In article <36F21504.2B1ECE31 at uni-duesseldorf.de>,
Hans-Peter Schmitz <schmitzh at uni-duesseldorf.de> wrote:
>Tim Cutts wrote:
>>>>> Most of these things I can live with except for the security issue.
>> Unfortunately this is not a problem limited to the makers of MI/X.
>> Both eXodus and MacX have a similarly lax attitude to security. Why
>> can't commercial software manufacturers take security seriously? Even
>> eXceed defaults to letting the entire Internet access your screen,
>> although at least in that case you can configure the program to be a
>> bit more sane.
>>You can make things more secure using SSH! I´m running Seqlab using MI/X
>and the free SSH Client from Cedomir Igaly which does X11 forwarding.
>Doing so you can get both - encryption and compression of the data.
>For the users in our lab which are all used to Windows Applications this
>seemed to be the easiest solution.
ssh does *not* solve the problem.
People can no longer snoop on the X connection itself, true, but they
can still connect to your main display and take snapshots of what's on
MI/X on machine A. SSH from machine A to machine B, where you run
Machine B has a DISPLAY variable of B:10.0, or something like that.
Now log onto another machine, C.
On C, type:
xwd -root -display A:0.0 -out screen.dump
or set your DISPLAY variable to A:0.0 and run any client you like.
Oops! You can still get an image of the X server even though the user
is using SSH.
This is because ssh only protects the TCP connection between the ssh
daemon itself and the X client. It does *nothing* to protect access
to the X server itself. If you think it does, then you have given
your users a false sense of security.