Lloyd Chambers wrote:
> On server startup, the server would generate a large random number
> and write it in a file that is readable only by the owner of the
> file (the user who started the server).
> 
> Local commands, such as stop-domain, would read this file if it's
> available and send the number as part of the authentication information
> to the server.  The server would accept either the normal
> username/password authentication, or some special username along
> with this number as the password.
> 
> This allows anyone who can read the file to authenticate to the server.
> Normally this would only be the user who owns the server and is running
> on the same machine.
> 
> First, see any holes with this approach?

That sounds very much like the MIT-MAGIC-COOKIE authentication method
available in the X Window System via the xauth command.   Since that's
been in use for 15 years, perhaps seeing just how close you are to that
model would be interesting.

-- 
        -Alan Coopersmith-           alan.coopersmith at sun.com
         Sun Microsystems, Inc. - X Window System Engineering
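
The scheme from the quoted message, sketched as an added example (not code from either poster or from the server under discussion), with the file-handling checks that decide whether "readable only by the owner" actually holds. The `_local_` username, the function names and the cookie length are assumptions made for illustration.

```python
import hmac
import os
import secrets
import stat

LOCAL_USER = "_local_"  # hypothetical special username for cookie logins


def write_cookie(path):
    """Server startup: create the cookie file owner-only from the first byte."""
    cookie = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    try:
        os.unlink(path)  # discard a stale cookie left by a previous run
    except FileNotFoundError:
        pass
    # O_EXCL fails if anything (including a symlink) already exists at path,
    # and mode 0o600 is applied at creation, so there is no window in which
    # the file exists with wider permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(cookie)
    return cookie


def read_cookie(path):
    """Local command: refuse a cookie file that is not private to this user."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd) as f:
        st = os.fstat(f.fileno())  # check the opened file, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("cookie is not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError("cookie file is owned by another user")
        if st.st_mode & 0o077:
            raise PermissionError("cookie file is accessible to group/other")
        return f.read().strip()


def authenticate(username, password, cookie, check_password):
    """Server: accept the cookie for the special user, else normal login."""
    if username == LOCAL_USER:
        # Constant-time comparison so response timing does not leak the cookie.
        return hmac.compare_digest(password.encode(), cookie.encode())
    return check_password(username, password)
```

The cookie is regenerated on every start, so a value copied from an earlier run stops working once the server restarts.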

