[lug] Processor assignment

Rob Nagler nagler at bivio.biz
Fri Apr 1 16:38:45 MDT 2016


> > I bet people tunnel X11 back to their workstations, which is insecure.
>
> I guess it depends on what you mean by insecure and on how you do it.
> But as I said, I am no security expert. Some of NCAR's security
> experts sometimes lurk on this list and might chime in.


X11 does not isolate applications, similar to DOS. It's one big memory
space. There are technologies to do that isolation, but I don't think they
are that popular. Browsers have a security model which ensures isolation
(assuming no bugs :), but with X11, there is no security model except
"locking the front door" with a password.

In my experience, a well-written web server is more secure than allowing
people to ssh into a server. The Jupyter folks now offer a containerized,
multi-user hub, which would be more secure than reverse tunneling
Jupyter. You can plug in any auth model so you can use OTP. This provides
end-to-end security from the app to the server, which is less likely to be
hacked than having an unsecured tunnel (ssh -N -l username -L
8888:geyser03-ib:8888 yellowstone.ucar.edu).

At least that's my $.02. :)

Rob