This is the mail archive of the cygwin-xfree mailing list for the Cygwin XFree86 project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: struggling with xauth vs xhost


On 30/04/2013 15:21, Larry W. Virden wrote:
> While in the process of moving from a commercial X server to the
> cygwin Xfree server, we seem to have run into a peculiar behavior.
> 
> The previous environment made heavy use of xhost. I proposed that in
> cygwin xfree we move to xauth as a more secure environment. That has
> for the most part worked out.

The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.

> The environment is that the x applications are running on a Solaris 10
> sparc machine, displaying back to Win7 desktops with cygwin 1.7.x
> running on them.
> 
> When a user chooses the single X window method of opening a local
> window which ssh's over to the Unix machines, things seem to work
> okay.

I'm not sure why you mention xauth above, if you are actually using ssh -Y.
(which is a far better alternative)

> When they choose the "full screen" approach, where the entire window
> takes over the desktop, and the window manager and everything else is
> running remotely, an xhost is being executed. This causes some
> applications to fail because the language used considers that to be a
> security risk.
> 
> When we look in both local start up files as well as remote start up
> files, we do not see where the xhost is being performed.

I don't think there's anything in the X server that does this.

So this is happening somewhere in the client (i.e. on the Solaris host).  Note
that it might be in xdm (or it's equivalent) or something that runs, and that
might be using libX11's XAddHost() function directly, rather than running xhost.

I don't know of any way to make XDMCP secure.  If you are using the default
configuration (e.g. without XDM-AUTHENTICATION-1) it's wide open to MIM
attacks, and the plain-text X protocol is always open to eavesdropping.

You can achieve a somewhat similar effect using something like 'ssh -Y
remotehostname Xnest :1 -query localhost'

> Is there a way for us to track down where that is occurring so that we
> can see about commenting that out?

-- 
Jon TURNEY
Volunteer Cygwin/X X Server maintainer

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://x.cygwin.com/docs/
FAQ:                   http://x.cygwin.com/docs/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]