From owner-freebsd-security Fri Feb 25 15:23:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from awfulhak.org (dynamic-68.max4-du-ws.dialnetwork.pavilion.co.uk [212.74.9.196]) by hub.freebsd.org (Postfix) with ESMTP id 6B8E437BE56; Fri, 25 Feb 2000 15:23:30 -0800 (PST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@shift.lan.awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id XAA54988; Fri, 25 Feb 2000 23:22:11 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id VAA00381; Fri, 25 Feb 2000 21:59:59 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200002252159.VAA00381@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Matthew Dillon
Cc: "A. Rakukin", freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject: Re: X authorization
In-Reply-To: Message from Matthew Dillon of "Thu, 24 Feb 2000 11:57:15 PST." <200002241957.LAA41772@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 25 Feb 2000 21:59:59 +0000
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> :Hi to all,
> :
> :Would be grateful for help or explanation. I used to think that by default
> :nobody can run anything on my display. But now I revealed that it is enough
> :to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> :(that has been accessed) says that
> :
> :access control enabled, only authorized clients can connect
> :
> :and nothing more. What is the possible source of the problem?
> :I have not customized any authorization mechanisms...
> :I run FreeBSD 3.4.
> :
> :Thank you,
> :Alex
>
> I'll bet you are using ssh.
>
> Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
> machine B to point to machine A will not give machine B access to
> machine A's X display. Machine A must give machine B access, typically
> through the 'xhost' command.

I wouldn't say ``typically''. Using xhost is bad as it gives anybody on the
given host access to your display. Xauth is the correct way to do it. It
stuffs an authentication key in the .Xauthority file, allowing access only
to people with access to the .Xauthority file. Check the xauth man page for
the magic incantation.

> However, some programs will tunnel X sessions automatically. ssh is
> one of these. If you are sitting on machine A and you ssh to machine B,
> you will then be able to run X binaries on machine B and have them show
> up on machine A's display. The X protocol will run through the
> 'secure' ssh session.
>
> I don't know many people who do this, at least not between two local
> machines sitting on the same LAN, because running an X client through
> an encrypted ssh session tends to really slow down the client.

*shrug* I do it all the time for convenience. sshd is on just about every
machine I use, whereas the alternative of mucking about with xon, rstart or
some locally brewed version is a pain. Besides, CPUs these days can easily
encrypt stuff faster than your standard 10mbit network can transport them.

> -Matt
> Matthew Dillon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
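The "magic incantation" Brian points at, written out as an added example that is not part of the original thread or of any FreeBSD/X.Org code: instead of `xhost +machineB` (which admits every user on machine B), the display's MIT-MAGIC-COOKIE-1 is copied to the account that should be allowed in, and access then hinges on who can read the authority file. The host name `devbox.example.org`, the display number `:0`, the file paths and the helper names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread: per-cookie X access with
# xauth instead of per-host access with xhost. Host names, display numbers
# and paths below are assumptions for illustration.

# Generate a fresh 128-bit MIT-MAGIC-COOKIE-1 value as 32 hex digits using
# only POSIX tools, so it works where openssl and xauth are not installed.
gen_cookie() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# A well-formed cookie is exactly 32 lowercase hex digits.
is_valid_cookie() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Return 0 when an ls(1)-style mode string such as "rw-------" grants nothing
# to group or other. Once xhost is out of the picture the cookie is the only
# thing guarding the display, so a readable .Xauthority gives it away.
mode_is_private() {
    case "$1" in
        ???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the permissions on an authority file (default: $XAUTHORITY, then
# ~/.Xauthority). ls -ld is used rather than stat(1), whose flags differ
# between BSD and GNU.
xauthority_is_private() {
    f=${1:-${XAUTHORITY:-$HOME/.Xauthority}}
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c2-10)
    mode_is_private "$mode"
}

# Install a cookie for a display in the caller's authority file. The server
# must already have been started with the same cookie (startx/xinit/xdm do
# that), so this is how an existing cookie is handed to another account.
xauth_install() {
    display=$1 cookie=$2
    is_valid_cookie "$cookie" || { echo "malformed cookie" >&2; return 1; }
    command -v xauth >/dev/null 2>&1 || { echo "xauth not installed" >&2; return 1; }
    xauth add "$display" MIT-MAGIC-COOKIE-1 "$cookie"
}

# Copy the local display's cookie to an account on a remote host over ssh,
# the manual counterpart of what ssh's X11 forwarding arranges for you.
# The network-qualified name (host:0, not :0) is extracted so the entry
# matches the DISPLAY the remote client will use; startx creates both forms.
xauth_grant_remote() {
    remote=$1 display=${2:-$(hostname):0}
    xauth extract - "$display" | ssh "$remote" 'xauth merge -'
}

# Usage, e.g.:  sh xauth-example.sh grant devbox.example.org
#               sh xauth-example.sh check
case "${1:-}" in
    grant) xauth_grant_remote "$2" ;;
    check) xauthority_is_private && echo "authority file is private" ;;
esac
```

Two caveats a practitioner will hit: the remote client still has to reach the server over TCP, so the server must be listening on it (current X servers start with `-nolisten tcp` by default, unlike the 3.4-era setup in the thread), and the cookie is sent in the clear in the X connection setup, which is one more reason to prefer the ssh tunnel Matt describes (`ssh -X`, with `X11Forwarding yes` in sshd_config on the remote side), where sshd installs a throwaway cookie on the remote host for you and nothing traverses the LAN unencrypted.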