[EMAIL PROTECTED] wrote:
>
> Martin wrote,
>
> > From: "Christian Hudon" <[EMAIL PROTECTED]>
> > Date: Sat, 21 Jun 1997 14:48:19 +0000
> > Subject: "xauth +", not a good idea...
> >
>
> > If you don't trust every user on your machine, you'll need to learn a bit
> > about xauth. "xauth list $DISPLAY" will list the key for the display
> > $DISPLAY.
>
> > pianocktail.org/unix:0 MIT-MAGIC-COOKIE-1
> > 53a82429fe56a1cf5236f3d4852e7d79e
>
> > Anyone who has that key is authorized to connect to the X server managing
> > display $DISPLAY. So say you want to grant user bar access to the display
> > that user foo is using, you just do (as bar):
>
> > [EMAIL PROTECTED]:[~]> xauth add pianocktail.org/unix:0 MIT-MAGIC-COOKIE-1
> > 53a82429fe56a1cf5236f3d4852e7d79e
>
> curiouser and curiouser. I tried this, and it worked--once. I then
> successfully launched emacs, then lost the ability to change the remote xauth
> entirely. (???).
>
> Getting the sequence from the login xterm, I then type
> pv2086ttyp7:rhawkins>xauth list $DISPLAY
> eyry.econ.iastate.edu:0 MIT-MAGIC-COOKIE-1 e627d47d72c34079be1f6c35ca3b58b1
> pv2086ttyp7:rhawkins>xauth add eyry.econ/unix:0 MIT-MAGIC-COOKIE-1
> 684e3c0f4c1e460741426f5272005d0c
> pv2086ttyp7:rhawkins>xauth list $DISPLAY
> eyry.econ.iastate.edu:0 MIT-MAGIC-COOKIE-1 e627d47d72c34079be1f6c35ca3b58b1

Note: there can be more than one entry for a given host. The '/unix' in
'eyry.econ/unix:0' means that the entry is good for a "unix-domain socket".
Unix-domain sockets only work on a single system, not over the network. Note
also that there can be (and generally are) several entries in an xauth file.
By using the construct 'xauth list $DISPLAY' you are limiting the list printed
out to the entry for '$DISPLAY'. In fact, if after the above 'add' command you
ran 'xauth list eyry.econ/unix:0' you would see the entry you added. What you
want to do is 'xauth add $DISPLAY <...>'.

> That is, it isn't changing it in the remote system. However, it does seem to
> work in the root window on the local system.
>
> The remote system is using kerberos if this makes a difference. I still
> haven't figured out how to get the rpm's for kerberos installed. This
> prevents me from using rsh, getting pop-3 mail, etc.
>
> I've looked at the telnet man page, and it looks like I could evaluate the
> cookie, put it in a variable, pass this with the environ option, then have the
> remote .cshrc check for the variable, and add it if present.
>
> At the moment, I'm not worried nearly as much about security as in getting
> something to work. Even xhost + only works for a few seconds.

This is very odd. I'm really wondering how it can work only for a few seconds.
There would have to be something else disabling the perms after you allowed
them. kerberos is orthogonal (in this case, since we're using
MIT-MAGIC-COOKIE-1 authorization) to X security and should have no effect
unless you're bringing other programs into the equation--for example to get
your key across the network--which use kerberos.

--
Jens B. Jorgensen
[EMAIL PROTECTED]
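The point made in the reply above, that a `host/unix:0` entry and a network entry for display 0 are separate records in the same authority file, shown as an added example that is not part of the original thread. It assumes the libXau record layout (big-endian 16-bit family followed by four length-prefixed fields) and a simplified model of how `xauth list <display>` selects entries; the cookies and the address 192.0.2.10 are constructed placeholders.

```python
import ipaddress
import struct

FAMILY_INTERNET = 0   # TCP entry; address field is a packed IPv4 address
FAMILY_LOCAL = 256    # unix-domain socket entry, displayed as host/unix:N
COOKIE = b"MIT-MAGIC-COOKIE-1"

def pack_entry(family, address, number, name, data):
    """Serialize one record: u16 family, then four u16-length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Return a list of (family, address, number, name, data) tuples."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            (length,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + length > len(blob):
                raise ValueError("truncated Xauthority record")
            fields.append(blob[pos:pos + length])
            pos += length
        entries.append((family, *fields))
    return entries

def display_key(display):
    """Map 'host/unix:N' or 'a.b.c.d:N' to the (family, address, number) it selects."""
    host, _, number = display.rpartition(":")
    number = number.split(".")[0].encode()        # drop an optional screen suffix
    if host.endswith("/unix"):
        return FAMILY_LOCAL, host[:-len("/unix")].encode(), number
    # Assumption: only dotted-quad hosts are handled, so no DNS lookup is needed.
    return FAMILY_INTERNET, ipaddress.IPv4Address(host).packed, number

def list_display(entries, display):
    """Hex cookies of the entries that a lookup for this display name selects."""
    key = display_key(display)
    return [e[4].hex() for e in entries if e[:3] == key]

# Constructed sample file: the network entry keeps the server's cookie (aa..),
# while 'xauth add eyry.econ/unix:0 ...' created a second, local entry (bb..).
SAMPLE = (
    pack_entry(FAMILY_INTERNET, ipaddress.IPv4Address("192.0.2.10").packed,
               b"0", COOKIE, bytes.fromhex("aa" * 16))
    + pack_entry(FAMILY_LOCAL, b"eyry.econ", b"0", COOKIE, bytes.fromhex("bb" * 16))
)
```

Listing the network display returns only the first cookie, which is why the second `xauth list $DISPLAY` in the quoted session looked unchanged; the added cookie is visible only under the `/unix` name.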