--===============2132415769==
Content-Type: multipart/signed;
boundary="nextPart5028224.eADc4qVRto";
protocol="application/pgp-signature";
micalg=pgp-sha1
Content-Transfer-Encoding: 7bit

--nextPart5028224.eADc4qVRto
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Dne ned=C4=9Ble 12 =C3=BAnor 2006 12:02 Ivor Hewitt napsal(a):
> Ok well apart from the fact that this is about an article from 2004 about
> something that isn't enabled by default and is nothing to do with KDE
> dev...
>
> > > 1. You've given permission by explicitly enabling the "-X" option.

> >
> > I may have given him permission by the "-X" but that's not what
> > I intended to do. I just wanted to have windows open locally.

>
> No you've explicitly made a machine to machine tunnel through all these
> firewalls you're talking about AND then said and now please forward X
> traffiic between these machines too.
> You shouldn't be doing either of those steps against a machine you don't
> trust.
>
> > People should be informed that they shouldn't do that.
> > I didn't at some point. The way it works is all very logical if you
> > think about it, but what about those who don't ... it's not that
> > obvious.

>
> It's off by default. You have to explicitly turn it on. The idea that
> people will be ssh'd into a remote box with X forwarding and doing their
> home banking is absurd.
>
> > Of course everything that happens on the remote machine is under his
> > control. Sniffing data and passwords that get to the remote machine in
> > clear text form.
> > But how would that compromise my local machine and
> > activities?
> > It's *my* version of the ssh client that's used and that one won't log
> > keystrokes and send them to Joe Hacker.

>
> No. If the remote machine is compromised then potentially the remote sshd
> is compromised too. That's not just *your* version of the ssh client that=

's
> used, anything your ssh client sends to the remote server is available
> unencrypted. Not only that but if you're ssh'd into the remote machine th=

en
> no doubt you're going to be running programs there too? after all, why el=

se
> would you be X forwarding? and any of those programs could be compromised.
> The X traffic is the least of your worries.


The problem here is, that if you have the compromised remote server, then y=
es,=20
everything that YOUR client sends gets to the bad guy. Sure. But with X11=20
forwarding, he can do more, he can activelly attack your computer, not just=
=20
passivelly hope you will send him something he may like. He can place a key=
=20
logger onto your local computer, he can take screenshots, he can do *A LOT*=
=20
more. The problem is, it is obvious to anyone that if he sends the password=
=20
there, then it is his will. But not many people would guess that if he=20
connects there and runs some programs, that the other programs on his local=
X=20
can be screenshoted, killed, whatever. It says that if the remote machine i=
s=20
compromised, then with X11 forwarding, the whole your machine is compromise=
d=20
as well.

> Regards,


=2D-=20

Ostatn=C4=9B soud=C3=ADm, =C5=BEe uzav=C5=99en=C3=A9 protokoly a form=C3=A1=
ty by m=C4=9Bly b=C3=BDt zni=C4=8Deny, stejn=C4=9B=20
jako Kart=C3=A1go.

--nextPart5028224.eADc4qVRto
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQBD7x2D7/oWwynB3bIRAhDNAJ9KhOxdF5JQVJwp8vx3ZplRM5bQNACbB4as
FSgzwTXc1F25E217SlfZwRk=
=Kk2c
-----END PGP SIGNATURE-----

--nextPart5028224.eADc4qVRto--


--===============2132415769==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<


--===============2132415769==--