Re: X-windows security in Gnome



Attached is the conversation I had with Dan Kaminsky of the SSH
team in more detail.  In short, we need to start thinking more about 
network usage, particularly with mobile people and facilities.
			- Jim

> Sender: gnome-private-members-admin gnome org
> From: Gregory Leblanc <gleblanc linuxweasel com>
> Date: 20 May 2002 23:51:46 -0700
> To: gnome-hackers gnome org
> Subject: Re: X-windows security in Gnome
> -----
> On Fri, 2002-05-17 at 10:51, Jim Gettys hp com wrote:
> > >
> > > xhost + is generally dumb
> > > export DISPLAY=someotherbox:0 is generally dumb too
> > >
> >
> > Particularly dumb these days with SSH; one should generally use its
> > tunneling facilities to provide encryption (and potentially compression,
> > as well).
> >
> > It may be good to see if using this extension gets us easy (and transparent
> > to applications) support for Kerb5 when installed with fall back to
> > magic-cookie; as I said, I've never delved into it.  But the compartmented
> > mode security features always struck me as daft.
> >
> > What would also be really good would be to get a cleaner integration of
> > use of ssh with X applications...  Hmmm....  The potential is there
> > to really "do it right" if someone wants to take it on...
> 
> Well, nobody from the OpenSSH dev team has any idea what you're hinting
> at here (well, at least none of the three or four people who replied to
> this post).  They did express enough interest to reply and inquire.
>         Greg
> 
> --
> Portland, Oregon, USA.
> Please don't copy me on replies to the list.
> 
> _______________________________________________
> gnome-hackers mailing list
> gnome-hackers gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-hackers

--
Jim Gettys
Cambridge Research Laboratory
HP Labs, Hewlett-Packard Company
Jim Gettys hp com

--- Begin Message ---
Heya Jim--

    I'm responsible for documenting/creating some of the more interesting
uses of SSH -- Dynamic Forwarding, some of the stranger ProxyCommand work --
and I'm curious what you think SSH could do with X apps.  Right now,

    ssh -X user@host netscape

    works decently well.  But I'm sure you have some more interesting
ideas...

--Dan

--- End Message ---
--- Begin Message ---
Fundamentally, I want to get away from having sessions have to be started
on the host with the display...

An X server should have an access control list of Kerberos principals,
and SSH keys, from which connections are allowed; with your wonderful
hack (which I hadn't noticed by the way, the docs could use help...),
you still go through a login sequence, get a shell, and start up ssh all
to serve the one command.  This seems pretty heavyweight.

Scenario for you to think about: You have displays all around you,
and you have a PDA running Linux in your hand.  At any time, you should
be able to start an app on the PDA, and connect to the "right" display to
use it.  And I'm not logged into the machine driving the display at all;
I'm just using it as a convenient display to use.

Similarly, users may belong to groups: I'd like to be able to say
"let anyone in my office use this display".
                                  - Jim

--
Jim Gettys
Cambridge Research Laboratory
HP Labs, Hewlett-Packard Company
Jim Gettys hp com

> From: "Dan Kaminsky" <dan doxpara com>
> Date: Fri, 17 May 2002 15:01:17 -0700
> To: <Jim Gettys hp com>
> Subject: SSH Integration
> -----
> Heya Jim--
>
>     I'm responsible for documenting/creating some of the more interesting
> uses of SSH -- Dynamic Forwarding, some of the stranger ProxyCommand work --
> and I'm curious what you think SSH could do with X apps.  Right now,
>
>     ssh -X user@host netscape
>
>     works decently well.  But I'm sure you have some more interesting
> ideas...
>
> --Dan

--- End Message ---
--- Begin Message ---
Jim--

    What you describe is *exactly* what xvnc is used for...I've long felt
that it'd be ideal to have something in between the xvnc model and the x
model, by which a single display (or window process set) is logged into but
visibility is transmitted using x messages rather than vnc style compressed
bitmaps.

    SSH can handle the auth for this kind of technique reasonably nicely,
but the core work is X itself.

    As for the remote command execution I mentioned -- the only extra
process is the shell.  You'd still require an sshd invocation, and of course
the process invocation...we force the shell invoke to allow shell based
restrictions.  Still, there is the alternate model where the remote host
actively spews a window onto a client...but how common do you *want* random
windows popping up?  Hmm.

    There's a lot SSH can do; any more ideas, lemme know.  It might already
be doable!

--Dan

--- End Message ---
--- Begin Message ---
Here are the scenarios:

1) you have an iPAQ handheld; you want to start using it on a convenient
nearby workstation; you're already authenticated on the iPAQ.

2) You have a laptop or handheld, you want to use the projector system
in the conference room. You're already authenticated on the laptop or
handheld.

Either way, you want to easily be able to use a display without messing
around with logging in (and it may not be appropriate for you to log into
that machine, and have full access rights at all).

					- Jim


--
Jim Gettys
Cambridge Research Laboratory
HP Labs, Hewlett-Packard Company
Jim Gettys hp com

--- End Message ---
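
As an added illustration of the `xhost +` and `export DISPLAY=someotherbox:0` remarks quoted at the top of this thread (not part of any message in it), the following shell functions classify a DISPLAY value and the status line that `xhost` prints. The function names and sample values are constructed here; treating localhost displays numbered 10 and up as SSH-forwarded is an assumption based on sshd's default X11DisplayOffset of 10.

```shell
#!/bin/sh
# Added example: audit helpers for the two habits criticised in the thread.

# classify_display VALUE -> local-socket | local-tcp | ssh-forwarded |
#                           remote-tcp | invalid
classify_display() {
    d=$1
    case $d in
        *:*) ;;                      # DISPLAY is [host]:display[.screen]
        *) echo invalid; return 0 ;;
    esac
    host=${d%:*}                     # text before the last colon
    num=${d##*:}                     # display[.screen]
    num=${num%%.*}                   # drop the optional screen number
    case $num in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    case $host in
        ''|unix|/*) echo local-socket ;;   # local socket, nothing on the wire
        localhost|127.0.0.1|::1)
            # Assumption: sshd hands out displays starting at 10 by default.
            if [ "$num" -ge 10 ]; then echo ssh-forwarded
            else echo local-tcp; fi ;;
        *) echo remote-tcp ;;              # plain X11 over TCP, unencrypted
    esac
}

# xhost_state "STATUS LINE" -> open | restricted | unknown
# "open" is what `xhost +` leaves behind: any host may connect.
xhost_state() {
    case $1 in
        *"access control disabled"*) echo open ;;
        *"access control enabled"*)  echo restricted ;;
        *) echo unknown ;;
    esac
}

# Constructed sample inputs (not taken from a real system).
for sample in ":0" "localhost:10.0" "someotherbox:0"; do
    printf '%-16s %s\n' "$sample" "$(classify_display "$sample")"
done
xhost_state "access control disabled, clients can connect from any host"
```

On a live session the same functions can be fed `"$DISPLAY"` and the first line of `xhost` output.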

