
Re: loss of xauthority



hawk@eyry.econ.iastate.edu wrote:
> 
> Martin wrote,
> 
> > From: "Christian Hudon" <chudon@ee.mcgill.ca>
> > Date: Sat, 21 Jun 1997 14:48:19 +0000
> > Subject: "xauth +", not a good idea...
> >
> 
> > If you don't trust every user on your machine, you'll need to learn a bit
> > about xauth. "xauth list $DISPLAY" will list the key for the display
> > $DISPLAY.
> 
> > pianocktail.org/unix:0  MIT-MAGIC-COOKIE-1  53a82429fe56a1cf5236f3d4852e7d79e
> 
> > Anyone who has that key is authorized to connect to the X server managing
> > display $DISPLAY. So say you want to grant user bar access to the display
> > that user foo is using, you just do (as bar):
> 
> > bar@pianocktail:[~]> xauth add pianocktail.org/unix:0 MIT-MAGIC-COOKIE-1
> > 53a82429fe56a1cf5236f3d4852e7d79e
> 
> Curiouser and curiouser.  I tried this, and it worked--once.  I then
> successfully launched emacs, then lost the ability to change the remote xauth
> entirely. (???).
> 
> Getting the sequence from the login xterm, I then type
> pv2086ttyp7:rhawkins>xauth list $DISPLAY
>  eyry.econ.iastate.edu:0  MIT-MAGIC-COOKIE-1  e627d47d72c34079be1f6c35ca3b58b1
> pv2086ttyp7:rhawkins>xauth add eyry.econ/unix:0 MIT-MAGIC-COOKIE-1
> 684e3c0f4c1e460741426f5272005d0c
> pv2086ttyp7:rhawkins>xauth list $DISPLAY
>  eyry.econ.iastate.edu:0  MIT-MAGIC-COOKIE-1  e627d47d72c34079be1f6c35ca3b58b1

Note: there can be more than one entry for a given host. The 
'/unix' in  'eyry.econ/unix:0' means that the entry is good for a
"unix-domain socket". Unix-domain sockets only work on a single system,
not over the network. Note also that there can be (and generally are)
several entries in an xauth file. By using the construct 
'xauth list $DISPLAY' you are limiting the list printed out to the 
entry for '$DISPLAY'. In fact, if after the above 'add' command you
ran 'xauth list eyry.econ/unix:0' you would see the entry you added.
What you want to do is 'xauth add $DISPLAY <...>'. 

> That is, it isn't changing it in the remote system.  However, it does seem to
> work in the root window on the local system.
> 
> The remote system is using kerberos if this makes a difference.  I still
> haven't figured out how to get the rpm's for kerberos installed.  This
> prevents me from using rsh, getting pop-3 mail, etc.
> 
> I've looked at the telnet man page, and it looks like I could evaluate the
> cookie, put it in a variable, pass this with the environ option, then have the
> remote .cshrc check for the variable, and add it if present.
> 
> At the moment, I'm not worried nearly as much about security as in getting
> something to work.  Even xhost + only works for a few seconds.

This is very odd. I'm really wondering how it can work only for a few
seconds. There would have to be something else disabling the perms after
you allowed them. kerberos is orthogonal (in this case, since we're using
MIT-MAGIC-COOKIE-1 authorization) to X security and should have no
effect unless you're bringing other programs into the equation--for 
example to get your key across the network--which use kerberos.

-- 
Jens B. Jorgensen
jjorgens@bdsinc.com
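
Added example, not part of the original message: a minimal reader for the binary .Xauthority record layout, showing why a cookie stored under 'eyry.econ/unix:0' does not appear when listing a ':0' TCP entry for the same machine. The helper names, the 192.0.2.10 address and both cookie values are constructed for illustration.

```python
import socket
import struct

FAMILY_INTERNET = 0    # TCP entry; address field holds the raw IPv4 bytes
FAMILY_LOCAL = 256     # Unix-domain socket entry; address field holds the hostname
NAME = b"MIT-MAGIC-COOKIE-1"

def pack_entry(family, address, number, name, data):
    """Serialize one record: big-endian family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def _take(blob, pos, n):  # bounds-checked read: returns (bytes, new_pos)
    if pos + n > len(blob):
        raise ValueError("truncated .Xauthority record")
    return blob[pos:pos + n], pos + n

def parse_xauthority(blob):
    """Return [(display_name, auth_name, cookie_hex)] for every record in blob."""
    entries, pos = [], 0
    while pos < len(blob):
        raw, pos = _take(blob, pos, 2)
        family = struct.unpack(">H", raw)[0]
        fields = []
        for _ in range(4):  # address, display number, auth name, auth data
            raw, pos = _take(blob, pos, 2)
            field, pos = _take(blob, pos, struct.unpack(">H", raw)[0])
            fields.append(field)
        address, number, name, data = fields
        if family == FAMILY_LOCAL:
            host = address.decode() + "/unix"
        elif family == FAMILY_INTERNET and len(address) == 4:
            host = socket.inet_ntoa(address)  # xauth would resolve this to a hostname
        else:  # other families: shown raw, in a format chosen for this example
            host = "#%04x#%s#" % (family, address.hex())
        entries.append(("%s:%s" % (host, number.decode()), name.decode(), data.hex()))
    return entries

def list_display(blob, display):
    """Keep only records whose display name matches, like 'xauth list $DISPLAY'."""
    return [e for e in parse_xauthority(blob) if e[0] == display]

# Constructed sample file: one TCP entry and one Unix-domain entry for display 0.
SAMPLE = (
    pack_entry(FAMILY_INTERNET, socket.inet_aton("192.0.2.10"), b"0", NAME, bytes(range(16)))
    + pack_entry(FAMILY_LOCAL, b"eyry.econ", b"0", NAME, bytes(range(16, 32)))
)
```

Calling `list_display(SAMPLE, "192.0.2.10:0")` returns only the TCP record, while `list_display(SAMPLE, "eyry.econ/unix:0")` returns the separately stored Unix-domain record with its own cookie.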

