On Mon, Oct 01, 2007 at 02:45:30PM -0500, Aaron Konstam wrote:

> This may be an off the wall question but here goes. When you bring up
> the cups web interface and choose to administer your printers, you are
> asked to login with a username and passwd. Usually it is the name root
> and root's passwd that works.
>
> Let us say someone has a network sniffer on another machine on your
> LAN. Since the root passwd you type is going to localhost network it
> should be handled by the loopback interface.
>
> Is it? And if that is so can a sniffer on the LAN see the passwd
> entered?

What is the URL that gets you to the CUPS IF? Mine is http://localhost:631/, so in my case, yes, it is localhost. If your name resolution is set up correctly, that should point to the local loopback device:

    [root@dragon ~]# host localhost
    localhost has address 127.0.0.1
    localhost has IPv6 address ::1
    [root@dragon ~]# ifconfig lo
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:19437 errors:0 dropped:0 overruns:0 frame:0
              TX packets:19437 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:4729638 (4.5 MiB)  TX bytes:4729638 (4.5 MiB)

So, yes, it should go to the local loopback device (LLD). The whole point of the LLD is that it never goes to the network. With a properly written LLD, a packet should go to the IP level of the TCP/IP stack. The LLD's IP code simply swaps the source and destination addresses and ports, and hands the packet back to the appropriate higher level protocol (ICMP, TCP, UDP, etc.). (I haven't looked at the source for Linux's LLD, but that's basically what the one I wrote did.)

So if the LLD is properly written, a sniffer on another machine should never see any packets to or from a LLD.

As you probably know, the X protocol uses TCP/IP to communicate between clients (programs) and servers (displays, keyboards, etc.). Think of the security implications when X traffic doesn't travel over the loopback device. A cracker who can scarf your X packets could watch you compose mash notes to your secretary on company time in real time. Not very secure! This is one of several reasons the normal "xhost" authentication is deprecated in favor of SSH.

So, yeah, the TCP/IP security folks have already thought of this question.

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
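The name-resolution check the reply walks through by hand (`host localhost`, then confirming the answer is a loopback address), as an added example that is not part of the original thread or of CUPS itself: a small Python script that takes the CUPS admin URL, resolves its host, and reports whether every address is loopback (127.0.0.0/8 or ::1), so the login would never leave the `lo` device. The function name `check_cups_url`, the constructed hostname table and the pluggable resolver are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host, port):
    """Default resolver: ask the system (e.g. /etc/hosts) for the host's addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, port)})


def check_cups_url(url, resolver=resolve_host):
    """Classify the addresses a CUPS URL's host resolves to.

    An address handled by the loopback device never reaches the wire, so a
    LAN sniffer cannot see it. A non-loopback answer combined with a plain
    http scheme means the admin password would cross the network in clear.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or 631          # CUPS listens on 631 by default
    loopback, non_loopback = [], []
    for addr in resolver(host, port):
        # IPv6 link-local answers may carry a scope id ("fe80::1%eth0"); drop it
        ip = ipaddress.ip_address(addr.split("%")[0])
        (loopback if ip.is_loopback else non_loopback).append(str(ip))
    return {
        "host": host,
        "port": port,
        "plaintext": parts.scheme != "https",
        "loopback": loopback,
        "non_loopback": non_loopback,
        # True only when every address the name resolves to stays on lo
        "stays_local": bool(loopback) and not non_loopback,
    }


# Constructed name table standing in for /etc/hosts or DNS (example data only)
SAMPLE_HOSTS = {
    "localhost": ["127.0.0.1", "::1"],
    "printhost": ["192.168.1.10"],
    "mixed": ["127.0.0.1", "10.0.0.5"],     # one loopback, one LAN address
}


def sample_resolver(host, port):
    return SAMPLE_HOSTS[host]


if __name__ == "__main__":
    for url in ("http://localhost:631/", "http://printhost:631/admin", "https://mixed/"):
        r = check_cups_url(url, sample_resolver)
        verdict = "stays on lo" if r["stays_local"] else "can reach the LAN"
        print(f"{url}: {verdict}; plaintext={r['plaintext']} addresses={r['loopback'] + r['non_loopback']}")
```

Run against a real system by calling `check_cups_url("http://localhost:631/")` with the default resolver; a `non_loopback` entry for the name you use in the browser is the case the question worries about.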