[vox-tech] xhost+: Why you should NEVER DO THAT

Rick Moen rick at linuxmafia.com
Fri Mar 18 09:15:13 PST 2005


Quoting Peter Jay Salzman (p at dirac.org):

> However, it should be pointed out that once someone gets access to your LAN,
> even ssh, sshd and gnupg are all suspects.

I can actually speak to this from having lived that situation.  Maybe
you never visited the CoffeeNet in its heyday.  (Web mirror:
http://linxumafia.com/coffeenet/)  It was a 100% Linux-based Internet
cafe in a small two-story building in South of Market, San Francisco.  I
helped the owner, Richard Couture, build it.  He and I lived in the two
apartments, upstairs -- plus there was a sort of "community room" at the
bottom of the stairs, behind the cafe.

The entire building was on real public IP space, using hubs rather than
switches (a consequence of the years in question), which all was
connected to the Internet over a T1 line.  The hubs included ports
accessible to the public _inside_ the cafe, where people could plug in
laptops.

_So_, I lived with the knowledge that my home LAN was utterly public.
Therefore, I could not and did not trust the LAN.

My point is that this was _not a problem_:  Anything that I cared about
not being sniffable got encrypted, and I took care of my own nameservers
(taking measures to protect them against cache poisoning).  While I was
at it, I figured:  Why not also adopt a model that none of the machines
trusts each other, either?  This, likewise, proved pretty easy once I
got well into the mindset.  I still use that model, today:  Each of my
machines has a "security perimeter" at the edge of its case, and I place
no reliance whatsoever on "firewalls" for primary protection.  (If
memory serves, even at my interior NAT host, the only rulesets I used
were ones to reject spoofed packets and certain sorts of broadcasts.)

My experience suggests that you're not correct that ssh, sshd, and gnupg
all automatically become suspects, in cases like that.  To the contrary,
they become primary tools.  The only complication is that you have to be
really careful about key management, in order to foil imposters and MitM
attacks.  But you should do that, _anyway_.
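One way to put the closing point, careful key management to foil imposters and MitM, into practice is to pin each machine's SSH host key and refuse to connect when the presented key differs from the pin. This is an added example, not code from the thread or from OpenSSH; the hostnames and key blobs are constructed placeholders, not real keys, and the known_hosts layout and SHA256 fingerprint format follow OpenSSH's conventions.

```python
import base64
import hashlib
import hmac

# Constructed host-key blobs (NOT real keys): placeholder bytes standing in
# for the wire-format public key that OpenSSH records in known_hosts.
CAFE_KEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x11" * 32
NAS_KEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x22" * 32
ROGUE_KEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x33" * 32

# Constructed known_hosts text: pins recorded out of band (e.g. read off the
# console) for two machines on the shared, untrusted LAN.
KNOWN_HOSTS = "\n".join([
    "# hostnames  key-type  base64 key blob",
    "cafe-box,cafe-box.local ssh-ed25519 " + base64.b64encode(CAFE_KEY).decode(),
    "upstairs-nas ssh-ed25519 " + base64.b64encode(NAS_KEY).decode(),
])


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 digest, '=' padding dropped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each hostname to its pinned (key type, raw key blob)."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, blob_b64 = line.split()[:3]
        for name in hosts.split(","):
            pins[name] = (keytype, base64.b64decode(blob_b64))
    return pins


def check_host_key(host: str, keytype: str, presented: bytes, pins: dict) -> str:
    """'trusted' if the key equals the pin; 'unknown' if there is no pin (never
    accept blindly on a shared LAN); 'changed' if a pin exists but differs,
    which is what an imposter or a MitM on the path looks like."""
    pin = pins.get(host)
    if pin is None:
        return "unknown"
    if pin[0] == keytype and hmac.compare_digest(pin[1], presented):
        return "trusted"
    return "changed"


if __name__ == "__main__":
    pins = parse_known_hosts(KNOWN_HOSTS)
    # Genuine box, a box with no pin, and cafe-box answered by a different key.
    for host, blob in [("cafe-box", CAFE_KEY), ("laptop-guest", NAS_KEY), ("cafe-box", ROGUE_KEY)]:
        print(f"{host:13} {fingerprint(blob)}  -> {check_host_key(host, 'ssh-ed25519', blob, pins)}")
```

The "changed" verdict is the one to act on: on a LAN where anyone can plug in, a host key that silently differs from the pin should abort the session rather than prompt for acceptance.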