[3664] in testers


sun4 8.2.4: sshd

daemon@ATHENA.MIT.EDU (Kevin L. Mitchell)
Thu Jun 25 00:51:39 1998

To: testers@MIT.EDU
Date: Thu, 25 Jun 1998 00:51:28 EDT
From: "Kevin L. Mitchell <klmitch@MIT.EDU>" <klmitch@MIT.EDU>

System name:		x15-cruise-basselope.mit.edu
Type and version:	Ultra-1 8.2.4 (with mkserv)
Display type:		ffb

What were you trying to do?
	ssh to an 8.2 machine

What's wrong:
	sshd runs xauth without setting an XAUTHORITY environmental
variable.  The result is that ~/.Xauthority is created in my home
directory.  Given that 1) my home directory is world-readable and
2) that AFS traffic is not encrypted from 8.2 machines (AFAIK), this
seems like a bad idea.

What should have happened:
	I had added a short segment of code which explicitly sets the
XAUTHORITY environmental variable in the same fashion as that which sets
the KRB5CCNAME environmental variable, so that when xauthority was run,
it would create the file /tmp/Xauthority.<random>; this would be much
more secure than putting it in my AFS home directory, thus causing the
key added to the file to go across the network, in the clear, to my
AFS server.  I would prefer if people were _not_ able to grab my
keystrokes while I renew my tickets.

Please describe any relevant documentation references:
	bar
