public inbox for cygwin-xfree@sourceware.org
* struggling with xauth vs xhost
@ 2013-04-30 14:21 Larry W. Virden
  2013-05-01 13:46 ` Jon TURNEY
  0 siblings, 1 reply; 2+ messages in thread
From: Larry W. Virden @ 2013-04-30 14:21 UTC (permalink / raw)
  To: cygwin-xfree

While in the process of moving from a commercial X server to the
cygwin Xfree server, we seem to have run into a peculiar behavior.

The previous environment made heavy use of xhost. I proposed that in
cygwin xfree we move to xauth as a more secure environment. That has
for the most part worked out.

The environment is that the x applications are running on a Solaris 10
sparc machine, displaying back to Win7 desktops with cygwin 1.7.x
running on them.

When a user chooses the single X window method of opening a local
window which ssh's over to the Unix machines, things seem to work
okay.

When they choose the "full screen" approach, where the entire window
takes over the desktop, and the window manager and everything else is
running remotely, an xhost is being executed. This causes some
applications to fail because the language used considers that to be a
security risk.

When we look in both local start up files as well as remote start up
files, we do not see where the xhost is being performed.

Is there a way for us to track down where that is occurring so that we
can see about commenting that out?

Thanks!


--
Tcl - The glue of a new generation.   http://wiki.tcl.tk/
Larry W. Virden
http://www.facebook.com/lvirden/
Even if explicitly stated to the contrary, nothing in this posting
should be construed as representing my employer's opinions.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://x.cygwin.com/docs/
FAQ:                   http://x.cygwin.com/docs/faq/



* Re: struggling with xauth vs xhost
  2013-04-30 14:21 struggling with xauth vs xhost Larry W. Virden
@ 2013-05-01 13:46 ` Jon TURNEY
  0 siblings, 0 replies; 2+ messages in thread
From: Jon TURNEY @ 2013-05-01 13:46 UTC (permalink / raw)
  To: cygwin-xfree; +Cc: lvirden

On 30/04/2013 15:21, Larry W. Virden wrote:
> While in the process of moving from a commercial X server to the
> cygwin Xfree server, we seem to have run into a peculiar behavior.
> 
> The previous environment made heavy use of xhost. I proposed that in
> cygwin xfree we move to xauth as a more secure environment. That has
> for the most part worked out.

The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.

> The environment is that the x applications are running on a Solaris 10
> sparc machine, displaying back to Win7 desktops with cygwin 1.7.x
> running on them.
> 
> When a user chooses the single X window method of opening a local
> window which ssh's over to the Unix machines, things seem to work
> okay.

I'm not sure why you mention xauth above, if you are actually using ssh -Y
(which is a far better alternative).

> When they choose the "full screen" approach, where the entire window
> takes over the desktop, and the window manager and everything else is
> running remotely, an xhost is being executed. This causes some
> applications to fail because the language used considers that to be a
> security risk.
> 
> When we look in both local start up files as well as remote start up
> files, we do not see where the xhost is being performed.

I don't think there's anything in the X server that does this.

So this is happening somewhere in the client (i.e. on the Solaris host).  Note
that it might be in xdm (or its equivalent) or something that runs, and that
might be using libX11's XAddHost() function directly, rather than running xhost.

I don't know of any way to make XDMCP secure.  If you are using the default
configuration (e.g. without XDM-AUTHENTICATION-1) it's wide open to MIM
attacks, and the plain-text X protocol is always open to eavesdropping.

You can achieve a somewhat similar effect using something like 'ssh -Y
remotehostname Xnest :1 -query localhost'

> Is there a way for us to track down where that is occurring so that we
> can see about commenting that out?

-- 
Jon TURNEY
Volunteer Cygwin/X X Server maintainer
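
An added example, not part of either post and not Cygwin/X code: two shell helpers for the audit asked about in this thread. The first classifies the text a bare `xhost` prints, so it can be run at successive points of session start-up to see when the access list changes; the second lists files that invoke `xhost` or reference the Xlib calls that edit the list directly. The function names and the sample host name are constructed, and XDisableAccessControl is an Xlib call that the thread itself does not mention.

```shell
#!/bin/sh
# Added example: helpers for finding what changes the X access list.

# classify_xhost_state: read the output of a bare `xhost` on stdin and print
#   open         access control disabled, any host may connect
#   host-listed  enabled, but host/user entries are on the access list
#   auth-only    enabled with an empty list (only xauth-authorized clients)
classify_xhost_state() {
    awk '
        /^access control disabled/ { state = "open"; next }
        /^access control enabled/  { if (state == "") state = "enabled"; next }
        NF                         { entries++ }   # e.g. INET:host, SI:localuser:name
        END {
            if (state == "open")         print "open"
            else if (entries > 0)        print "host-listed"
            else if (state == "enabled") print "auth-only"
            else                         print "unknown"
        }'
}

# find_xhost_callers DIR...: list regular files under the given directories
# that mention the xhost command or reference XAddHost / XDisableAccessControl
# (the latter is the Xlib equivalent of `xhost +`). grep -l also reports
# binaries that contain the symbol name, which covers programs linked
# against libX11 that never run xhost at all.
find_xhost_callers() {
    find "$@" -type f \
        -exec grep -l -E 'xhost|XAddHost|XDisableAccessControl' {} + \
        2>/dev/null | LC_ALL=C sort
}

# Constructed sample: what `xhost` prints after something ran `xhost +host`.
sample='access control enabled, only authorized clients can connect
INET:solaris10.example.com'
printf '%s\n' "$sample" | classify_xhost_state   # prints "host-listed"
```

Matches from `find_xhost_callers` are leads to read, not proof: a comment that mentions xhost matches too.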
