gerety@hpfclp.UUCP (03/30/87)
This has undoubtedly been beat into the ground before,
but since I don't generally read this note group, here goes.
Are there any plans to implement a better networking
security model for X. Instead of blanket machine permission,
I'd like to see something along the .rhosts model where permission
is granted on a machine/user basis (best of all, use the .rhosts
and hosts.equiv files).
Colin Gerety
gerety%hpfclp@hplabs.hp.com
jg@jumbo.UUCP (04/01/87)
In article <9740001@hpfclp.HP.COM> gerety@hpfclp.HP.COM (Colin Gerety) writes:
> Are there any plans to implement a better networking
> security model for X. Instead of blanket machine permission,
> I'd like to see something along the .rhosts model where permission
> is granted on a machine/user basis (best of all, use the .rhosts
> and hosts.equiv files).

This is a hard problem in a distributed environment without proper
network authentication services. V11 has a hook in the protocol to
permit implementing arbitrary authentication services; since there is
no agreement on authentication in Unix or elsewhere as yet, we cannot
define it further.

Berkeley "poor man's" authentication used in the "r commands" requires
that such programs be set uid to root; while barely acceptable in some
environments, it would make it impossible for mere mortals to write
programs for X.

Project Athena has a real authentication server now in production use
(called Kerberos, the two headed dog that guards the gates to hell).
You might go look at it; send mail to "saltzer@athena.mit.edu" to get
more information.
- Jim
trinkle@arthur.cs.purdue.edu.UUCP (04/03/87)
On a related issue of host permission, I have noticed that xhost
is not very good about handling hosts with multiple network
interfaces.
Xhost (seems to) chooses to store and verify host information
based on IP address rather than canonical (official) name. When it
displays the current hosts (xhost without args), it chooses to display
the canonical name rather than IP address (this, I think, is wrong
because it is hiding info from you).
The standard Berkeley rsh utilities handle this correctly. Has
anyone done anything to fix this? Is it fixed in version 11?
--
Daniel Trinkle trinkle@cs.purdue.edu ARPA
Computer Science Department trinkle%purdue.edu@relay.cs.net CSNET
Purdue University {ucbvax,decvax,ihnp4}!purdue!trinkle UUCP
West Lafayette, IN 47907 (317) 494-7832 PHONE
jg@jumbo.UUCP (04/03/87)
In article <771@jumbo.dec.com> jg@jumbo.UUCP (Jim Gettys) writes:
>> Are there any plans to implement a better networking
>> security model for X. . . .
>
> Project Athena has a real authentication server now in production use
> (called Kerberos, the two headed dog that guards the gates to hell).

I was premature in announcing this to this audience; Athena does not yet
have Kerberos in a state for export, and even more important, does not
have documents ready yet describing it. Please do not bother Jerry
Saltzer until you hear further. I will see that it gets properly
announced when it is ready for prime time....

Shows what happens when you forget one of the heads on the dog....
-Jim
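The multi-homed host behaviour raised in Daniel Trinkle's post above, modelled as an added example that is not part of the thread and is not X or xhost source code. The host table, host names, addresses and the `AccessList` class are all constructed for illustration; it compares an address-keyed list that stores one address per host with one that stores every interface, and a names-only listing with one that shows addresses.

```python
# Constructed resolver data: one multi-homed host, one single-homed host.
HOSTS = {
    "gw.example.edu": ["192.0.2.10", "198.51.100.10"],
    "ws1.example.edu": ["192.0.2.21"],
}

def resolve_all(name):
    """Every address registered for a canonical name (empty if unknown)."""
    return list(HOSTS.get(name, []))

def canonical_name(addr):
    """Reverse lookup: address -> canonical name, or None."""
    for name, addrs in HOSTS.items():
        if addr in addrs:
            return name
    return None

class AccessList:
    """Hypothetical host-based access list keyed by IP address."""
    def __init__(self, all_interfaces):
        self.all_interfaces = all_interfaces
        self.allowed = set()

    def add_host(self, name):
        addrs = resolve_all(name)
        if not addrs:
            raise LookupError(f"unknown host: {name}")
        # Weak form keeps only the first address; the other form keeps all.
        self.allowed.update(addrs if self.all_interfaces else addrs[:1])

    def permits(self, peer_addr):
        return peer_addr in self.allowed

    def listing(self, show_addresses=False):
        """A names-only listing hides which interfaces are permitted."""
        if show_addresses:
            return sorted(f"{canonical_name(a)} ({a})" for a in self.allowed)
        return sorted({canonical_name(a) for a in self.allowed})

def demo():
    first_only, every_addr = AccessList(False), AccessList(True)
    for acl in (first_only, every_addr):
        acl.add_host("gw.example.edu")
    peer = "198.51.100.10"  # connection arriving from gw's second interface
    return first_only.permits(peer), every_addr.permits(peer), first_only.listing()

if __name__ == "__main__":
    print(demo())
```

In the one-address form the names-only listing shows the host as permitted even though a connection from its second interface is refused; the listing with addresses makes that gap visible.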