Date:      Sat, 26 Feb 2000 16:18:13 +0300
From:      "A. Rakukin" <rakukin@mail.ru>
To:        "Brian Somers" <brian@Awfulhak.org>
Cc:        "Matthew Dillon" <dillon@apollo.backplane.com>, freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject:   Re[2]: X authorization 
Message-ID:  <E12Oh6r-000Epu-00@f1.mail.ru>


-----Original Message-----
From: Brian Somers <brian@Awfulhak.org>
To: Matthew Dillon <dillon@apollo.backplane.com>
Date: Fri, 25 Feb 2000 21:59:59 +0000
Subject: Re: X authorization 

> > 
> > :Hi to all,
> > :
> > :Would be grateful for help or explanation. I used to think that by default
> > :nobody can run anything on my display. But now I revealed that it is enough
> > :to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> > :(that has been accessed) says that 
> > :
> > :access control enabled, only authorized clients can connect
> > :
> > :and nothing more. What is the possible source of the problem?
> > :I have not customized any authorization mechanisms...
> > :I run FreeBSD 3.4.
> > :
> > :Thank you,
> > :Alex
> > 
> >     I'll bet you are using ssh.

sshd is not running on the host which has been accessed...
I am aware of the X-connections forwarding ability of ssh,
but it is not the case...

> > 
> >     Your assumptions as to 'xhost' are correct.  Just setting DISPLAY on
> >     machine B to point to machine A will not give machine B access to 
> >     machine A's X display.  Machine A must give machine B access, typically
> >     through the 'xhost' command.
> 
> I wouldn't say ``typically''.  Using xhost is bad as it gives anybody 
> on the given host access to your display.  Xauth is the correct way 
> to do it.  It stuffs an authentication key in the .Xauthority file 
> allowing access only to people with access to the .Xauthority file.  
> Check the xauth man page for the magic incantation.

I know that xhost is insecure. But it worked earlier!
And now I have a situation as follows: I merely start X (via xdm) on host A, 
no windows/commands there, then go to host B, 
type `export DISPLAY=A:0; xterm' and see xterm window 
opened on the display of A! Then test `xhost' on A and see no hosts allowed...

I think something has been changed in the configuration casually,
and would be grateful for any advice on what it might be.
I looked through Xsessions etc., but have not found anything,
unfortunately...

> 
> >     However, some programs will tunnel X sessions automatically.  ssh is
> >     one of these.  If you are sitting on machine A and you ssh to machine B,
> >     you will then be able to run X binaries on machine B and have them show
> >     up on machine A's display.  The X protocol will run through the 
> >     'secure' ssh session. 
> > 
> >     I don't know many people who do this, at least not between two local
> >     machines sitting on the same LAN, because running an X client through
> >     an encrypted ssh session tends to really slow down the client.
> 
> *shrug* I do it all the time for convenience.  sshd is on just about 
> every machine I use, whereas the alternative of mucking about with 
> xon, rstart or some locally brewed version is a pain.  Besides, CPUs 
> these days can easily encrypt stuff faster than your standard 10mbit 
> network can transport them.

In any case, I would like to forbid unauthorized access at first!

> 
> > 					-Matt
> > 					Matthew Dillon 
> > 					<dillon@backplane.com>
> 
> 
> 
> 

Thanks to all,
Alex
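
A check for the situation discussed in this message, as an added example that is not part of the original e-mail: it summarises the access-control options on an X server command line and tests whether a client host already holds a cookie for the display. The function names, the server command line and the `xauth list` output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs at the bottom are constructed, not taken from the thread.

# audit_server CMDLINE: summarise the access-control options on an X server
# command line as shown by ps. Per Xserver(1): -ac disables host-based access
# control, -auth FILE loads authorization records (cookies) from FILE, and
# -nolisten tcp (where supported) turns off the TCP listener for remote clients.
audit_server() {
    ac=no; auth=no; tcp=yes; prev=
    for arg in $1; do            # unquoted on purpose: split into words
        case "$prev $arg" in
            "-auth "*)       auth=yes ;;
            "-nolisten tcp") tcp=no ;;
            *" -ac")         ac=yes ;;
        esac
        prev=$arg
    done
    echo "host_acl_disabled=$ac cookie_auth=$auth tcp_listen=$tcp"
}

# has_cookie DISPLAY: read `xauth list` output on stdin; succeed if it holds
# an MIT-MAGIC-COOKIE-1 entry for DISPLAY. A client that presents a valid
# cookie is admitted even when the xhost list is empty.
has_cookie() {
    awk -v d="$1" '$1 == d && $2 == "MIT-MAGIC-COOKIE-1" { found = 1 }
                   END { exit !found }'
}

# Constructed sample data: server on host A, `xauth list` taken on host B.
SERVER_CMD='X :0 -auth /path/to/authfile'
XAUTH_ON_B='A:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
B/unix:0  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100'

audit_server "$SERVER_CMD"
if printf '%s\n' "$XAUTH_ON_B" | has_cookie A:0; then
    echo "host B holds a cookie for A:0: its clients are authorized"
else
    echo "host B has no cookie for A:0"
fi
```

On a live system the inputs would come from `ps` on the server host and from `xauth list` run as the user on the client host.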

