[X2Go-Dev] x2go and (none)security
Stefan Baur
newsgroups.mail2 at stefanbaur.de
Tue May 21 11:49:31 CEST 2013
Am 21.05.2013 10:40, schrieb Oleksandr Shneyder:
> You are right, it is possible, that X2Go Client can be crashed with the
> wrong output from the server. This issue could (and should) be easily
> fixed by replacing operator "[n]" with method "value(n)". However, I
> don't think, that this issue is so dramatic as you described it. Why
> some one should open a SSH/X2GO connection to "rough" server?
Scenario:
DNS server is under the control of an attacker.
Requests for "myserver.foobar.com" are answered with the IP of the rogue
server.
Obviously, in case of SSH, there should be a fingerprint mismatch
warning if the key of myserver.foobar.com is already known, which in
case of the X2Go client cannot be overridden by clicking it away. But if
it is a first-time connection, there will be a pop-up asking whether the
key fingerprint is correct. If the user doesn't pay attention there (and
to be honest - which average user does?), it would be possible to
connect to a rogue server without wanting to.
-Stefan
More information about the x2go-dev
mailing list