mwz@arp.anu.oz.au (Markus Zellner) (06/07/90)
I've been trying to use the X11R4 authorisation mechanisms on Suns, and I've come up with some problems and some general queries about the whole authorisation system. (Yes, I've RTFMed the xauth and Xau manual pages, and the xdm and Xserver manual pages.)

1 - I'm using the authorisation mechanism WITHOUT using XDM, so I use the MIT-MAGIC-COOKIE scheme, and xauth add to add entries to my authorisation file. What system is used to encrypt the 8 bit hex value that you give to the xauth add command? Is the creation of the authentication cookie based on just this value, or on other things like the user name? If the whole authentication scheme is based on this 8 bit value, a brute force approach to cracking the token would be pretty easy, would it not? Or isn't it designed for this level of security?

2 - To start the Xserver on a workstation, it seems that specifying just the workstation name on the xauth add command is not enough, and you must also specify unix:0.0 to the xauth add command as well. Problem is that this just creates a hostname/unix:0 entry in your authorisation file. Since I run tools from many different machines, and run the Xserver on many different workstations, does this mean that I have to xauth add both hostname:0 and unix:0 for each machine? Another approach to this would be to start the server as something other than unix:0.0, but this would then mean that Internet rather than Unix domain sockets would be used for local clients, resulting in a performance drop. Is this correct, or is there a better way of doing this?

3 - How do I selectively let another user (either on the same or a different machine) open a window on the workstation on which I am currently using X? Can I give them the magic cookie, or do I give them the "seed" value that I gave to xauth add?

Any help on any of these questions would be much appreciated. Please e-mail and I will duly summarise.

--
Markus Zellner | PhD student | mwz@anucsd.anu.oz.au
rws@EXPO.LCS.MIT.EDU (Bob Scheifler) (06/08/90)
> What system is used to encrypt the 8 bit hex value that you give to the xauth add command?

The value you supply is stored directly in the database file. For MIT-MAGIC-COOKIE-1, there is no further processing of the data; it's just a number. Xdm uses crypt facilities to generate numbers for MIT-MAGIC-COOKIE-1 in order to make them hard to guess, that's all.

> If the whole authentication scheme is based on this 8 bit value, a brute force approach to cracking the token would be pretty easy, would it not?

Ah, I think you misinterpreted the man page. The hexkey you supply to xauth can be longer than two characters. You can use any even-length string you want. Xdm generates a 128-bit value (32 characters), for example.

> Since I run tools from many different machines, and run the Xserver on many different workstations, does this mean that I have to xauth add both hostname:0 and unix:0 for each machine?

You need to add hostname:0 and unix:0 for the machine where the server is running (in order to run clients both locally with UDS and remotely with TCP). I'm afraid we haven't attempted to make using authorization with xinit very easy; you're welcome to contribute code. :-)

> 3 - How do I selectively let another user (either on the same or a different machine) open a window on the workstation on which I am currently using X?

You have to give them the cookie (which is the value you gave to xauth). We haven't provided a mechanism for adding/revoking additional cookies for per-user control. This rapidly progresses into more general security mechanisms, which are under discussion in more than one forum.
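The two points in the reply above (the cookie is stored as-is with no further processing, and the server host needs both a hostname:0 and a unix:0 record) can be seen directly in the Xauthority file format the Xau library reads. The following is an added illustration, not code from either poster or from the X distribution; it assumes the record layout and family codes from the Xauth.h header (FamilyInternet = 0, FamilyLocal = 256) and uses a constructed IPv4 address and cookie.

```python
import os
import struct

# Family codes as defined in <X11/Xauth.h>
FAMILY_INTERNET = 0      # "hostname:0" entries: address is the 4-byte IPv4 address
FAMILY_LOCAL = 256       # "unix:0" entries: address is the local host name
MIT_COOKIE = b"MIT-MAGIC-COOKIE-1"


def new_cookie():
    """A 128-bit random cookie (32 hex chars), the size xdm generates.
    Note this uses os.urandom, not xdm's crypt-based generator."""
    return os.urandom(16)


def _field(value):
    """Each Xauthority field is a 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(value)) + value


def encode_entry(family, address, display, cookie):
    """One Xauthority record: family, address, display number, auth name, auth data.
    The cookie goes into the file verbatim, which is why the file must be private."""
    return (struct.pack(">H", family) + _field(address)
            + _field(str(display).encode()) + _field(MIT_COOKIE) + _field(cookie))


def entries_for_server(hostname, ipv4_bytes, display, cookie):
    """Both records the server host needs: hostname:0 (TCP clients) and unix:0 (UDS clients)."""
    return (encode_entry(FAMILY_INTERNET, ipv4_bytes, display, cookie)
            + encode_entry(FAMILY_LOCAL, hostname.encode(), display, cookie))


def parse_xauthority(blob):
    """Read records back; returns (family, address, display, name, data) tuples."""
    entries, off = [], 0

    def take():
        nonlocal off
        (n,) = struct.unpack_from(">H", blob, off)
        off += 2
        value = blob[off:off + n]
        off += n
        if len(value) != n:
            raise ValueError("truncated Xauthority record")
        return value

    while off < len(blob):
        (family,) = struct.unpack_from(">H", blob, off)
        off += 2
        entries.append((family, take(), take().decode(), take().decode(), take()))
    return entries
```

Writing the result of entries_for_server to a file with mode 0600 yields the same two records that xauth add hostname:0 and xauth add unix:0 would create.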