l4-hurd

Re: SSH revised


From: Lluis
Subject: Re: SSH revised
Date: Tue, 28 Mar 2006 15:54:06 +0200
User-agent: Mutt-ng devel-r782 (based on Mutt 1.5.11/2005-09-15)

Well Bas, you already explained over my poor words, and clarified some 
questions for me, thanks :)

On Tue, Mar 28, 2006 at 01:12:01PM +0200, Bas Wijnen delighted us with the 
following words:
>>> I mean, when the user server gets the connection, it is already 
>>> encrypted, so unless a re-negotiation of session encryption takes 
>>> place, any of the programs that handled that connection cap. to the 
>>> user server could be snooping on it...
>> 
>> "Any of these programs" are exactly the ssh server and the user's own 
>> programs handling the connection.
> 
> The only relevant one is the system ssh server.
> 
>> There is no issue here.
> 
> Of course you must trust the system anyway, but it would have been nice if 
> the ssh server could have been kept out of the TCB.  It can though, if users run 
> their own server (through their own domain, or each on their own port).  This 
> may be a good reason for doing it that way.  However, we don't really need 
> full trust in the code (as we do for the TCB), we must only know that it is 
> confined.  That is, the layer doing the en/decryption must get the 
> capabilities to both ends of the connection, and no other unconfined 
> capabilities.  In that case, even if it does a man in the middle attack, it 
> cannot tell anyone about it (except a compromised server on the other end, 
> but if we have that, we lose anyway).

But... a cap. to a network connection makes any non-TCB code untrusted, 
right?

You can't guarantee it is confined, because a network connection makes it 
unconfined, and even if it isn't you can't know the characteristics of a 
remote program... of course, if you are logging on to a remote server, you 
already have some sort of trust in it.

I don't know how the confinement tests work... is there a way to ask "are 
you confined except for this set of caps?" or something similar? I know (or 
think I know) that EROS makes these tests with the constructor, but "this 
set of caps" is not static, so the constructor can't tell us about it.  
Sorry but I don't know much about this.

What assumptions can you make about a network connection cap when being a 
server? And a client?

Read you,
  Lluis

PS: reading some of the messages of this list is like travelling to the 
past... attendees of the time-travellers symposium, the meeting will be 
held the past week

-- 
 "And it's much the same thing with knowledge, for whenever you learn
 something new, the whole world becomes that much richer."
 -- The Princess of Pure Reason, as told by Norton Juster in The Phantom
 Tollbooth
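
The question raised in the message, "are you confined except for this set of caps?", can be sketched as a toy model. This is an added example, not part of the original message and not EROS or Hurd code; the constructor names, capability names and the three capability kinds are hypothetical. The model assumes that capabilities handed over at instantiation (such as the two ends of the connection) are chosen by the client and therefore count as authorized, so only the initial capabilities are checked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cap:
    """A capability in the toy model; 'target' is set only for constructor caps."""
    name: str
    kind: str          # "readonly", "constructor" or "channel" (hypothetical kinds)
    target: str = ""   # name of the constructor this cap invokes

# Constructed sample data: the initial caps each constructor gives its product.
CONSTRUCTORS = {
    "cipher_lib": [Cap("sbox_tables", "readonly")],
    "crypto_layer": [
        Cap("code_page", "readonly"),
        Cap("make_cipher", "constructor", "cipher_lib"),
    ],
    "leaky_layer": [
        Cap("code_page", "readonly"),
        Cap("make_cipher", "constructor", "cipher_lib"),
        Cap("debug_socket", "channel"),  # can carry data out: a hole
    ],
}

def holes(ctor, seen=None):
    """Return the names of all initial caps that could leak information,
    following constructor caps transitively (each constructor visited once)."""
    seen = set() if seen is None else seen
    if ctor in seen:
        return set()
    seen.add(ctor)
    found = set()
    for cap in CONSTRUCTORS[ctor]:
        if cap.kind == "readonly":
            continue                          # safe: cannot transmit outward
        if cap.kind == "constructor":
            found |= holes(cap.target, seen)  # safe only if its product is
        else:
            found.add(cap.name)               # anything else is a hole
    return found

def confined_except(ctor, authorized):
    """Answer: is the product confined except for this set of caps?"""
    return holes(ctor) <= set(authorized)
```

In this model the answer depends only on the static initial capabilities, while the client decides which holes it is willing to authorize.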



