IETF-SSH archive


Re: X forwarding



>> There is no additional security gained from [passing X authorization
>> data from ssh client to ssh server] [...]
> The consensus at the time was that several people thought my idea was
> better than the existing method, some other people thought it was at
> least no worse, but everybody (including me :-) agreed that even back
> in early 2001 it was much too late to change it for the only marginal
> gain.

Only marginal gain?  I don't consider getting rid of assumptions on the
part of the client about what X authorization mechanisms are supported
on the server "only marginal gain". :-)

For my own purposes, I need an extra cookie, at least a small integer,
which forces me to use a new request in any case.  (I don't consider it
acceptable to hijack part of the authorization cookie to carry this
information.)

The existing X forwarding is also rather underspecified; for example,
it is clear that at least one end is expected to get its fingers into
the X protocol, but it is not clear whether the data flowing through
the X channel is pure X protocol or not (it might, for example, have
the authorization information stripped - after all, the authorization
information is the whole reason X forwarding is treated any differently
from vanilla TCP forwarding).

>> I'm implementing X forwarding as [...]
>> What security horrors am I risking thereby?
> Surely the main horror you're risking is that nobody else's server
> will support your private request and everybody else's clients will
> expect you to support the standard one?

That's hardly a security problem, and in text which I notice you cut I
quoted someone (our Swedish elf, I think it was) talking about
insecurities in one way as compared to the other, but without including
any specifics.

As for compatibility, now that I have X forwarding working at all, I
will probably make it do something at least vaguely sensible with the X
requests from connect-18 (though of course they will be incompatible
with the connection sharing that I suspect will be one of the major
features my version will offer).

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse%rodents.montreal.qc.ca@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
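The "fingers into the X protocol" remark above concerns the X11 connection setup request, the only place on the channel where authorization data appears. As an added example (not from this thread or from any SSH implementation), here is a parser for that request together with the cookie-swap step a forwarding endpoint performs before passing the rest of the stream through untouched; the cookie values and function names are constructed for the example.

```python
import struct

# Constructed sample cookies (values made up for this example).
FAKE_COOKIE = bytes.fromhex("0011223344556677")   # what the forwarded client presents
REAL_COOKIE = bytes.fromhex("a1b2c3d4e5f60718")   # what the real X server accepts


def _pad4(n):
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (4 - n % 4) % 4


def build_x11_setup(auth_name, auth_data, lsb_first=True):
    """Build an X11 client connection setup request (X11 protocol, section 8)."""
    order = b"l" if lsb_first else b"B"          # first byte selects byte order
    fmt = "<" if lsb_first else ">"
    # major 11, minor 0, name length, data length, two unused bytes
    header = order + b"\x00" + struct.pack(fmt + "HHHHxx", 11, 0, len(auth_name), len(auth_data))
    return (header + auth_name + b"\x00" * _pad4(len(auth_name))
            + auth_data + b"\x00" * _pad4(len(auth_data)))


def parse_x11_setup(buf):
    """Parse the fixed 12-byte header and the padded authorization fields."""
    if len(buf) < 12 or buf[0:1] not in (b"l", b"B"):
        raise ValueError("not an X11 connection setup request")
    fmt = "<" if buf[0:1] == b"l" else ">"
    major, minor, n, d = struct.unpack(fmt + "HHHH", buf[2:10])
    name_end = 12 + n
    data_start = name_end + _pad4(n)
    data_end = data_start + d
    auth_end = data_end + _pad4(d)
    if len(buf) < auth_end:
        raise ValueError("truncated setup request")
    return {"order": fmt, "major": major, "minor": minor,
            "auth_name": buf[12:name_end], "auth_data": buf[data_start:data_end],
            "auth_end": auth_end}


def swap_cookie(buf, expected_fake, real_cookie):
    """Replace the forwarded cookie with the real one; reject anything else.
    Only the setup request is rewritten, so the X stream after it stays pure X."""
    s = parse_x11_setup(buf)
    if s["auth_data"] != expected_fake:
        raise PermissionError("cookie in setup request does not match the forwarded one")
    rest = buf[s["auth_end"]:]
    return build_x11_setup(s["auth_name"], real_cookie, s["order"] == "<") + rest


if __name__ == "__main__":
    req = build_x11_setup(b"MIT-MAGIC-COOKIE-1", FAKE_COOKIE)
    print(parse_x11_setup(swap_cookie(req, FAKE_COOKIE, REAL_COOKIE))["auth_data"].hex())
```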


