Xauth

(or how to keep your screen private)

Much of this information blatently stolen from Ben and Baba's Xsecurity document

Why xhost is bad:

If you xhost +machine you are allowing any user on machine complete access to your X display.

That means remote users can do lots of nasty things like:

destroy any (or all) of your windows (xkill)
open up any new windows on your screen
view the contents of your screen remotely
log your keystrokes (capture your passwords)
generate any X event

xhost + is even worse.

Better: xauth

Xauth requires the account on the remote machine to know a secret quantity for your display called an MIT-MAGIC-COOKIE-1. If the remote user knows this quantity it can have complete access to the local display.

Cookbook recipe to using xauth:

On local machine:

dwalin[17]:xauth list                                                         ~
dwalin.acm.uiuc.edu:0  MIT-MAGIC-COOKIE-1  3bbdd486c11d2ddfbb7111ab088e69c6
dwalin.acm.uiuc.edu/unix:0  MIT-MAGIC-COOKIE-1  3bbdd486c11d2ddfbb7111ab088e69c6

The first line is the inet domain and the second line is the unix domain. We only care about the inet domain.

triple click on the inet domain line.
Login to remote machine.
On remote machine: setenv DISPLAY local.machine:0
On remote machine: xauth add <hit paste button>

There are ways of doing this with rsh but that opens up other holes. See xrsh for more details.

Setting up Xauth

If you're running xdm you will be given a fresh cookie every time you login. Otherwise you'll need to start X with authority.

You will need to do two things:

manually give yourself a cookie
start X with authority

As a perl script:


#!/usr/local/bin/perl

set randomkey=`perl -e 'for (1..4) { 
    srand(time+$$+$seed); 
    printf("%4.5x", ($seed = int(rand(65536))));
  } 
  print "\n";'`

  xauth add `hostname`/unix:0 . $randomkey
  xauth add `hostname`:0 . $randomkey

A ksh equivalent would be:


#!/bin/ksh

  randomkey=$(echo $(( $RANDOM * $RANDOM * 2 )))

  xauth add $(hostname)/unix:0 . $randomkey
  xauth add $(hostname):0 . $randomkey

Then start X with authority:


xinit $HOME/.xinitrc -- /usr/bin/X11/X -auth $HOME/.Xauthority

See Ben and Baba's Xsecurity document and the `xauth` manpage for more information

Conclusion:

xauth sucks almost as bad as xhost but at least it won't let everyone in the world snarf your passwords.

xmodmap

top

pagers

jgross@uiuc.edu

Xauth

Much of this information blatently stolen from Ben and Baba's Xsecurity document

Why `xhost` is bad:

Better: `xauth`

Cookbook recipe to using xauth:

Setting up Xauth

See Ben and Baba's Xsecurity document and the `xauth` manpage for more information

Conclusion:

Xauth

Much of this information blatently stolen from Ben and Baba's Xsecurity document

Why xhost is bad:

Better: xauth

Cookbook recipe to using xauth:

Setting up Xauth

See Ben and Baba's Xsecurity document and the xauth manpage for more information

Conclusion:

Why `xhost` is bad:

Better: `xauth`

See Ben and Baba's Xsecurity document and the `xauth` manpage for more information