From: "A. Rakukin"
To: "Brian Somers"
Cc: "Matthew Dillon", freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject: Re[2]: X authorization
Date: Sat, 26 Feb 2000 16:18:13 +0300

-----Original Message-----
From: Brian Somers
To: Matthew Dillon
Date: Fri, 25 Feb 2000 21:59:59 +0000
Subject: Re: X authorization

> >
> > :Hi to all,
> > :
> > :Would be grateful for help or explanation. I used to think that by default
> > :nobody can run anything on my display. But now I revealed that it is enough
> > :to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> > :(that has been accessed) says that
> > :
> > :access control enabled, only authorized clients can connect
> > :
> > :and nothing more. What is the possible source of the problem?
> > :I have not customized any authorization mechanisms...
> > :I run FreeBSD 3.4.
> > :
> > :Thank you,
> > :Alex
> >
> > I'll bet you are using ssh.

sshd is not running on the host which has been accessed...
I am aware of the X-connections forwarding ability of ssh, but it is not the case...

> >
> > Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
> > machine B to point to machine A will not give machine B access to
> > machine A's X display. Machine A must give machine B access, typically
> > through the 'xhost' command.
>
> I wouldn't say ``typically''. Using xhost is bad as it gives anybody
> on the given host access to your display. Xauth is the correct way
> to do it. It stuffs an authentication key in the .Xauthority file
> allowing access only to people with access to the .Xauthority file.
> Check the xauth man page for the magic incantation.

I know that xhost is insecure. But it worked earlier! And now I have a
situation as follows: I merely start X (via xdm) on host A, no
windows/commands there, then go to host B, type
`export DISPLAY=A:0; xterm' and see xterm window opened on the display
of A! Then test `xhost' on A and see no hosts allowed... I think
something has been changed in the configuration casually, and would be
grateful for any advice what might it be. I looked through Xsessions
etc, but have not found anything, unfortunately...

>
> > However, some programs will tunnel X sessions automatically. ssh is
> > one of these. If you are sitting on machine A and you ssh to machine B,
> > you will then be able to run X binaries on machine B and have them show
> > up on machine A's display. The X protocol will run through the
> > 'secure' ssh session.
> >
> > I don't know many people who do this, at least not between two local
> > machines sitting on the same LAN, because running an X client through
> > an encrypted ssh session tends to really slow down the client.
>
> *shrug* I do it all the time for convenience. sshd is on just about
> every machine I use, whereas the alternative of mucking about with
> xon, rstart or some locally brewed version is a pain.
> Besides, CPUs
> these days can easily encrypt stuff faster than your standard 10mbit
> network can transport them.

In any case, I would like to forbid unauthorized access at first!

>
> > -Matt
> > Matthew Dillon
> >

Thanks to all,
Alex
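
The thread's point that xauth limits access to whoever can read the .Xauthority file can be checked on a host. The following is an added example, not part of the original thread: a Python parser for the Xauthority file layout (a 2-byte family followed by four length-prefixed fields) that lists which displays have keys and flags a file readable by other users. The function names and the wording of the findings are this example's own.

```python
import os
import stat
import struct

# X11 address family codes that appear in Xauthority entries.
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}


def _counted(blob, pos):
    """Read one field: 2-byte big-endian length, then that many bytes."""
    if pos + 2 > len(blob):
        raise ValueError("truncated length at offset %d" % pos)
    (n,) = struct.unpack_from(">H", blob, pos)
    if pos + 2 + n > len(blob):
        raise ValueError("truncated field at offset %d" % pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def parse_xauthority(blob):
    """Parse raw .Xauthority bytes; keys are reported by length only."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family at offset %d" % pos)
        (family,) = struct.unpack_from(">H", blob, pos)
        address, pos = _counted(blob, pos + 2)
        number, pos = _counted(blob, pos)
        name, pos = _counted(blob, pos)
        data, pos = _counted(blob, pos)
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            "address": address.decode("latin-1"),  # raw bytes for Internet
            "display": number.decode("ascii", "replace"),
            "scheme": name.decode("ascii", "replace"),
            "key_bytes": len(data),
        })
    return entries


def audit(path):
    """Return (entries, findings) for one authority file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        entries = parse_xauthority(fh.read())
    findings = []
    if mode & 0o077:
        findings.append("mode %04o lets other users read the keys" % mode)
    if not entries:
        findings.append("no entries: clients using this file send no key")
    return entries, findings
```

Calling `audit(os.path.expanduser("~/.Xauthority"))` returns the parsed entries and any findings without printing key material.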