List: freenx-knx
Subject: Re: [FreeNX-kNX] One-time password authentication question
From: Fabian Franz <FabianFranz () gmx ! de>
Date: 2006-03-08 20:04:55
Message-ID: 200603082104.58204.FabianFranz () gmx ! de
On Wednesday, 8 March 2006 15:45, Nick Owen wrote:
> Interesting suggestions. I'm not familiar with the -M option. Have to
> google it up ;). I got FreeNX working with one-time passcodes thanks to
> a script from Felix Shumacher. Here's his post:
>
> http://lists.kde.org/?l=freenx-knx&m=113766147904995&w=2
Yeah, thank you.
>
> and here is a how-to on our open source site:
>
> http://www.wikidsystems.net/howtos/2_factor_vnc
Yes, I've read it.
>
> This script would be a great addition to the code, IMHO.
I need to disagree:
The patch unfortunately has some problems:
It means that any user can log in as any user and at least see which sessions
are running. This is a privacy problem.
I.e. I could check if my colleague is really connected during his work time or
not...
While I cannot suspend or resume any sessions of course, I could do the
commands and have the entries deleted from the session database
(there is a FIXME to check for successful execution in the code, but it was
never needed, so not yet fixed. Easy fix: put the two lines onto one line
combined with &&).
Also everything in the client like "terminating a session one does not want
to resume" leads of course to the usage of the one-time password and thus to
the unsuccessful start of the session afterwards.
Google for "ControlMaster" to find a great blog post about the ssh -M
functionality.
Though having such a UNIX-Domain socket of course would give other nx
processes the possibility to use the ControlMaster too if there was a
security leak in that part of the code.
Making nxserver control nxnode is possible and not that difficult either,
_but_ in each case (ControlMaster or nxnode-persistent-connection) you have a
problem to _ever_ implement load balancing.
( The same applies to directly logging a user in. )
cu
Fabian
--
*** Consulting - Training - Workshops - Troubleshooting ***
@@@ LiveCDs (Knoppix), Debian, Remote Desktop Access (FreeNX) @@@
--- Fabian Franz --- www.fabian-franz.de --- consulting@fabian-franz.de