Darren J Moffat wrote:
> Roland Mainz wrote:
> > Would there be any (technical) objections to modify "useradd" to add
> > entries to /etc/publickey by default (and assign a default host key for
> > the machines, too) ?
> > The idea is to get SecureRPC working by default on a plain Solaris
> > installation to allow users to use X11's SUN-DES-1 authentication
> > scheme instead of MIT-MAGIC-COOKIE-1 stuff (e.g. use $ xhost +username@
> > # instead of shuffling cookies around which should be much more
> > user-friendly) and/or use SecureRPC for NFS...
> 
> Sounds like a great idea to me.

Even if this means that "keyserv" needs to be enabled by default (which
becomes a bit tricky if a user wants to run an Xserver without
"-nolisten tcp" and then needs the "keyserv" daemon to be accessible,
too) ? And how can we generate the host's entry for /etc/publickey at
install time ? What do we do when the user does not specify a domainname
? Finally... how can we figure out the uid of the person who owns the
target Xserver (see $ xauth add ... SUN-DES-1
unix.${uid_who_owns_target_xserv...@monsterinc.com # -lines below) ...

Anyway... what about a joint-venture between the security and X11 teams
to implement such a thing and make SecureRPC authentication then the
default for both X11 and NFS authentication (more or less a follow-up
to the "secure-by-default" project... :-) ) ?

BTW: For those who are interested: X11's SUN-DES-1 auth. can be used
(without NIS+) like this:

1. Create a domain name for the machine:
$ domainname monsterinc.com

2. Create key for the current machine
$ newkey -h myhostname -s files
<enter root password>

3. Enable keyserv
$ svcadm enable keyserv

4. Build /etc/.rootkey (I have no clue why this is required)
$ chkey -s files
<enter root password>

5. Create key per user. This needs to be repeated for all users who wish
to use this feature (the keys will AFAIK be updated when someone changes
his/her password (at least NIS+ works this way but I'm not sure for
plain files-based publickeys))
$ newkey -u myusername -s files
<enter user password>

6. Either reboot, let the users re-login or each user just issue a $
keylogin # for users who wish to use SecureRPC

7. Use $ xhost +anotherusername@ # to allow user "anotherusername" to
access your display

8. The user who wishes to access the Xserver must remove the existing
xauth info for the target display and replace it with the "netname"
value of the person who owns the matching Xserver
$ uid_who_owns_target_xserver=666
$ xauth remove myhostname:0
$ xauth remove myhostname/unix:0
$ xauth add myhostname:0 SUN-DES-1 unix.${uid_who_owns_target_xserv...@monsterinc.com
$ xauth add myhostname/unix:0 SUN-DES-1 unix.${uid_who_owns_target_xserv...@monsterinc.com

Long ago I wrote a script which probes whether the user has valid NIS+
credentials and then replaces the MIT-MAGIC-COOKIE-1 with SUN-DES-1 when
X11 starts (and the matching script was contributed back to X.org) ...
maybe this can be used as a basis to do the same for dtlogin/gdm/kdm/xdm
without hacking these daemons...

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)
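
A pre-flight check for step 8 of the procedure in the message above, as an added example that is not part of the original post and not the script Roland mentions. The function names are hypothetical, and the /etc/publickey line layout (netname, whitespace, public:secret) is an assumption; the commands are printed rather than run, and the sample key line is constructed.

```shell
#!/bin/sh
# Added example: refuse to switch a display to SUN-DES-1 unless the
# Xserver owner's netname can be built and has a publickey entry.

# Build the Secure RPC netname unix.<uid>@<domain>.
netname_for() {
    uid=$1; domain=$2
    case $uid in ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 2 ;; esac
    # No domainname set (the open question in the message): stop here.
    [ -n "$domain" ] || { echo "no domainname set" >&2; return 3; }
    printf 'unix.%s@%s\n' "$uid" "$domain"
}

# Succeed if publickey file $1 holds a "public:secret" field for netname $2.
# Assumed layout: <netname> <whitespace> <public>:<secret>
has_publickey() {
    awk -v n="$2" '$1 == n && index($2, ":") > 1 { found = 1 }
                   END { exit !found }' "$1"
}

# Print the xauth commands of step 8 for both display names.
sundes_xauth_cmds() {
    host=$1; uid=$2; domain=$3; pkfile=$4
    nn=$(netname_for "$uid" "$domain") || return $?
    has_publickey "$pkfile" "$nn" || {
        echo "no publickey entry for $nn (newkey -u not run?)" >&2
        return 4
    }
    for d in "$host:0" "$host/unix:0"; do
        printf 'xauth remove %s\n' "$d"
        printf 'xauth add %s SUN-DES-1 %s\n' "$d" "$nn"
    done
}

# Demo on a constructed publickey file (hex values are made up).
pk=$(mktemp)
printf 'unix.666@monsterinc.com 0a1b2c:3d4e5f\n' > "$pk"
sundes_xauth_cmds myhostname 666 monsterinc.com "$pk"
rm -f "$pk"
```
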
