Date:      Fri, 25 Feb 2000 21:59:59 +0000
From:      Brian Somers <brian@Awfulhak.org>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        "A. Rakukin" <rakukin@mail.ru>, freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject:   Re: X authorization 
Message-ID:  <200002252159.VAA00381@hak.lan.Awfulhak.org>
In-Reply-To: Message from Matthew Dillon <dillon@apollo.backplane.com>  of "Thu, 24 Feb 2000 11:57:15 PST." <200002241957.LAA41772@apollo.backplane.com> 

> 
> :Hi to all,
> :
> :Would be grateful for help or explanation. I used to think that by default
> :nobody can run anything on my display. But now I revealed that it is enough
> :to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> :(that has been accessed) says that 
> :
> :access control enabled, only authorized clients can connect
> :
> :and nothing more. What is the possible source of the problem?
> :I have not customized any authorization mechanisms...
> :I run FreeBSD 3.4.
> :
> :Thank you,
> :Alex
> 
>     I'll bet you are using ssh.
> 
>     Your assumptions as to 'xhost' are correct.  Just setting DISPLAY on
>     machine B to point to machine A will not give machine B access to 
>     machine A's X display.  Machine A must give machine B access, typically
>     through the 'xhost' command.

I wouldn't say ``typically''.  Using xhost is bad as it gives anybody 
on the given host access to your display.  Xauth is the correct way 
to do it.  It stuffs an authentication key in the .Xauthority file 
allowing access only to people with access to the .Xauthority file.  
Check the xauth man page for the magic incantation.

>     However, some programs will tunnel X sessions automatically.  ssh is
>     one of these.  If you are sitting on machine A and you ssh to machine B,
>     you will then be able to run X binaries on machine B and have them show
>     up on machine A's display.  The X protocol will run through the 
>     'secure' ssh session. 
> 
>     I don't know many people who do this, at least not between two local
>     machines sitting on the same LAN, because running an X client through
>     an encrypted ssh session tends to really slow down the client.

*shrug* I do it all the time for convenience.  sshd is on just about 
every machine I use, whereas the alternative of mucking about with 
xon, rstart or some locally brewed version is a pain.  Besides, CPUs 
these days can easily encrypt stuff faster than your standard 10mbit 
network can transport them.

> 					-Matt
> 					Matthew Dillon 
> 					<dillon@backplane.com>
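
An added example, not part of the original message: the reply above rests on the key in .Xauthority being readable only by its owner, so this Python sketch parses the file's records and flags group/other permissions. The record layout is the Xau library format (big-endian 16-bit family, then four length-prefixed fields); the function names are hypothetical and the sample record is constructed.

```python
import os
import stat
import struct

# Family codes from the Xau headers; 256 (Local) stores a hostname.
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def parse_xauthority(blob):
    """Parse raw .Xauthority bytes into a list of entry dicts."""
    entries, pos = [], 0

    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated Xauthority record at offset %d" % pos)
        pos += n
        return blob[pos - n:pos]

    def counted():
        # Each field is a 16-bit big-endian length followed by that many bytes.
        return take(struct.unpack(">H", take(2))[0])

    while pos < len(blob):
        family = struct.unpack(">H", take(2))[0]
        address, number, name, data = counted(), counted(), counted(), counted()
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            "address": address.decode("ascii", "replace") if family == 256 else address.hex(),
            "display": number.decode("ascii", "replace"),
            "scheme": name.decode("ascii", "replace"),
            "key_bytes": len(data),  # report the length only, never the key
        })
    return entries

def audit_mode(mode):
    """Return findings for a file mode; the key file must be owner-only."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("key readable by group/other")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file writable by group/other")
    return findings

def audit_file(path):
    """Check permissions and list entries of an Xauthority file."""
    with open(path, "rb") as fh:
        return audit_mode(os.fstat(fh.fileno()).st_mode), parse_xauthority(fh.read())

def _field(b):
    return struct.pack(">H", len(b)) + b

# Constructed sample record (all-zero placeholder key, not a real cookie).
SAMPLE = struct.pack(">H", 256) + b"".join(
    _field(f) for f in (b"hostA", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16)))
```

Call `audit_file(os.path.expanduser("~/.Xauthority"))` on the machine running the X server; any finding means other local users can read the key and connect to the display.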



