This is the mail archive of the cygwin-xfree@sources.redhat.com mailing list for the Cygwin project.



Re: Running remote X apps


On Thu, 30 Nov 2000 acmay@mace.penguinpowered.com wrote:

> The link seems to cover just about everything pretty well.
> 
> I never have gotten xauth working without using xdm, but since
> I haven't used OS/2 much anymore I just use run level 5 in linux and 
> start xdm automatically.
> 
> I have not dealt with the low level X stuff much, but I believe it
> is possible to write a client that is hard to observe that just
> captures all the keyboard access, and it is pretty easy to do a 
> DoS by throwing up a lot of clients, and not to mention things
> you wouldn't want your mother to see. So by just saying other
> clients are "allowed to connect" seems to understate the 
> problem to me. People need to be aware that there are many bad
> things that can happen besides a random X-Client popping up 
> a window on their screen.

xhost is an easy way to access X from the remote host. If you are the only user on
the host (or you trust the others completely) it is a safe method. 

The other way is using xauth. 

The xauth protocol is quite simple. When connecting to the xserver, xlib will send 
the authentication protocol name and the authentication data.

The protocols supported by xfree (for linux) are 
- MIT-MAGIC-COOKIE-1
- XDM-AUTHORIZATION-1
- SUN-DES-1
- MIT-KERBEROS-1

The first one uses just a 128 bit random number, which is in general created by 
xdm. This number is transmitted unencrypted over the network.
The other three all use some kind of encryption.

To start XWin with MAGIC-COOKIE authorization I tried the following.

- created a server authorization file
  done by starting xdm on linux, logging in and copying the /var/lib/xdm/authdir/authfiles/*
  to the windows machine.
- started XWin
  >XWin -screen 0 640x480x16 -auth ~/xauth.server
- added the authorization key to the linux .Xauthority file
  >xauth -f ~/xauth.server list
  #ffff##:  MIT-MAGIC-COOKIE-1  76aaadf5164a584120ff790856683134 
  >xauth add windows.box:0 MIT-MAGIC-COOKIE-1  76aaadf5164a584120ff790856683134

and xterm could connect from the linux box.
I then removed the entry again
 >xauth remove windows.box:0
and xterm complained it could not connect.

OK, this is a little bit complicated, but if you find a tool which generates the
server key a bit more easily, this would be the right way.

eg. (on windows box)
 > generate-server-key ~/xauth.server
 > ssh user@linux.box /usr/X11R6/bin/xauth add windows.box:0 \
 >      $(xauth -f ~/xauth.server list|sed "s/#ffff##://")
 > XWin -screen 0 800x600x16 -auth ~/xauth.server
 > ssh user@linux.box /usr/X11R6/bin/xauth remove windows.box:0
  
> 
> On Thu, Nov 30, 2000 at 08:45:54AM -0500, Harold Hunt wrote:
> > In life one must find a balance between time for drinking beer and time for
> > all other things; xauth requires too much beer time :)
> > 
> > I've never used xauth, but I will probably add a blurb about how dangerous
> > and vile xhost is :)  I'm assuming that the xhost dangers you referred to
> > were that host names can be spoofed and any user from an allowed host name
> > is allowed to connect?  Was there anything else?
> > 
> > On a side note, I found "Remote X Apps mini-HOWTO" which has a pretty good
> > discussion of the different ways to display remote X clients:
> > http://www.xs4all.nl/~zweije/xauth.html
> > 
> > Does xauth work yet?
> > 
> > xhost is pretty dangerous and you might want to at least mention why.
> > 
> > When I first started with X somebody gave me a real interesting
> > picture for a background.
> > 
> 

-- 
Alexander.Gottwald@informatik.tu-chemnitz.de
http://www.gotti.org
+49 3725 3498080
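
The following is an added example, not part of the original message and not Cygwin/XFree86 code: a sketch of the `generate-server-key` step the message wishes for, writing a fresh 128-bit MIT-MAGIC-COOKIE-1 into an Xauthority-format file without needing xdm. The function names and the `xauth.server` path are hypothetical; the record layout (big-endian family, then four length-prefixed fields, with family 0xffff as the wildcard that `xauth list` prints as `#ffff##:`) is the libXau authority file format.

```python
import os
import secrets
import struct

FAMILY_WILD = 0xFFFF              # wildcard family; xauth lists it as "#ffff##:"
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"

def _counted(field: bytes) -> bytes:
    """Length-prefixed field: 2-byte big-endian length, then the bytes."""
    return struct.pack(">H", len(field)) + field

def build_entry(cookie: bytes, display: bytes = b"") -> bytes:
    """Serialize one record: family, address, display number, name, data."""
    if len(cookie) != 16:
        raise ValueError("MIT-MAGIC-COOKIE-1 data must be 128 bits")
    return (struct.pack(">H", FAMILY_WILD) + _counted(b"") + _counted(display)
            + _counted(COOKIE_NAME) + _counted(cookie))

def parse_entries(blob: bytes):
    """Decode every record in an authority file into a list of dicts."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            (n,) = struct.unpack_from(">H", blob, pos)
            if pos + 2 + n > len(blob):
                raise ValueError("truncated authority record")
            fields.append(blob[pos + 2:pos + 2 + n])
            pos += 2 + n
        entries.append(dict(zip(("address", "number", "name", "data"), fields),
                            family=family))
    return entries

def generate_server_key(path: str) -> str:
    """Write a fresh cookie to `path` (created with mode 0600); return it as hex."""
    cookie = secrets.token_bytes(16)   # OS CSPRNG; the cookie is the only secret
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(build_entry(cookie))
    return cookie.hex()

if __name__ == "__main__":
    # Hypothetical usage: the hex value is what "xauth add" expects on the client.
    key = generate_server_key("xauth.server")
    print("xauth add windows.box:0 MIT-MAGIC-COOKIE-1", key)
```

The hex string is the shared secret, so it should reach the client host over an encrypted channel such as the ssh invocation in the message, and the file should stay readable only by the user who starts the server.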

