[CentOS] freenx
Maciej Żenczykowski
maze at cela.pl
Wed Jan 25 00:40:55 UTC 2006
>>> I think the idea was to have a minimally-privileged program that
>>> can't do anything but provide a tunnel.
>>
>> I'm not sure I understand you there - isn't ssh already an encrypted
>> tunnel provider with authorization? What more do we need?
>
> It is, but you may not want to let real users log in directly on
> an exposed interface. Even if the nx user managed to break out
> of the shell program that isn't supposed to do anything else,
> it would be as a user that didn't own anything useful.

You've lost me here. If I can log in as nx via ssh then I can log in as a
normal user anyway on that exposed interface. I haven't gained anything
except added complexity by adding the extra 'nx' user.

> You are talking to the stock sshd here, not something that came with
> freenx. If you want port forwarding turned off, you can turn it off.

Of course, but the only reason we have this problem is because of the
two-stage authentication - if we used ssh to authenticate as the user and
not as nx then this wouldn't happen.

>> Where does the problem come from? It comes from reinventing the wheel...
>
> It doesn't reinvent anything - it just uses an extra login.

It's reinventing authorization, for no fathomable reason - that's all I'm
claiming.

Cheers,
MaZe.