[ale] Trojan mpg123 alert

Dow Hurst dhurst at kennesaw.edu
Tue Jan 21 12:25:53 EST 2003


Many distros come with X configured to use xauth instead of xhost, i.e. 
user-level authentication instead of host-based authentication.  SSH 
manages the xauth stuff so you don't have to do any work manually.  If 
you only have xhost authentication, then the throwaway user running on 
the same machine side by side with your normal user identity could read 
your keystrokes from any xterm you're running.  The authentication scheme 
for xhost assumes that if you're logged in on the same machine you 
are "trusted", while xauth does not.

To use SSH without encryption, you can set the type of cipher to AnyStd 
in the sshd2_config file for the ssh.com distribution.  This includes the 
None cipher or "no cipher", making your login and password plus all 
traffic unencrypted.  Not sure how this would work on OpenSSH 
configurations or how this would affect what the throwaway user could do 
to circumvent your normal user's security.  I've played with this one 
time to increase throughput within a local firewalled LAN for running 
gnumeric from a Linux workstation on an SGI workstation.  Worked well on 
increasing throughput, but I worry about having an sshd server configured 
that way.  With AnyStd you can pick the cipher with a command line 
option for ssh or scp.  I would not run this on an externally exposed 
sshd server.  Run a second server on a different port that isn't allowed 
connections from the Internet, so you won't make a mistake down the line 
and expose your login and passwd.
Dow


Michael D. Hirsch wrote:

>On Tuesday 21 January 2003 11:20 am, Dow Hurst wrote:
>
>>Yes, exactly.  Have the separate throwaway user ready so you can use it
>>as a disposable "point man" when in enemy territory, i.e. the Internet.
>>I am reading the discussions on separate instances of X on different
>>terminals with interest since this is an alternate method of "hot
>>switching" between users.  As long as I have a separate instance of a
>>browser or email client window on a separate paged desktop it doesn't
>>really seem necessary to have separate X servers running.  However, the
>>speed of SSH can slow stuff down on a slow box unless you don't use a
>>cipher.
>>Dow
>
>Why do you need ssh?  This is maybe the third time it's been mentioned in
>this context and it confuses me.  Why ssh to localhost as an untrusted
>user?  Just "su - untrusted user" and export your DISPLAY variable (or use
>su without the - and you don't even need that last step).  And of course,
>"xhost localhost" on your desktop.  What does ssh gain you?
>
>--Michael
>
>>Jason Day wrote:
>>
>>>On Wed, Jan 15, 2003 at 11:03:06PM -0500, Stephen F Nicholas wrote:
>>>
>>>>Slap me if I read this incorrectly.  People surf the web under their
>>>>root account ?? :-(
>>>
>>>I haven't read Bob's book (yet :)), but when I read Dow's message I
>>>thought Bob was recommending creating a special user account just for
>>>browsing the web.  In other words, run X as your normal user (not
>>>root). But when you want to run a browser, ssh to localhost and login
>>>as the browser user, then start the browser as that user.  That way,
>>>you can minimize the damage if your browser process gets compromised.
>>>
>>>>On Wed, 15 Jan 2003, Dow Hurst wrote:
>>>
>>>[...]
>>>
>>>>>Bob recommends web browsing as a separate user.  Especially if you
>>>>>are using plugins, java, or javascript enabled.  I think ssh'ing to
>>>>>your machine as the untrusted user to run the apps would work okay.
>>>>>Or, for the dual screen people, instead of running Xinerama, use two
>>>>>separate Xservers and log in as separate users.

-- 
__________________________________________________________
Dow Hurst                  Office: 770-499-3428
Systems Support Specialist    Fax: 770-423-6744
1000 Chastain Rd., Bldg. 12
Chemistry Department SC428  Email:dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************
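An added example for the two points in Dow's message above; this is not code from the ale list or from Dow Hurst. It is a small POSIX shell script that (1) copies the per-display MIT-MAGIC-COOKIE into a throwaway user's ~/.Xauthority so a browser can be started as that user without `xhost localhost` (which would trust every local user, the snooping problem Dow describes), and (2) audits an sshd_config or sshd2_config for the mistake he warns about at the end: a cipher list that allows no encryption on a daemon bound to every interface. Assumptions, none of which come from the page: a local account named `throwaway` (THROWAWAY_USER overrides it) that the caller can sudo to; the ssh.com wildcard semantics as stated in its documentation as I recall them (`Any` and `AnyStd` include `none`, `AnyStdCipher` does not); and that stock OpenSSH ships no `none` cipher at all, so a `none` entry only matters for ssh.com or a patched OpenSSH build. The X11 helper needs a running display and is not exercised by the audit; the sample config files in the usage are constructed.

```shell
#!/bin/sh
# Added example for the thread above; not code from the ale list or from
# Dow Hurst.  Assumed names: a local account "throwaway" (THROWAWAY_USER
# overrides it) that the caller may sudo to, and config file paths passed
# by the caller.

# --- 1. Start a program as the throwaway user on the current display ----
# Copies only the MIT-MAGIC-COOKIE for $DISPLAY into the throwaway user's
# ~/.Xauthority, so no "xhost localhost" (which would trust every local
# user) is needed.  Requires a running X server; not exercised below.
run_as_throwaway() {
    user=${THROWAWAY_USER:-throwaway}
    xauth extract - "$DISPLAY" | sudo -H -u "$user" xauth merge - || return 1
    sudo -H -u "$user" env DISPLAY="$DISPLAY" "$@"
}

# --- 2. Audit an sshd config for a cleartext cipher on an exposed port ---
# Print every value of KEYWORD in FILE, comment lines skipped.  OpenSSH
# sshd_config and ssh.com sshd2_config share the "Keyword value" layout.
sshd_opt() {   # sshd_opt FILE KEYWORD
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Exit 0 if the Ciphers list lets a client negotiate no encryption.
# "none" is accepted by ssh.com and by OpenSSH builds carrying a "none"
# cipher patch (stock OpenSSH has no such cipher).  "Any" and "AnyStd" are
# ssh.com wildcards assumed here to include none, per its documentation;
# "AnyStdCipher" excludes none and is therefore not flagged.
sshd_allows_cleartext() {   # sshd_allows_cleartext FILE
    sshd_opt "$1" Ciphers | head -n 1 | tr 'A-Z' 'a-z' | tr ', ' '\n\n' |
        grep -qxE 'none|any|anystd'
}

# Exit 0 if the daemon accepts connections on every interface: either no
# ListenAddress at all, or one of the wildcard forms.
sshd_listens_everywhere() {   # sshd_listens_everywhere FILE
    addrs=$(sshd_opt "$1" ListenAddress | awk '{ print $1 }')
    if [ -z "$addrs" ]; then
        return 0
    fi
    for a in $addrs; do
        case "$a" in
            0.0.0.0|0.0.0.0:*|::|'[::]'|'[::]:'*|\*|\*:*) return 0 ;;
        esac
    done
    return 1
}

# Exit 1 (with a one-line reason) when a cleartext-capable sshd is bound
# to every interface, the configuration Dow warns against; exit 0
# otherwise.  A specific ListenAddress is necessary, not sufficient: the
# port still has to be blocked from the Internet at the firewall.
audit_sshd_config() {   # audit_sshd_config FILE
    f=$1
    port=$(sshd_opt "$f" Port | head -n 1)
    if ! sshd_allows_cleartext "$f"; then
        echo "$f: no cleartext cipher offered"
        return 0
    fi
    if sshd_listens_everywhere "$f"; then
        echo "$f: cleartext cipher offered on port ${port:-22} bound to every interface"
        return 1
    fi
    echo "$f: cleartext cipher offered on port ${port:-22}, bound only to:" \
        $(sshd_opt "$f" ListenAddress)
    return 0
}

# Usage: sh this_script.sh /etc/ssh/sshd_config [/etc/ssh2/sshd2_config ...]
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        audit_sshd_config "$f"
    done
fi
```

Run the audit against both the Internet-facing sshd and the second, LAN-only instance Dow suggests; the first should report no cleartext cipher, the second may offer one but must show a specific ListenAddress. The audit reads the file only, so it cannot tell whether that address is actually firewalled from the outside; that check stays with the packet filter.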


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale