Re: loss of xauthority
hawk@eyry.econ.iastate.edu wrote:
>
> Martin wrote,
>
> > From: "Christian Hudon" <chudon@ee.mcgill.ca>
> > Date: Sat, 21 Jun 1997 14:48:19 +0000
> > Subject: "xauth +", not a good idea...
> >
>
> > If you don't trust every user on your machine, you'll need to learn a bit
> > about xauth. "xauth list $DISPLAY" will list the key for the display
> > $DISPLAY.
>
> > pianocktail.org/unix:0 MIT-MAGIC-COOKIE-1 53a82429fe56a1cf5236f3d4852e7d79e
>
> > Anyone who has that key is authorized to connect to the X server managing
> > display $DISPLAY. So say you want to grant user bar access to the display
> > that user foo is using, you just do (as bar):
>
> > bar@pianocktail:[~]> xauth add pianocktail.org/unix:0 MIT-MAGIC-COOKIE-1
> > 53a82429fe56a1cf5236f3d4852e7d79e
>
> curiouser and curiouser. I tried this, and it worked--once. I then
> successfully launched emacs, then lost the ability to change the remote xauth
> entirely. (???).
>
> Getting the sequence from the login xterm, I then type
> pv2086ttyp7:rhawkins>xauth list $DISPLAY
> eyry.econ.iastate.edu:0 MIT-MAGIC-COOKIE-1 e627d47d72c34079be1f6c35ca3b58b1
> pv2086ttyp7:rhawkins>xauth add eyry.econ/unix:0 MIT-MAGIC-COOKIE-1
> 684e3c0f4c1e460741426f5272005d0c
> pv2086ttyp7:rhawkins>xauth list $DISPLAY
> eyry.econ.iastate.edu:0 MIT-MAGIC-COOKIE-1 e627d47d72c34079be1f6c35ca3b58b1
Note: there can be more than one entry for a given host. The
'/unix' in 'eyry.econ/unix:0' means that the entry is good for a
"unix-domain socket". Unix-domain sockets only work on a single system,
not over the network. Note also that there can be (and generally are)
several entries in an xauth file. By using the construct
'xauth list $DISPLAY' you are limiting the list printed out to the
entry for '$DISPLAY'. In fact, if after the above 'add' command you
ran 'xauth list eyry.econ/unix:0' you would see the entry you added.
What you want to do is 'xauth add $DISPLAY <...>'.
> That is, it isn't changing it in the remote system. However, it does seem to
> work in the root window on the local system.
>
> The remote system is using kerberos if this makes a difference. I still
> haven't figured out how to get the rpm's for kerberos installed. This
> prevents me from using rsh, getting pop-3 mail, etc.
>
> I've looked at the telnet man page, and it looks like I could evaluate the
> cookie, put it in a variable, pass this with the environ option, then have the
> remote .cshrc check for the variable, and add it if present.
>
> At the moment, I'm not worried nearly as much about security as in getting
> something to work. Even xhost + only works for a few seconds.
This is very odd. I'm really wondering how it can work only for a few
seconds. There would have to be something else disabling the perms after
you allowed them. kerberos is orthogonal (in this case, since we're using
MIT-MAGIC-COOKIE-1 authorization) to X security and should have no
effect unless you're bringing other programs into the equation--for
example to get your key across the network--which use kerberos.
--
Jens B. Jorgensen
jjorgens@bdsinc.com
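
As an added illustration (not part of the original thread), this Python sketch parses the .Xauthority record layout used by libXau and shows why a list filtered by one display name hides an entry that was added under another. The address 192.0.2.10 and the cookie bytes are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct

FAMILY_INTERNET = 0   # TCP display; address field holds the 4 raw IPv4 bytes
FAMILY_LOCAL = 256    # unix-domain socket display; address field holds the hostname

def pack_entry(family, address, number, name, data):
    """Serialize one record: big-endian family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Return [(family, address, number, name, data), ...] from raw file bytes."""
    entries, pos = [], 0
    while pos < len(blob):
        record = []
        for i in range(5):  # family word, then four length-prefixed fields
            if pos + 2 > len(blob):
                raise ValueError("truncated record")
            value = struct.unpack_from(">H", blob, pos)[0]
            pos += 2
            if i and pos + value > len(blob):
                raise ValueError("truncated record")
            record.append(blob[pos:pos + value] if i else value)
            pos += value if i else 0
        entries.append(tuple(record))
    return entries

def display_key(display):
    """Map 'host/unix:N' or 'a.b.c.d:N' to the (family, address, number) key."""
    host, number = display.rsplit(":", 1)
    if host.endswith("/unix"):
        return FAMILY_LOCAL, host[:-len("/unix")].encode(), number.encode()
    return FAMILY_INTERNET, socket.inet_aton(host), number.encode()

def list_entries(blob, display=None):
    """Like 'xauth list [display]': (protocol name, hex cookie) of matching entries."""
    want = display_key(display) if display else None
    return [(name.decode(), data.hex())
            for family, addr, num, name, data in parse_xauthority(blob)
            if want is None or (family, addr, num) == want]

# Constructed sample: a TCP entry and a unix-domain entry, both for display 0.
NAME = b"MIT-MAGIC-COOKIE-1"
SAMPLE = (pack_entry(FAMILY_INTERNET, socket.inet_aton("192.0.2.10"), b"0", NAME, b"\xaa" * 16)
          + pack_entry(FAMILY_LOCAL, b"eyry.econ", b"0", NAME, b"\xbb" * 16))
```

Listing with the TCP display name returns only the first cookie, while listing with 'eyry.econ/unix:0' or with no filter shows that the second entry is present in the file.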