The "integration" of SSH with apps is already there.

Read the OpenSSH [or other SSH implementation's] man pages and the SSHv2 specs. RTFM!

Essentially SSH supports tunneling of X11 traffic. The SSH daemon is responsible for creating a local X11 display endpoint and setting the DISPLAY environment variable appropriately, then the apps you run in SSH sessions with X11 forwarding do the right thing and open a display which is really the SSH daemon and which proxies back-and-forth to the SSH client, which then proxies back and forth to its DISPLAY.

Oh, and, yes, there are patches for doing Kerberos authentication in SSHv2 with OpenSSH. So yes, SSHv2 w/ X11 forwarding and w/ GSS (w/ Kerberos) key exchange / userauth is a decent approximation of kerberized X11 - it's better even, since one need not forward or proxy any tickets to make the SSH approach work, but one does have to forward or proxy tickets to make the kerberized X11 approach work. And SSH can compress SSH traffic too.

Cheers,

Nico
--

> -----Original Message-----
> From: Gregory Leblanc [mailto:gleblanc at linuxweasel.com]
> Sent: Friday, May 17, 2002 4:59 PM
> To: OpenSSH Devel List
> Subject: [Fwd: Re: X-windows security in Gnome]
>
>
> This is from a security discussion on one of the GNOME lists. Jim is
> one of the original X11 people, for what that's worth. I just thought
> I'd try to tempt some folks here into looking at doing ssh and X
> integration "right".
> Greg
>
> --
> Portland, Oregon, USA.
> Please don't copy me on replies to the list.

On Fri, 2002-05-17 at 14:13, Nicolas.Williams at ubsw.com wrote:
> The "integration" of SSH with apps is already there.

I'm fully aware of the ability of OpenSSH to tunnel X11 connections, as is Jim (per his message). Jim was saying that there was a potential to do more, or cleaner, integration between X applications and SSH. I'm not familiar enough with either SSH or the X Window System to know exactly where that integration could be done, or how the existing integration could be "cleaner".

Greg

P.S. Is my signature not explicit enough? I don't need to receive multiple copies, one to the list is plenty, thanks.

> Read the OpenSSH [or other SSH implementation's] man pages and the SSHv2 specs. RTFM!
>
> Essentially SSH supports tunneling of X11 traffic. The SSH daemon is responsible for creating a local X11 display endpoint and setting the DISPLAY environment variable appropriately, then the apps you run in SSH sessions with X11 forwarding do the right thing and open a display which is really the SSH daemon and which proxies back-and-forth to the SSH client, which then proxies back and forth to its DISPLAY.
>
> Oh, and, yes, there are patches for doing Kerberos authentication in SSHv2 with OpenSSH. So yes, SSHv2 w/ X11 forwarding and w/ GSS (w/ Kerberos) key exchange / userauth is a decent approximation of kerberized X11 - it's better even, since one need not forward or proxy any tickets to make the SSH approach work, but one does have to forward or proxy tickets to make the kerberized X11 approach work. And SSH can compress SSH traffic too.
>
> Cheers,
>
> Nico
> --
>
> > -----Original Message-----
> > From: Gregory Leblanc [mailto:gleblanc at linuxweasel.com]
> > Sent: Friday, May 17, 2002 4:59 PM
> > To: OpenSSH Devel List
> > Subject: [Fwd: Re: X-windows security in Gnome]
> >
> >
> > This is from a security discussion on one of the GNOME lists. Jim is
> > one of the original X11 people, for what that's worth. I just thought
> > I'd try to tempt some folks here into looking at doing ssh and X
> > integration "right".
> > Greg
> >
> > --
> > Portland, Oregon, USA.
> > Please don't copy me on replies to the list.

--
Portland, Oregon, USA.
Please don't copy me on replies to the list.

On Friday 17 May 2002 05:13 pm, Nicolas.Williams at ubsw.com wrote:
> The "integration" of SSH with apps is already there.
>
> Read the OpenSSH [or other SSH implementation's] man pages and the SSHv2
> specs. RTFM!
>
> Essentially SSH supports tunneling of X11 traffic. The SSH daemon is
> responsible for creating a local X11 display endpoint and setting the
> DISPLAY environment variable appropriately, then the apps you run in SSH
> sessions with X11 forwarding do the right thing and open a display which is
> really the SSH daemon and which proxies back-and-forth to the SSH client,
> which then proxies back and forth to its DISPLAY.
>
[snip]

IMHO, I wouldn't call that "integrated". ssh is an external tool which provides a tunnel for the X traffic. I would consider it integrated if the X server itself talked SSH as well as the core X libraries. X clients would connect to <someotherhost>:0 instead of <localhost:10> and the X libraries would transparently use the SSH protocol if available.

This would be analogous to a non-SSL aware mail client using stunnel to access an SSL imap mailbox. If the mail client were to talk SSL natively to the server without anything in between, then you could call it integrated.

-Dave
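
An added example, not part of any message in this thread: the difference between the `localhost:10` and `<someotherhost>:0` display names discussed above, shown as a small DISPLAY classifier a defender could use to spot X11 sessions that bypass the SSH tunnel. The function name `classify_display` is hypothetical, and the "ssh-forwarded" label is a heuristic that assumes the OpenSSH sshd defaults (proxy display bound to loopback, display numbers starting at `X11DisplayOffset` 10).

```python
import re

X11_BASE_PORT = 6000        # X11 over TCP listens on 6000 + display number
SSHD_DISPLAY_OFFSET = 10    # assumed: OpenSSH sshd_config X11DisplayOffset default
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# DISPLAY syntax: [host]:display[.screen]; greedy host match keeps IPv6 colons.
_DISPLAY_RE = re.compile(r"^(?P<host>.*):(?P<display>\d+)(?:\.(?P<screen>\d+))?$")


def classify_display(value):
    """Return how an X client would reach the server named by DISPLAY."""
    m = _DISPLAY_RE.match(value or "")
    if not m:
        return {"kind": "invalid", "port": None}
    host = m.group("host").strip("[]").lower()
    num = int(m.group("display"))

    # Empty host or "unix" means the local Unix-domain socket, no TCP at all.
    if host in ("", "unix") or host.endswith("/unix"):
        return {"kind": "local-socket", "port": None}

    port = X11_BASE_PORT + num
    if host in LOOPBACK:
        # sshd's proxy endpoint: loopback TCP at or above the display offset.
        # Heuristic only; any local process could listen on such a port.
        kind = "ssh-forwarded" if num >= SSHD_DISPLAY_OFFSET else "local-tcp"
        return {"kind": kind, "port": port}

    # Anything else is the X11 protocol sent directly to another host,
    # with no encryption or authentication added by SSH.
    return {"kind": "remote-cleartext", "port": port}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    for sample in ("localhost:10.0", "someotherhost:0", ":0", "[::1]:11"):
        print(sample, classify_display(sample))
```
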