Mailing List archive


[vdr] Re: Programm VDR over Web



Klaus.Schmidinger@cadsoft.de(Klaus Schmidinger)  03.10.01 14:46

Once upon a time Klaus Schmidinger shaped the electrons to say...

>Guido Fiala wrote:
>>
>>>> The remote login method I intended to be an "additional" feature
>>>> to interfere directly with vdr. Of course you can still ssh into
>>>> your machine and start a telnet-session to do so...
>>>
>>> I wouldn't want to implement full "login" control etc. into VDR.
>>> That's something the system already does a lot better.
>>
>> That's right - but without a firewall the vdr-port is open to
>> everybody! Even if you just use EPG2timers - during connect someone
>> could possibly hack vdr and use some obscure trick to obtain
>> vdr-UID-shell access.

>But that's not the problem of VDR, I would say.

The authentication is always a problem of the service
which opens the port.
If VDR opens a port to the internet: It's its problem
to authenticate, not the system's.

I don't know how the "system" should authenticate if
no "logind" etc. is involved at all.


The only ways I see currently are extra applications
that already do authentication, but open their own ports:

Bind the VDR port explicitly to "localhost" (127.0.0.1) or
a "named pipe" or such and use SSH to tunnel to it.
The only open port will be port 22 of sshd, assuming
that this application is already tested very, very well.
SSH will do the remote authentication, but
local abuses are still possible.

Another idea would be an HTTP server that does the authentication too.
(There was already someone who wanted to write an HTTP interface, IIRC?)
But there too: No open port to the internet from VDR is allowed/required
and local exploits are still possible, because only VDR "knows"
who is allowed to administer it.
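
A check for the loopback-plus-SSH setup described in the message above, added here as an example and not part of the original post: it parses `ss -ltn` style output and reports every listening port that other hosts can reach, apart from sshd's port 22. The sample output is constructed, and port 2001 is an assumed stand-in for the VDR control port, since the message names no port number.

```python
import ipaddress

# Constructed samples of `ss -ltn` output (not from the original message).
# Port 2001 is an assumed stand-in for the VDR control port.
SAMPLE_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:2001       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""
SAMPLE_AFTER = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:2001     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      5      [::1]:2001         [::]:*
"""

def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or unrelated line
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def is_loopback(addr):
    """True only for loopback binds; wildcards ('*', 0.0.0.0, ::) are not."""
    if addr == "*":
        return False
    # ss may append an interface scope such as %lo; drop it before parsing.
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback

def exposed_ports(ss_output, allowed=frozenset({22})):
    """Ports reachable from other hosts that are not on the allow-list."""
    return sorted({port for addr, port in parse_listeners(ss_output)
                   if not is_loopback(addr) and port not in allowed})

if __name__ == "__main__":
    print("before:", exposed_ports(SAMPLE_BEFORE))
    print("after: ", exposed_ports(SAMPLE_AFTER))
```

An empty result only shows that nothing but sshd is reachable from the network; it says nothing about local users, who can still connect to the loopback port, as the message notes.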




