[CentOS] freenx

Maciej Żenczykowski maze at cela.pl
Wed Jan 25 00:40:55 UTC 2006


>>> I think the idea was to have a minimally-privileged program that
>>> can't do anything but provide a tunnel.
>>
>> I'm not sure I understand you there - isn't ssh already an encrypted
>> tunnel provider with authorization?  What more do we need?
>
> It is, but you may not want to let real users log in directly on
> an exposed interface. Even if the nx user managed to break out
> of the shell program that isn't supposed to do anything else,
> it would be as a user that didn't own anything useful.

You've lost me here.  If I can log in as nx via ssh then I can log in as a 
normal user anyway on that exposed interface.  I haven't gained anything 
except added complexity by adding the extra 'nx' user.

> You are talking to the stock sshd here, not something that came with
> freenx. If you want port forwarding turned off, you can turn it off.

Of course, but the only reason we have this problem is because of the 
two-stage authentication - if we used ssh to authenticate as the user and 
not as nx then this wouldn't happen.

>> Where does the problem come from?  It comes from reinventing the wheel...
>
> It doesn't reinvent anything - it just uses an extra login.

It's reinventing authorization, for no fathomable reason - that's all I'm 
claiming.

Cheers,
MaZe.


