From owner-freebsd-security Tue Sep 15 14:34:26 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id OAA10774
    for freebsd-security-outgoing; Tue, 15 Sep 1998 14:34:26 -0700 (PDT)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (ts02-067.dublin.indigo.ie [194.125.134.197])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA10678
    for ; Tue, 15 Sep 1998 14:34:11 -0700 (PDT)
    (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
    by indigo.ie (8.8.8/8.8.7) id WAA01237;
    Tue, 15 Sep 1998 22:27:13 +0100 (IST)
    (envelope-from rotel@indigo.ie)
From: Niall Smart
Message-Id: <199809152127.WAA01237@indigo.ie>
Date: Tue, 15 Sep 1998 22:27:12 +0000
In-Reply-To: <98Sep14.144916est.40329@border.alcanet.com.au>; Peter Jeremy
Reply-To: rotel@indigo.ie
X-Files: The truth is out there
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Peter Jeremy , freebsd-security@FreeBSD.ORG
Subject: Re: X-security
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 14, 2:49pm, Peter Jeremy wrote:
} Subject: Re: X-security
> Wes Peters wrote:
> > By default, XFree86 uses "MIT MAGIC COOKIE" authentication;
> > when the server starts it creates a .Xauthority file in
> > your home directory. Anyone who can read this file will still be
> > able to connect to your X server
>
> Note that the authentication tokens are not encrypted on the network.
> Anyone who can sniff the network will also be able to connect to your
> X-server.
>
> If you're worried about someone stealing your authentication token,
> you'll need to use something like XDM-AUTHORIZATION-1 (*), SUN-DES-1 (**)
> or ssh.

After you've authenticated you're still vulnerable to snooping or
active attacks though, someone could still steal your authentication
data by desynchronising your TCP stream and injecting the right
commands. Better to use port forwarding with ssh if possible.

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
    echo '#define if(x) if (!(x))' >> /usr/include/stdio.h
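An added example, not part of the original message: a small auditor for the two exposures discussed in the thread, a `.Xauthority` file that other users can read and `MIT-MAGIC-COOKIE-1` entries for displays that are not local. The function names, the sample bytes and the rule "a non-local address family means the cookie crosses the network" are assumptions made for this illustration.

```python
import struct

FAMILY_INTERNET, FAMILY_LOCAL = 0, 256   # values from X11's X.h / Xauth.h
COOKIE = b"MIT-MAGIC-COOKIE-1"

def parse_xauthority(blob):
    """Return [(family, address, display, auth_name, data_len)] from raw file bytes."""
    pos, entries = 0, []

    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated .Xauthority entry at offset %d" % pos)
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    def counted():                        # 2-byte big-endian length, then the bytes
        (length,) = struct.unpack(">H", take(2))
        return take(length)

    while pos < len(blob):
        (family,) = struct.unpack(">H", take(2))
        address, display, name, data = counted(), counted(), counted(), counted()
        entries.append((family, address, display, name, len(data)))  # cookie is not kept
    return entries

def audit(blob, mode):
    """Return findings for the file bytes and its st_mode."""
    findings = []
    if mode & 0o077:
        findings.append("file mode %o lets other users read or replace cookies" % (mode & 0o777))
    for family, address, display, name, _ in parse_xauthority(blob):
        if name == COOKIE and family != FAMILY_LOCAL:
            findings.append("display :%s (family %d) uses %s over a network transport"
                            % (display.decode(), family, name.decode()))
    return findings

def _entry(family, address, display, name, data):   # builds constructed sample records
    out = struct.pack(">H", family)
    for field in (address, display, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed sample: one local display, one reached by IP (192.0.2.10), dummy cookies.
SAMPLE = (_entry(FAMILY_LOCAL, b"myhost", b"0", COOKIE, bytes(16)) +
          _entry(FAMILY_INTERNET, bytes([192, 0, 2, 10]), b"1", COOKIE, bytes(16)))

if __name__ == "__main__":
    for line in audit(SAMPLE, 0o100644):
        print(line)
```

To check a real file, pass `open(path, "rb").read()` and `os.stat(path).st_mode` to `audit`.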