X2Go Bug report logs - #34
Support for proxy server

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: "glpk xypron" <xypron.glpk@gmx.de>

Date: Fri, 21 Sep 2012 06:18:01 UTC

Severity: wishlist

Tags: pending

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.


Message #128 received at 34@bugs.x2go.org:

Received: (at 34) by bugs.x2go.org; 25 Sep 2012 14:40:58 +0000
From jsullivan@opensourcedevel.com  Tue Sep 25 16:40:58 2012
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194])
	by ymir (Postfix) with ESMTP id 585265DB15
	for <34@bugs.x2go.org>; Tue, 25 Sep 2012 16:40:58 +0200 (CEST)
Received: from [192.168.223.100] (cpe-24-93-151-120.maine.res.rr.com [24.93.151.120])
	by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis)
	id 0Lrvza-1TT0aS0rfi-013r0B; Tue, 25 Sep 2012 10:40:54 -0400
Subject: Re: [X2Go-Dev] Bug#34: SSH_OPTIONS_FD
From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
To: Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de>, 
 34@bugs.x2go.org, x2go-dev@lists.berlios.de
Cc: Moritz Struebe <Moritz.Struebe@informatik.uni-erlangen.de>
In-Reply-To: <506175AC.8000209@obviously-nice.de>
References: <505CC771.20300@gmx.de>
	 <handler.34.B34.13482576789462.ackinfo@bugs.x2go.org>
	 <505D9F99.10808@gmx.de> <505DA7B4.3030909@informatik.uni-erlangen.de>
	 <505F6DDB.1070304@gmx.de> <5060251D.90202@informatik.uni-erlangen.de>
	 <20120924132602.316510@gmx.net>
	 <50607239.5090308@informatik.uni-erlangen.de> <5060CF1E.20700@gmx.de>
	 <5060EA24.7070600@obviously-nice.de> <20120925030819.309160@gmx.net>
	 <20120925102525.15264n2buhtuy73p@mail.das-netzwerkteam.de>
	 <50616F8C.2020600@obviously-nice.de>
	 <506172DF.9070902@informatik.uni-erlangen.de>
	 <506175AC.8000209@obviously-nice.de>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 25 Sep 2012 10:40:49 -0400
Message-ID: <1348584049.21992.138.camel@denise.theartistscloset.com>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.3 
Content-Transfer-Encoding: 7bit
On Tue, 2012-09-25 at 11:13 +0200, Oleksandr Shneyder wrote:
> On 25.09.2012 11:01, Moritz Struebe wrote:
> > On 2012-09-25 10:47, Oleksandr Shneyder wrote:
> >>  Sure, it is a
> >> fail of system administrator, if he allows such unencrypted authentication
> >> over Internet. But I don't even give them a possibility to make such
> >> mistake...
> Sorry, here should be "I don't want to give" instead of "I don't give"
> 
> > 
> > I don't really get your point. The credentials are used by the browser
> > anyway - because otherwise there would be no need for a proxy. I don't
> > think it's our job to disable features because of incompetent system
> > administrators. After all proxy authentication is normally used within LANs.
> 
> I don't want to disable any features. I only say, it is nice to have a
> possibility to send authentication data to server encrypted. In LAN it
> is not a such big problem to send it in clear text. But in case of
> SSH-Proxy it is an Internet connection. And I want, that every one, who
> use this feature with X2Go know, that sending unencrypted data over
> Internet is not safe. And that should not be the same authentication
> data as used on other servers.
<snip>
I very much agree with Alex here.  Although we can absolve ourselves of
the responsibility, it is wiser to do as much as we can to prevent both
admins and users from shooting themselves the stupid things they may do.
For example, it is not just a matter of a sloppy admin not realizing
they should use a separate authentication domain for the proxy; even if
they do, we have the social engineering problem of users using the same
password for the proxy as for anything else.  Once one intercepts that
password, a cracker will try it everywhere they can for that user.
Thus, I would strongly advocate all authentication even to the proxy be
protected by encryption.  Thanks - John



X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue May 21 23:13:02 2024; Machine Name: ymir.das-netzwerkteam.de
