[20943] in bugtraq


Re: SSH / X11 auth: needless complexity -> security problems?

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Sun Jun 10 17:43:37 2001

Message-Id: <200106082033.f58KXov12485@cvs.openbsd.org>
To: Markus Friedl <mfriedl@genua.de>
Cc: Peter W <peterw@usa.net>, sarnold@wirex.com, bugtraq@securityfocus.com,
        peterw@tux.org
In-reply-to: Your message of "Wed, 06 Jun 2001 10:11:18 +0200."
             <20010606101118.B18811@faui02.informatik.uni-erlangen.de> 
Date: Fri, 08 Jun 2001 14:33:49 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>

> this feature was inherited from ossh and the reason was:
> 	1) if $HOME is on NFS, then the cookie travels unencrypted
> 	   over the network, this defeats the purpose of X11-fwding
> 	2) $HOME/.Xauthority gets polluted with temporary cookies.
> however, i'm not sure whether the benefit justifies the complexity,
> so this feature could be removed from future OpenSSH versions.

I cannot tell which is more important.  No wait, I can.

OK, let's do the home dir thing then.

In the NFS case, if someone is sniffing your NFS traffic you are
fucked from here to hell.
