gerety@hpfclp.UUCP (03/30/87)
This has undoubtedly been beat into the ground before, but since I don't generally read this note group, here goes. Are there any plans to implement a better networking security model for X? Instead of blanket machine permission, I'd like to see something along the .rhosts model where permission is granted on a machine/user basis (best of all, use the .rhosts and hosts.equiv files).

Colin Gerety
gerety%hpfclp@hplabs.hp.com
jg@jumbo.UUCP (04/01/87)
In article <9740001@hpfclp.HP.COM> gerety@hpfclp.HP.COM (Colin Gerety) writes:
> Are there any plans to implement a better networking
>security model for X? Instead of blanket machine permission,
>I'd like to see something along the .rhosts model where permission
>is granted on a machine/user basis (best of all, use the .rhosts
>and hosts.equiv files).

This is a hard problem in a distributed environment without proper network authentication services. V11 has a hook in the protocol to permit implementing arbitrary authentication services; since there is no agreement on authentication in Unix or elsewhere as yet, we cannot define it further.

Berkeley "poor man's" authentication used in the "r commands" requires that such programs be set uid to root; while barely acceptable in some environments, it would make it impossible for mere mortals to write programs for X.

Project Athena has a real authentication server now in production use (called Kerberos, the two headed dog that guards the gates to hell). You might go look at it; send mail to "saltzer@athena.mit.edu" to get more information.

- Jim
trinkle@arthur.cs.purdue.edu.UUCP (04/03/87)
On a related issue of host permission, I have noticed that xhost is not very good about handling hosts with multiple network interfaces. Xhost (seems to) chooses to store and verify host information based on IP address rather than canonical (official) name. When it displays the current hosts (xhost without args), it chooses to display the canonical name rather than IP address (this, I think, is wrong because it is hiding info from you). The standard Berkeley rsh utilities handle this correctly.

Has anyone done anything to fix this? Is it fixed in version 11?

--
Daniel Trinkle
Computer Science Department
Purdue University
West Lafayette, IN 47907
ARPA: trinkle@cs.purdue.edu
CSNET: trinkle%purdue.edu@relay.cs.net
UUCP: {ucbvax,decvax,ihnp4}!purdue!trinkle
PHONE: (317) 494-7832
jg@jumbo.UUCP (04/03/87)
In article <771@jumbo.dec.com> jg@jumbo.UUCP (Jim Gettys) writes:
>> Are there any plans to implement a better networking
>>security model for X. . . .
>
>Project Athena has a real authentication server now in production use
>(called Kerberos, the two headed dog that guards the gates to hell).

I was premature in announcing this to this audience; Athena does not yet have Kerberos in a state for export, and even more important, does not have documents ready yet describing it. Please do not bother Jerry Saltzer until you hear further. I will see that it gets properly announced when it is ready for prime time....

Shows what happens when you forget one of the heads on the dog....

-Jim