Subject: Re: X authorization
From: Brian Somers (brian@Awfulhak.org)
Date: Fri Feb 25 2000 - 15:59:59 CST


>
> :Hi to all,
> :
> :Would be grateful for help or explanation. I used to think that by default
> :nobody can run anything on my display. But now I revealed that it is enough
> :to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> :(that has been accessed) says that
> :
> :access control enabled, only authorized clients can connect
> :
> :and nothing more. What is the possible source of the problem?
> :I have not customized any authorization mechanisms...
> :I run FreeBSD 3.4.
> :
> :Thank you,
> :Alex
>
> I'll bet you are using ssh.
>
> Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
> machine B to point to machine A will not give machine B access to
> machine A's X display. Machine A must give machine B access, typically
> through the 'xhost' command.

I wouldn't say ``typically''. Using xhost is bad as it gives anybody
on the given host access to your display. Xauth is the correct way
to do it. It stuffs an authentication key in the .Xauthority file
allowing access only to people with access to the .Xauthority file.
Check the xauth man page for the magic incantation.

> However, some programs will tunnel X sessions automatically. ssh is
> one of these. If you are sitting on machine A and you ssh to machine B,
> you will then be able to run X binaries on machine B and have them show
> up on machine A's display. The X protocol will run through the
> 'secure' ssh session.
>
> I don't know many people who do this, at least not between two local
> machines sitting on the same LAN, because running an X client through
> an encrypted ssh session tends to really slow down the client.

*shrug* I do it all the time for convenience. sshd is on just about
every machine I use, whereas the alternative of mucking about with
xon, rstart or some locally brewed version is a pain. Besides, CPUs
these days can easily encrypt stuff faster than your standard 10mbit
network can transport them.

> -Matt
> Matthew Dillon
> <dillon@backplane.com>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
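The xauth mechanism Brian describes, shown as an added example that is not part of the thread: a small Python model of the .Xauthority file format as the Xau library writes it (a big-endian u16 address family, then four length-prefixed fields: address, display number, protocol name, cookie). It generates a MIT-MAGIC-COOKIE-1 entry, serializes and parses it back, and resolves a display the way a client would, which makes the contrast with xhost concrete: access follows possession of the 16-byte cookie in a 0600 file, not the client's host. The hostname, display number and cookie are constructed values.

```python
"""Model of .Xauthority entries (MIT-MAGIC-COOKIE-1).

Constructed example, not code from the original thread. Layout follows libXau:
    u16 family | u16 len, address | u16 len, number | u16 len, name | u16 len, data
with all u16 values big-endian.
"""
import os
import struct
import tempfile
from dataclasses import dataclass

FAMILY_INTERNET = 0       # address is 4 raw IPv4 bytes
FAMILY_LOCAL = 256        # local display; address is the hostname
FAMILY_WILD = 65535       # matches any address family/address

COOKIE_PROTO = b"MIT-MAGIC-COOKIE-1"


@dataclass
class XauthEntry:
    family: int
    address: bytes
    number: bytes   # display number as ASCII digits, e.g. b"0"
    name: bytes     # authorization protocol name
    data: bytes     # the secret; 16 bytes for MIT-MAGIC-COOKIE-1


def _pack_field(value: bytes) -> bytes:
    if len(value) > 0xFFFF:
        raise ValueError("field too long for a u16 length prefix")
    return struct.pack(">H", len(value)) + value


def serialize(entries) -> bytes:
    """Encode entries in the on-disk .Xauthority layout."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += _pack_field(field)
    return bytes(out)


def parse(blob: bytes):
    """Decode an .Xauthority blob, rejecting truncated records."""
    entries, pos = [], 0

    def take_u16():
        nonlocal pos
        if pos + 2 > len(blob):
            raise ValueError("truncated u16 at offset %d" % pos)
        (v,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        return v

    def take_field():
        nonlocal pos
        n = take_u16()
        if pos + n > len(blob):
            raise ValueError("truncated field at offset %d" % pos)
        v = blob[pos:pos + n]
        pos += n
        return v

    while pos < len(blob):
        family = take_u16()
        fields = [take_field() for _ in range(4)]
        entries.append(XauthEntry(family, *fields))
    return entries


def new_cookie_entry(hostname: str, display: int) -> XauthEntry:
    """Fresh 128-bit cookie for hostname:display (what `xauth generate` or mcookie would supply)."""
    return XauthEntry(FAMILY_LOCAL, hostname.encode(), str(display).encode(),
                      COOKIE_PROTO, os.urandom(16))


def lookup(entries, family: int, address: bytes, display: int):
    """Pick the entry a client would present: family+address (or wild) and display must match."""
    for e in entries:
        addr_ok = e.family == FAMILY_WILD or (e.family == family and e.address == address)
        if addr_ok and e.number == str(display).encode():
            return e
    return None


def write_authority(path: str, entries) -> None:
    """Write the file 0600: whoever can read it holds the key to the display."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(serialize(entries))


if __name__ == "__main__":
    entry = new_cookie_entry("hostA", 0)          # constructed host/display
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Xauthority")
        write_authority(path, [entry])
        with open(path, "rb") as f:
            found = lookup(parse(f.read()), FAMILY_LOCAL, b"hostA", 0)
        print("mode %o, cookie %s" % (os.stat(path).st_mode & 0o777, found.data.hex()))
```

Pointing XAUTHORITY at such a file is all a client needs; `xauth list` shows the same fields in text form, while `xhost` only shows the host allow list, which is why the original poster's `xhost` output looked clean while ssh's own cookie was doing the work.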