Subject: Re[2]: X authorization
From: A. Rakukin (rakukinmail.ru)
Date: Sat Feb 26 2000 - 07:18:13 CST


-----Original Message-----
From: Brian Somers <brianAwfulhak.org>
To: Matthew Dillon <dillonapollo.backplane.com>
Date: Fri, 25 Feb 2000 21:59:59 +0000
Subject: Re: X authorization

> >
> > :Hi to all,
> > :
> > :Would be grateful for help or explanation. I used to think that by default
> > :nobody can run anything on my display. But now I revealed that it is enough
> > :to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> > :(that has been accessed) says that
> > :
> > :access control enabled, only authorized clients can connect
> > :
> > :and nothing more. What is the possible source of the problem?
> > :I have not customized any authorization mechanisms...
> > :I run FreeBSD 3.4.
> > :
> > :Thank you,
> > :Alex
> >
> > I'll bet you are using ssh.

sshd is not running on the host which has been accessed...
I am aware of the X-connections forwarding ability of ssh,
but it is not the case...

> >
> > Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
> > machine B to point to machine A will not give machine B access to
> > machine A's X display. Machine A must give machine B access, typically
> > through the 'xhost' command.
>
> I wouldn't say ``typically''. Using xhost is bad as it gives anybody
> on the given host access to your display. Xauth is the correct way
> to do it. It stuffs an authentication key in the .Xauthority file
> allowing access only to people with access to the .Xauthority file.
> Check the xauth man page for the magic incantation.

I know that xhost is insecure. But it worked earlier!
And now I have a situation as follows: I merely start X (via xdm) on host A,
no windows/commands there, then go to host B,
type `export DISPLAY=A:0; xterm' and see an xterm window
opened on the display of A! Then test `xhost' on A and see no hosts allowed...

I think something has been changed in the configuration casually,
and would be grateful for any advice on what it might be.
I looked through Xsessions etc., but have not found anything,
unfortunately...

>
> > However, some programs will tunnel X sessions automatically. ssh is
> > one of these. If you are sitting on machine A and you ssh to machine B,
> > you will then be able to run X binaries on machine B and have them show
> > up on machine A's display. The X protocol will run through the
> > 'secure' ssh session.
> >
> > I don't know many people who do this, at least not between two local
> > machines sitting on the same LAN, because running an X client through
> > an encrypted ssh session tends to really slow down the client.
>
> *shrug* I do it all the time for convenience. sshd is on just about
> every machine I use, whereas the alternative of mucking about with
> xon, rstart or some locally brewed version is a pain. Besides, CPUs
> these days can easily encrypt stuff faster than your standard 10mbit
> network can transport them.

In any case, I would like to forbid unauthorized access at first!

>
> > -Matt
> > Matthew Dillon
> > <dillonbackplane.com>
>
>
>
>

Thanks to all,
Alex
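The thread turns on the difference between what `xhost` reports and what actually gates access: host entries are a blanket grant to every user on those hosts, cookies in `.Xauthority` limit access to whoever can read the file, and `xhost` alone does not show whether cookies are in play. The script below is an added example written for this page, not code from any of the posters. It parses `xhost` and `xauth list` output as strings so it can be checked against constructed samples (the `SAMPLE_*` values, the hostname `hostb.example` and the cookie hex are all made up), and only at the end does it run against the live `$DISPLAY` if `xhost`, `xauth` and, on FreeBSD, `sockstat` are on the PATH. The function names are this example's own.

```shell
#!/bin/sh
# Added example: audit the X display access-control state discussed in the
# thread.  Parsers take command output as a string so they run offline.

# Constructed sample: control on, but host entries grant access
# (what `xhost +hostb` leaves behind).
SAMPLE_XHOST_HOSTLIST='access control enabled, only authorized clients can connect
INET:hostb.example
LOCAL:'

# Constructed sample: the state Alex reports, control on and no hosts.
SAMPLE_XHOST_LOCKED='access control enabled, only authorized clients can connect'

# Constructed sample: what `xhost +` leaves behind.
SAMPLE_XHOST_DISABLED='access control disabled, clients can connect from any host'

# Constructed sample of `xauth list` for display :0 (cookie value is fake).
SAMPLE_XAUTH='hosta/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
hosta:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'

# xhost_state OUTPUT: classify `xhost` output as
#   disabled  (xhost + was run: any client may connect)
#   hostlist  (control on, but listed hosts are trusted wholesale)
#   locked    (control on, no host entries: only cookie holders get in)
#   unknown   (empty output, e.g. no server reachable)
xhost_state() {
    _first=''; _seen=0; _entries=0
    while IFS= read -r _line; do
        if [ "$_seen" -eq 0 ]; then _seen=1; _first=$_line; continue; fi
        case $_line in
            *:*) _entries=$((_entries + 1)) ;;   # FAMILY:name lines
        esac
    done <<EOF
$1
EOF
    if [ -z "$_first" ]; then echo unknown; return 0; fi
    case $_first in
        "access control disabled"*) echo disabled ;;
        *) if [ "$_entries" -gt 0 ]; then echo hostlist; else echo locked; fi ;;
    esac
}

# xauth_cookie_count OUTPUT DISPLAYNUM: count MIT-MAGIC-COOKIE-1 entries in
# `xauth list` output for the given display number.
xauth_cookie_count() {
    _n=0
    while IFS= read -r _line; do
        case $_line in
            *":$2 "*MIT-MAGIC-COOKIE-1*) _n=$((_n + 1)) ;;
        esac
    done <<EOF
$1
EOF
    echo "$_n"
}

# display_verdict STATE COOKIES: one-line assessment combining both views.
display_verdict() {
    case $1 in
        disabled) echo "OPEN: access control disabled, any client may connect" ;;
        hostlist) echo "WEAK: host entries admit every user on the listed hosts" ;;
        locked)
            if [ "$2" -gt 0 ]; then
                echo "OK: cookie-only access ($2 cookie entries)"
            else
                echo "WARN: no host entries and no cookies found for this display"
            fi ;;
        *) echo "UNKNOWN: could not read xhost state" ;;
    esac
}

# Live run, skipped when there is no display or the tools are missing.
if [ -n "$DISPLAY" ] && command -v xhost >/dev/null 2>&1 \
   && command -v xauth >/dev/null 2>&1; then
    _disp=${DISPLAY##*:}; _disp=${_disp%%.*}
    _state=$(xhost_state "$(xhost 2>/dev/null)")
    _cookies=$(xauth_cookie_count "$(xauth list 2>/dev/null)" "$_disp")
    display_verdict "$_state" "$_cookies"
    # Is the server reachable over TCP at all (port 6000 + display number)?
    # sockstat is FreeBSD's socket lister; a hit here is what lets a remote
    # `export DISPLAY=A:0` reach the server in the first place.
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -l 2>/dev/null | grep ":$((6000 + _disp))" || true
    fi
fi
```

Run it on host A as the user who owns the display; a `hostlist` or `disabled` verdict explains a remote connect on its own, while `locked` with cookies present means any client that got in presented a valid cookie, which is the case to investigate next.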

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message