[X2Go-Dev] Bug#34: SSH_OPTIONS_FD

[Moritz Struebe]

On 2012-09-25 10:25, Mike Gabriel wrote:
>
> On Di 25 Sep 2012 05:08:19 CEST glpk xypron wrote:
>
>> I am not aware of proxies being contacted over https.
>
> Hmmm... this indeed is true... The feature will mostly be an
> inside-to-outside connection. Hmmm... To get it clear, would we send
> http-proxy authentication strings in cleartext to the proxy server or
> would we send the remote X2Go server credentials to the proxy in
> cleartext.

Client ---http & Basic Auth---> proxy (Basic Auth) -> New Socket
Using this new socket:
Client ---SSL ---- Socket at Proxy ---Still same SSL---> Server

This we first authenticate unencrypted at the proxy using the proxy
user/pass. Then the SSL connection is made to the server and we
authenticate against the server.


>
> Sending proxy auth in cleartext probably is common practice (?). Most
> proxy setups do not even need an auth-against-the-proxy.

Yep, but some do.

>
> This feature clearly needs a good documentation so that we do not
> false security alarms on the mailing lists!!! 

Nay, I think this is a matter of the gui that must clearly suggest, that
this user/password is for the proxy.

/--- Proxy-----------------------\
| Enable: 
| Address : 
| User (optinal):
| Password (optional):
\-------------------------------/

Morty

-- 
Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter)
Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme)
Friedrich-Alexander-Universität Erlangen-Nürnberg
Martensstr. 1
91058 Erlangen

Tel   : +49 9131 85-25419
Fax   : +49 9131 85-28732
eMail : struebe at informatik.uni-erlangen.de
WWW   : http://www4.informatik.uni-erlangen.de/~morty



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5005 bytes
Desc: S/MIME Kryptografische Unterschrift
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20120925/983efe69/attachment.bin>