
[help]: X server insecure (must use xauth-style authorization)


Stephen Benson

Aug 21, 1994, 9:02:58 AM
[ I've cross-posted because there are a lot of linux-based ticklers in
c.l.tcl and I've seen various posts on the subject there -- none of
the suggestions I've seen have worked for me -- and I haven't found it
in the faq (or the bits I've got) altho' I was told it's there. ]

I've been trying to set up xauth for my linux 1.0.9 (installed originally from
Slack 2.0) so I can use various tcl/tk based toys: send, expect, debuggers...
These find my system "insecure" and recommend xauth as the fix, eg:

..::[snip]::..

X server insecure (must use xauth-style authorization); command ignored
while executing
"send $tutInterpreter {proc XFTUTEval {cmd interp} {eval $cmd; send $interp TUTUnblock}}"
(file "/usr/src/tcldev/xf2.3/xftutorial/xftutorial.tcl" line 447)
invoked from within
"source /usr/src/tcldev/xf2.3/xftutorial/xftutorial.tcl"

..::[snip]::..

So I've read the man pages etc, created an .Xauthority file (several different
ways -- using examples and shell/perl scripts provided by people) and started
it with permutations of "startx --X -xauth" "startx -- -auth $HOME/.Xauthority"
(all I could think of, since I don't use xdm which is what the manual pages
mainly talk about). I can't really work out where in startx (a pretty stock
Slack script) to put the xauth command.

Somewhat to my surprise it seemed to work -- I kicked up xauth and asked list,
nlist etc and it seemed to know what I was talking about. But the xf (a tcl/tk
tool) tutorial still says the same thing: insecure system, use xauth.

Later now it became clear none of this worked. I also have another thing I
don't really understand: one of the scripts creates *binary*
cookies/.Xauthority, which X chokes on *if* specified on the command line (if
I leave out the name, i.e. startx -- -auth, X starts OK, but xauth is still not
working enough for send/expect etc).

Clearly I don't know what I'm doing -- but I'd like to. I know I can compile
an interpreter _without_ the security flag but I want to do this right.

--
+ stephen benson + + + + + + linux 1.0.9 + + xfree86 2.1.1 +
+ + step...@scribendum.win-uk.net + + ci$ 10027...@compuserve.com +
. * .
+ . . +

Charles Lopes

Aug 22, 1994, 10:06:54 AM
In article <3...@scribendum.win-uk.net>, step...@scribendum.win-uk.net (Stephen Benson) writes:
|> [ I've cross-posted because there are a lot of linux-based ticklers in
|> c.l.tcl and I've seen various posts on the subject there -- none of
|> the suggestions I've seen have worked for me -- and I haven't found it
|> in the faq (or the bits I've got) altho' I was told it's there. ]
|>
|> I've been trying to set up xauth for my linux 1.0.9 (installed originally from
|> Slack 2.0) so I can use various tcl/tk based toys: send, expect, debuggers...
|> These find my system "insecure" and recommend xauth as the fix, eg:
|>
|> ..::[snip]::..
|>
|> X server insecure (must use xauth-style authorization); command ignored
|> while executing
|> "send $tutInterpreter {proc XFTUTEval {cmd interp} {eval $cmd; send $interp TUTUnblock}}"
|> (file "/usr/src/tcldev/xf2.3/xftutorial/xftutorial.tcl" line 447)
|> invoked from within
|> "source /usr/src/tcldev/xf2.3/xftutorial/xftutorial.tcl"
|>
|> ..::[snip]::..
|>
|> So I've read the man pages etc, created an .Xauthority file (several different
|> ways -- using examples and shell/perl scripts provided by people) and started
|> it with permutations of "startx --X -xauth" "startx -- -auth $HOME/.Xauthority"
|> (all I could think of, since I don't use xdm which is what the manual pages
|> mainly talk about). I can't really work out where in startx (a pretty stock
|> Slack script) to put the xauth command.

Which man pages did you read? The ones containing valuable information are
"xauth.1", "X.1" and "xdm.1". You don't need to create .Xauthority yourself. I
think you're not even supposed to. Moreover I don't know of any way to tell the X
server to use the COOKIE created by the scripts you mentioned. The way I
understand it the COOKIEs are meant to be created by xdm that also manages the X
server (and so tells it which COOKIE/authorisation mechanism to use).
This is what you can do to have it working properly:
* edit the files in /usr/lib/X11/xdm. I have the following in mine:

xdm-config:
    DisplayManager.removeDomainname: true
    DisplayManager.errorLogFile: /var/adm/xdm-errors
    DisplayManager.pidFile: /var/run/xdm-pid
    DisplayManager.authDir: /var/X11/xdm
    DisplayManager.keyFile: /usr/lib/X11/xdm/xdm-keys
    DisplayManager.servers: /usr/lib/X11/xdm/Xservers
    DisplayManager.accessFile: /usr/lib/X11/xdm/Xaccess
    DisplayManager._0.setup: /usr/lib/X11/xdm/Xsetup_0
    DisplayManager._0.startup: /usr/lib/X11/xdm/GiveConsole
    DisplayManager._0.reset: /usr/lib/X11/xdm/TakeConsole
    DisplayManager*resources: /usr/lib/X11/xdm/Xresources
    DisplayManager*session: /usr/lib/X11/xdm/Xsession
    DisplayManager*chooser: /usr/lib/X11/xdm/chooser
    DisplayManager*userPath: /bin:/usr/local/bin:/usr/bin
    DisplayManager*systemPath: /sbin:/bin:/usr/sbin:/usr/local/bin:/usr/bin:/usr/bin/X11/

Xservers:
    <empty file>

Xaccess:
    localhost
    <your host name>

* then run xdm as a daemon process

* start the X server using the following command line: "X -query localhost -once".
  This will eventually become my startx script.

Starting the X server this way will make it connect to the xdm daemon that will in
turn create an MIT MAGIC COOKIE and make the X server use it. Then xdm will
prompt for a login in the X server. If the login procedure succeeds xdm then
creates the required .Xauthority in the user's home directory.
I advise you to edit Xsession. Mine does some of the things startx used
to do like appending some directories to $PATH, merging system and/or user
resources, loading the right Xmodmap, etc. Also you'd better have Xsetup_0 run
XConsole instead of xconsole since the last one doesn't work (at least for me).
One last thing: check that there is no host in xhost's list. If that's the case,
look for a file called X0.hosts and delete it. If you try this out and it still
doesn't work feel free to send me e-mail.

Regards,
Charles

|> + stephen benson + + + + + + linux 1.0.9 + + xfree86 2.1.1 +
|> + + step...@scribendum.win-uk.net + + ci$ 10027...@compuserve.com +
|> . * .
|> + . . +

--

------------------
Charles Lopes | Internet: Charle...@infm.ulst.ac.uk
Computing Officer | Phone: +44 (0504) 265621
Faculty of Informatics | Phone extension: 5315
Magee College, University of Ulster | Office: MB023

Brian L. Kahn

Aug 22, 1994, 10:07:36 AM

In article <33abdu$7...@niaomi.iscm.ulst.ac.uk> tja...@petrel.infm.ulst.ac.uk (Charles Lopes) writes:

   Which man pages did you read? The ones containing valuable information are
   "xauth.1", "X.1" and "xdm.1". You don't need to create .Xauthority yourself. I
   think you're not even supposed to. Moreover I don't know of any way to tell the X
   server to use the COOKIE created by the scripts you mentioned. The way I
   understand it the COOKIEs are meant to be created by xdm that also manages the X
   server (and so tells it which COOKIE/authorisation mechanism to use).

Xdm is just one way. I never use it myself. If everything is built
right, all you have to do is use 'xauth' to create a .Xauthority file
and start your server with -auth option. Specifically,
    % xauth add :0 . a7b89cad
    xauth: creating new authority file .Xauthority
    % xauth list
    your_host/unix:0 MIT-MAGIC-COOKIE-1 a7b89cad
    % cat .xserverrc
    X :0 -auth $HOME/.Xauthority


--
Brian L. Kahn "In theory, there is no difference between theory and practice.
b...@mitre.org In practice, of course, there is."


Frank Dwyer

Aug 21, 1994, 3:58:05 PM
Stephen Benson (step...@scribendum.win-uk.net) wrote:
:>I've been trying to set up xauth for my linux 1.0.9 (installed originally from
:>Slack 2.0) so I can use various tcl/tk based toys: send, expect, debuggers...
:>These find my system "insecure" and recommend xauth as the fix, eg:

What you may be missing is a .xserverrc file. This is where you can specify
a list of command line arguments to the X server. It looks for this file at
startup. Mine reads like this:

enterprise:~>more .xserverrc
X :0 -auth /home/dwyer/.Xauthority


If you're using xdm, you can change one of the configuration files to have
it create a .Xauthority file for you at the start of each session.

A good clue that xauth is working comes from running the xhost command. On
my system, this results in:

enterprise:/tmp>xhost
access control enabled, only authorized clients can connect

If you see other hostnames (including the local machine) listed after this
message, do an xhost - for each of them. The xhost command should then
return exactly what's shown above. Now, try to open an xterm from the local
machine (where X is running). If you can, xauth is working (since no
machines are currently xhost-ed).

Note that you will need to replicate the .Xauthority file on any machine you
ever intend to run X clients. This is usually not a problem at sites that
use cross-mounted NFS, but can be tricky to set up if you're working at
home and you can't get at your home directory at work.

Just think of xauth and xhost as a two-tiered authentication scheme. When
you start clients that attempt to connect to your X display, your X server
first checks to see if the hostname where the client is running is host-ed.
If it is, the client is allowed to connect. If not, the client tries to
find and present an Xauth cookie to the server. If the cookie matches what
the X server is using (from the Xauthority file), the client can connect.
In general, the cookie the server and client use come from the same
Xauthority file (in your home directory). Hence, they contain the same
values, and clients started by you can connect to your X server. Should
someone else attempt to connect to your X display, their clients will be
unable to present the correct cookie. As long as you keep your .Xauthority
file secure (chmod it 600), this is a simple method for maintaining X
security.

You'll also find that it's nice not having to xhost anymore... Xauth takes
care of it. :)

Incidentally, xauth only manipulates the Xauthority file, it does not affect
the functionality of the X server. You can't use it to tell if xauth is
working (unfortunately). You just have to try running clients and see if
they show up.

-f

--
Frank Dwyer (dw...@scri.fsu.edu) Office: 443 SCL (904) 644-6008
http://www.scri.fsu.edu/~dwyer FAX : (904) 644-0098
Unix System Manager / Systems Development Pager : (904) 422-4333

Supercomputer Computations Research Institute
Florida State University
Tallahassee, FL 32306

-----------------------------------------------------------------------------
"Unix _IS_ user friendly... It's just selective about who its friends are."
-----------------------------------------------------------------------------
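
The check described in the post above (an empty xhost list plus a private .Xauthority), written out as an added example; it is not part of the original thread. The function names audit_xhost and check_authfile are assumptions made for this sketch, and the sample xhost output is constructed.

```shell
#!/bin/sh
# Added example: audit both tiers (xhost list, then the cookie file).

# audit_xhost: reads `xhost` output on stdin. Prints "ok" when access control
# is enabled and no hosts are listed, otherwise one finding per line.
# Exit status is 0 only for "ok".
audit_xhost() {
    awk '
        NR == 1 && /^access control enabled/  { next }
        NR == 1 && /^access control disabled/ { print "access-control-disabled"; bad = 1; next }
        NR == 1                               { print "unrecognized: " $0; bad = 1; next }
        NF > 0                                { print "host-listed: " $1; bad = 1 }
        END {
            if (NR == 0) { print "no-output"; exit 1 }
            if (!bad) print "ok"
            exit (bad ? 1 : 0)
        }'
}

# check_authfile FILE: prints "ok" when FILE is a regular file with no
# group/other permission bits (chmod 600 satisfies this).
check_authfile() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -???------) echo "ok" ;;
        *)          echo "bad-mode: $mode"; return 1 ;;
    esac
}

# Constructed sample: xhost output with one host still in the list.
printf '%s\n' 'access control enabled, only authorized clients can connect' \
    'enterprise' | audit_xhost || true
```

On a live display, pipe the real output in with `xhost | audit_xhost` and run `check_authfile "$HOME/.Xauthority"`.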

N Metheringham

Aug 25, 1994, 6:22:00 AM
Brian L. Kahn (b...@vanity.mitre.org) wrote:

: In article <33abdu$7...@niaomi.iscm.ulst.ac.uk> tja...@petrel.infm.ulst.ac.uk (Charles Lopes) writes:

: Which man pages did you read? The ones containing valuable information are
: "xauth.1", "X.1" and "xdm.1". You don't need to create .Xauthority yourself. I
: think you're not even supposed to. Moreover I don't know of any way to tell the X
: server to use the COOKIE created by the scripts you mentioned. The way I
: understand it the COOKIEs are meant to be created by xdm that also manages the X
: server (and so tells it which COOKIE/authorisation mechanism to use).

: Xdm is just one way. I never use it myself. If everything is built
: right, all you have to do is use 'xauth' to create a .Xauthority file
: and start your server with -auth option. Specifically,
: % xauth add :0 . a7b89cad
: xauth: creating new authority file .Xauthority
: % xauth list
: your_host/unix:0 MIT-MAGIC-COOKIE-1 a7b89cad
: % cat .xserverrc
: X :0 -auth $HOME/.Xauthority

If you want to make long randomish keys I have a perl script to do that.
It might be a bit specific to my system - you need a few things
such as a host and a hostname command. It's not perfect but it works
OK - NB I often get line too long errors from xauth - not sure why,
but it works OK.

#!/usr/bin/perl

$KeyLength = 16;
# set random nums up
srand(time|$$);

for ($Index = 0;($Index < $KeyLength); $Index++) {
    $Key .= sprintf("%02x", int(rand(256)));
}

$HostName = `hostname`;
chop($HostName);
($FullHostName) = split(' ',`host $HostName`);
open(XAUTH, "|xauth");
print XAUTH ("add $FullHostName:0 MIT-MAGIC-COOKIE-1 $Key\n",
             "add :0 MIT-MAGIC-COOKIE-1 $Key\n",
             "quit");
close XAUTH;

Nigel.


David Werner

Sep 2, 1994, 9:36:26 PM
N Metheringham (n...@unix.york.ac.uk) wrote:

: If you want to make long randomish keys I have a perl script to do that.
: It might be a bit specific to my system - you need a few things
: such as a host and a hostname command. It's not perfect but it works
: OK - NB I often get line too long errors from xauth - not sure why,
: but it works OK.

: #!/usr/bin/perl

: $KeyLength = 16;
: # set random nums up
: srand(time|$$);

: for ($Index = 0;($Index < $KeyLength); $Index++) {
: $Key .= sprintf("%02x", int(rand(256)));
: }

: $HostName = `hostname`;
: chop($HostName);
: ($FullHostName) = split(' ',`host $HostName`);
: open(XAUTH, "|xauth");
: print XAUTH ("add $FullHostName:0 MIT-MAGIC-COOKIE-1 $Key\n",
: "add :0 MIT-MAGIC-COOKIE-1 $Key\n",
: "quit");
: close XAUTH;

: Nigel.

Your script isn't secure enough. Someone who is logged on the same
host where you want to start the X server can easily obtain time
(if the time is not correct enough he can guess it with several tries)
and $$ by observing your processes with ps. Then he can generate with
a similar script the right MAGIC-COOKIE.

Ciao, Dave
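
A cookie generator that does not depend on time or the process ID, as an added example that is not part of the original thread: it takes the 16 bytes from the kernel random device instead of a seeded rand(). It assumes a system that provides /dev/urandom; the function names and the host name myhost.example are made up for this sketch.

```shell
#!/bin/sh
# Added example: cookie from the kernel CSPRNG instead of srand(time|$$).
# Assumes /dev/urandom exists; all function names here are hypothetical.

# gen_cookie: print 16 random bytes as 32 lowercase hex digits.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# valid_cookie HEX: succeed only for exactly 32 lowercase hex digits.
valid_cookie() {
    case $1 in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# xauth_commands HOST COOKIE: print the same two "add" lines the Perl
# script above feeds to xauth, refusing a malformed cookie.
xauth_commands() {
    valid_cookie "$2" || { echo "refusing malformed cookie" >&2; return 1; }
    printf 'add %s:0 MIT-MAGIC-COOKIE-1 %s\n' "$1" "$2"
    printf 'add :0 MIT-MAGIC-COOKIE-1 %s\n' "$2"
}

# install_cookie HOST: write the entries with a umask that keeps the
# authority file unreadable to other users. Requires xauth to be installed.
install_cookie() {
    ( umask 077
      cookie=$(gen_cookie) || exit 1
      xauth_commands "$1" "$cookie" |
          xauth -q -f "${XAUTHORITY:-$HOME/.Xauthority}" )
}

# Demo: show what would be piped to xauth, with the cookie masked.
xauth_commands "myhost.example" "$(gen_cookie)" |
    sed 's/[0-9a-f]\{32\}$/<32 hex digits>/'
```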
