On Thursday 2019-10-24 15:20, Dr. Werner Fink wrote:
On 2019/10/24 15:13:38 +0200, Jan Engelhardt wrote:
On Thursday 2019-10-24 15:03, Dr. Werner Fink wrote:
Sorry but sddm is IMHO broken by design and/or upstream. No XDMCP support means that the only way to go remote is to use VNC and this is more like a genuine piece of crap. And upstream is not willing to add XDMCP support.
That would not surprise me. Was XDMCP ever secure (as in, TLS/SSL)? I don't remember it as such.
Does this mean gdm, xdm, and lightdm are insecure even with XDMCP+MIT-MAGIC-COOKIE-1?
* XDMCP uses udp/177, and "similarly to telnet, the authentication takes place unencrypted." [says Wikipedia on XDMCP], so that could expose your cookie.
* Once XDMCP has established the pairing, the display manager runs as a normal X client. To that end, the environment variable is set to something like "DISPLAY=1.2.3.4:6001" I think, and that is an unencrypted TCP/X11 connection.
Also, there is a secure version using an ssh connection tunnel.
That would work differently, I imagine. One, because SSH does not support UDP tunneling and you therefore could not run XDMCP over it, and second, SSH already opens a session, therefore you would not need XDMCP anymore to do the same. SSH will then set e.g. "DISPLAY=:10.0" (which essentially leads into the secure tunnel mechanism). So yeah, it's reasonable to have XDMCP support patches rejected in favor of the ssh-based approach.
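
Added example, not part of the thread: a small check that tells apart the two kinds of DISPLAY value discussed above, a remote host (plain X11 over TCP) and a local or loopback display such as the one an SSH X11 forward provides. It assumes the standard DISPLAY syntax [protocol/][host]:display[.screen] with TCP port 6000 + display; the session names and addresses are constructed sample data.

```python
import re

# DISPLAY syntax: [protocol/][host]:display[.screen]; TCP port is 6000 + display.
_DISPLAY = re.compile(
    r"^(?:[a-z0-9]+/)?(?P<host>.*):(?P<num>\d+)(?:\.\d+)?$", re.IGNORECASE)

# Host parts that keep X11 traffic on this machine's loopback interface.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def classify_display(value):
    """Return (verdict, transport) for one DISPLAY string."""
    m = _DISPLAY.match(value.strip())
    if not m:
        return ("invalid", value)
    host = m.group("host").strip("[]").lower()
    num = int(m.group("num"))
    if host in ("", "unix") or host.startswith("/"):
        return ("local", "display %d on this host" % num)
    if host in LOOPBACK_HOSTS:
        # What sshd's X11 forwarding normally hands out (e.g. localhost:10.0).
        return ("loopback", "tcp localhost:%d" % (6000 + num))
    # Anything else is plain X11 over TCP to another machine.
    return ("remote-cleartext", "tcp %s:%d" % (host, 6000 + num))


def audit(sessions):
    """Return sorted names of sessions whose X11 traffic crosses the network."""
    return sorted(name for name, display in sessions.items()
                  if classify_display(display)[0] == "remote-cleartext")


# Constructed sample data: session name -> DISPLAY value (not from the thread).
SAMPLE_SESSIONS = {
    "console": ":0",
    "ssh-x11": "localhost:10.0",
    "xdmcp": "192.0.2.10:1",
    "ssh-alt": ":10.0",
}

if __name__ == "__main__":
    for name, display in sorted(SAMPLE_SESSIONS.items()):
        print(name, display, *classify_display(display))
    print("cleartext sessions:", audit(SAMPLE_SESSIONS))
```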