From: Jon TURNEY
Date: Wed, 01 May 2013 13:46:00 -0000
To: cygwin-xfree@cygwin.com
CC: lvirden@gmail.com
Subject: Re: struggling with xauth vs xhost
Message-ID: <51811CB6.2090403@dronecode.org.uk>

On 30/04/2013 15:21, Larry W. Virden wrote:
> While in the process of moving from a commercial X server to the
> cygwin Xfree server, we seem to have run into a peculiar behavior.
>
> The previous environment made heavy use of xhost. I proposed that in
> cygwin xfree we move to xauth as a more secure environment. That has
> for the most part worked out.

The usual caveat applies: if you have an actual need for security, a
random person on the internet is not where you should be getting your
information.

> The environment is that the x applications are running on a Solaris 10
> sparc machine, displaying back to Win7 desktops with cygwin 1.7.x
> running on them.
>
> When a user chooses the single X window method of opening a local
> window which ssh's over to the Unix machines, things seem to work
> okay.

I'm not sure why you mention xauth above, if you are actually using
ssh -Y (which is a far better alternative).

> When they choose the "full screen" approach, where the entire window
> takes over the desktop, and the window manager and everything else is
> running remotely, an xhost is being executed. This causes some
> applications to fail because the language used considers that to be a
> security risk.
>
> When we look in both local start up files as well as remote start up
> files, we do not see where the xhost is being performed.

I don't think there's anything in the X server that does this. So this
is happening somewhere in the client (i.e. on the Solaris host).

Note that it might be in xdm (or its equivalent) or something that
runs, and that might be using libX11's XAddHost() function directly,
rather than running xhost.

I don't know of any way to make XDMCP secure. If you are using the
default configuration (e.g. without XDM-AUTHENTICATION-1) it's wide
open to MIM attacks, and the plain-text X protocol is always open to
eavesdropping.

You can achieve a somewhat similar effect using something like
'ssh -Y remotehostname Xnest :1 -query localhost'

> Is there a way for us to track down where that is occurring so that we
> can see about commenting that out?
-- 
Jon TURNEY
Volunteer Cygwin/X X Server maintainer
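Two small audit helpers for the situation discussed in this thread, added here as an example and not taken from Jon's reply or from the Cygwin/X project: one checks whether a server's `xhost` output shows host-based access granted (as opposed to cookie-based xauth), the other hunts startup files for uncommented `xhost +` lines. The startup files and xhost output used below are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helpers for X host-based access control (added example, not
# from the mailing list or the Cygwin/X project). Sample inputs below
# are constructed for the demonstration.

# xhost_is_open: read `xhost` output on stdin; succeed (return 0) when
# host-based access is granted, i.e. access control is disabled or any
# INET/INET6 host entry is listed. Fail (return 1) when only
# cookie-authorised clients (the xauth path) can connect.
xhost_is_open() {
    grep -q -E '^(access control disabled|INET6?:)'
}

# find_xhost_grants FILE...: print file:line:text for every uncommented
# "xhost +..." in the given startup files (the kind of line the thread
# is hunting for); succeed when at least one is found.
find_xhost_grants() {
    grep -n -H -E '^[^#]*(^|[^[:alnum:]_])xhost[[:space:]]+\+' "$@" 2>/dev/null
}

# --- demonstration on constructed startup files ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/.xsession" <<'EOF'
#!/bin/sh
# xhost + used to be here; commented out, so it must not be reported
xhost +sparchost.example      # grants every client on that host
exec fvwm
EOF
cat > "$demo_dir/Xsetup" <<'EOF'
xset s off
EOF

# Reports only the live grant on line 3 of .xsession
find_xhost_grants "$demo_dir/.xsession" "$demo_dir/Xsetup"

# Constructed xhost output for a wide-open server
printf 'access control disabled, clients can connect from any host\n' \
    | xhost_is_open && echo "server accepts clients from any host"

rm -rf "$demo_dir"
```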