security
of the "secure" box?

Doug.



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 01-09-2008, 04:20 AM
"Todd A. Jacobs"
 
Default ssh X11Forward safety

On Tue, Jan 08, 2008 at 10:47:16AM -0500, Douglas A. Tutty wrote:

> security of my data and a need to use a browser with javascript and
> sometimes flash; some sites only work with Iceweasel.

You're over-complicating this. You can use X without forwarding X11 by
tunneling VNC or using nxclient. Both methods display the remote X11
sessions without giving the remote system access to your local X server.

For SSH, just start vncserver with the -localhost flag, and forward port
59xx as follows:

ssh -L5900:localhost:5900 vncserver.example.com

If you're using tightvnc (or the Debianized vnc4 packages) you can do the
same thing with the -via flag to vncviewer. Then just connect to
localhost:0 with VNC, and voila!

--
"Oh, look: rocks!"
-- Doctor Who, "Destiny of the Daleks"


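Added example, not part of the thread: a small POSIX shell check for the setup Todd describes. Before tunnelling, it verifies from `ss -ltn` output that the VNC display port is bound only to loopback (what `vncserver -localhost` should give you), and it builds the tunnel command with X11 forwarding explicitly off so the remote X clients never touch the local X server. The `ss` sample below is constructed; in practice pipe in the real `ss -ltn` output.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` on the "entertainment" box.
# Safe case: VNC display :1 (port 5901) listens on loopback only.
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Unsafe case: vncserver started without -localhost, reachable from the LAN.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      [::]:5901          [::]:*'

# vnc_exposed LISTEN_OUTPUT
# Prints every VNC display port (5900-5999) bound to a non-loopback address.
# Returns 0 when none is exposed, 1 otherwise.
vnc_exposed() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            # Column 4 is Local Address:Port, e.g. 127.0.0.1:5901, *:5901, [::]:5901.
            at   = match($4, /:[0-9]+$/)
            addr = substr($4, 1, at - 1)
            port = substr($4, at + 1) + 0
            if (port >= 5900 && port <= 5999 &&
                addr != "127.0.0.1" && addr != "[::1]" && addr != "localhost") {
                print "exposed: " addr ":" port
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# vnc_tunnel_cmd HOST DISPLAY
# Builds the ssh command that forwards local 5900 (display :0 for vncviewer)
# to the remote display DISPLAY, with ForwardX11 forced off.
vnc_tunnel_cmd() {
    printf 'ssh -o ForwardX11=no -L 5900:localhost:%d %s\n' $((5900 + $2)) "$1"
}

if vnc_exposed "$SAMPLE_SAFE"; then
    echo "safe: VNC only on loopback; run:"
    vnc_tunnel_cmd vncserver.example.com 1
fi
vnc_exposed "$SAMPLE_BAD" || echo "restart vncserver with -localhost first"
```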
 
Old 01-09-2008, 12:50 PM
"Douglas A. Tutty"
 
Default ssh X11Forward safety

On Tue, Jan 08, 2008 at 09:20:12PM -0800, Todd A. Jacobs wrote:
> On Tue, Jan 08, 2008 at 10:47:16AM -0500, Douglas A. Tutty wrote:
>
> > security of my data and a need to use a browser with javascript and
> > sometimes flash; some sites only work with Iceweasel.
>
> You're over-complicating this. You can use X without forwarding X11 by
> tunneling VNC or using nxclient. Both methods display the remote X11
> sessions without giving the remote system access to your local X server.
>
> For SSH, just start vncserver with the -localhost flag, and forward port
> 59xx as follows:
>
> ssh -L5900:localhost:5900 vncserver.example.com
>
> If you're using tightvnc (or the Debianized vnc4 packages) you can do the
> same thing with the -via flag to vncviewer. Then just connect to
> localhost:0 with VNC, and voila!

Thanks.

I think I still need to get my data off the same box as that from which
I browse with javascript and flash. Once that's done, I don't need to use
X remotely anyway (at least not between a secure and unsecure box).

Doug.


 
