[KLUG Members] XDMCP and two Ethernet interfaces.
Robert Anderson
members@kalamazoolinux.org
Wed, 16 Jan 2002 11:55:14 -0500
This is a MIME message. If you are reading this text, you may want to
consider changing to a mail reader or gateway that understands how to
properly handle MIME multipart messages.
--=_C895BC69.E382E41F
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
RH7.2 both machines.
I run a masquerading machine with two ethernet interfaces, eth0 and eth1.
My eth0 address is an 'illegal' public IP address that I am bound to use =
by way of a contractual obligation with a client. My eth1 is a 172.16.x.x =
address. =20
I am attempting to establish an XDMCP session between this Masq machine =
and another Linux box running on the 172.16.x.x network. The other Linux =
box, we'll call him 'monitor', runs xdm/gdm just fine, I can connect from =
any machine I desire. However, when i attempt to connect from the Masq =
machine, I get this error:
On monitor, the X host, /var/log/xdm-errors:
Xlib: connection to "205.243.56.6:0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
On the Masq machine, after 'X -query monitor' has timed out:
AUDIT: X: client 1 rejected from IP 172.16.x.x
Auth name: MIT-MAGIC-COOKIE-1 ID: -1
So you see, what is happening is that the Masq client is attempting to =
XDMCP to the monitor host via the eth1 network. However, it is sending =
the eth0 address in the Auth cookie. MIT don't like this cause it means a =
cracker is spoofing an ip, pretending to be 205.243.56.6 when the host can =
clearly see it's coming from a 172.16.x.x address.
I used 'xhost' on the X host to first add the client to the list of =
allowed hosts, then finally to disable authentication completely, as per =
the 'xhost' man page. However, I receive the same errors.
So, my question has two parts:
1) Is there a way to force the X client to send the eth1 address in the =
cookie, or is this basically a crack? After all, that's why MIT auth is =
so insecure. I'd rather not spoof it if I don't have to. Also, I'd like =
to be able to do this via KER BEROS or any other authentication system =
LEGITIMATELY.
2) How can I get the X host to disable authentication. It seems that =
'xhost' is the proper way to do this, but no matter the setting, the =
machine is still using MIT authentication.
I have stopped and started X, xdm, and gdm several times between configurat=
ion changes on the X host.
--=_C895BC69.E382E41F
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Description: HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1"=
>
<META content=3D"MSHTML 5.50.4030.2400" name=3DGENERATOR></HEAD>
<BODY style=3D"MARGIN-TOP: 2px; FONT: 8pt MS Sans Serif; MARGIN-LEFT: =
2px">
<DIV><FONT size=3D1>RH7.2 both machines.</FONT></DIV>
<DIV><FONT size=3D1></FONT> </DIV>
<DIV><FONT size=3D1>I run a masquerading machine with two ethernet =
interfaces,=20
eth0 and eth1.</FONT></DIV>
<DIV><FONT size=3D1></FONT> </DIV>
<DIV><FONT size=3D1>My eth0 address is an 'illegal' public IP address that =
I am=20
bound to use by way of a contractual obligation with a client. My =
eth1 is=20
a 172.16.x.x address. </FONT></DIV>
<DIV><FONT size=3D1></FONT><FONT size=3D1></FONT> </DIV>
<DIV><FONT size=3D1>I am attempting to establish an XDMCP session between =
this=20
Masq machine and another Linux box running on the 172.16.x.x network. =
The=20
other Linux box, we'll call him 'monitor', runs xdm/gdm just fine, I =
can=20
connect from any machine I desire. However, when i attempt =
to=20
connect from the Masq machine, I get this error:</FONT></DIV>
<DIV><FONT size=3D1></FONT> </DIV>
<DIV><FONT size=3D1>On monitor, the X host, /var/log/xdm-errors:</FONT></DI=
V>
<DIV><FONT size=3D1></FONT> </DIV>
<DIV>Xlib: connection to "205.243.56.6:0.0" refused by server<BR>Xlib: =
Invalid=20
MIT-MAGIC-COOKIE-1 key</DIV>
<DIV> </DIV>
<DIV>On the Masq machine, after 'X -query monitor' has timed out:</DIV>
<DIV> </DIV>
<DIV>AUDIT: X: client 1 rejected from IP 172.16.x.x</DIV>
<DIV> Auth name: MIT-MAGIC-COOKIE-1 ID: -1</DIV>
<DIV> </DIV>
<DIV>So you see, what is happening is that the Masq client is attempting =
to=20
XDMCP to the monitor host via the eth1 network. However, it is =
sending the=20
eth0 address in the Auth cookie. MIT don't like this cause it means =
a=20
cracker is spoofing an ip, pretending to be 205.243.56.6 when the host =
can=20
clearly see it's coming from a 172.16.x.x address.</DIV>
<DIV> </DIV>
<DIV>I used 'xhost' on the X host to first add the client to the list of =
allowed=20
hosts, then finally to disable authentication completely, as per the =
'xhost' man=20
page. However, I receive the same errors.</DIV>
<DIV> </DIV>
<DIV>So, my question has two parts:</DIV>
<DIV> </DIV>
<DIV>1) Is there a way to force the X client to send the eth1 =
address in=20
the cookie, or is this basically a crack? After all, that's why MIT =
auth=20
is so insecure. I'd rather not spoof it if I don't have to. =
Also,=20
I'd like to be able to do this via KER BEROS or any other authentication =
system=20
LEGITIMATELY.</DIV>
<DIV> </DIV>
<DIV>2) How can I get the X host to disable authentication. It seems =
that=20
'xhost' is the proper way to do this, but no matter the setting, the =
machine is=20
still using MIT authentication.</DIV>
<DIV> </DIV>
<DIV>I have stopped and started X, xdm, and gdm several times between=20
configuration changes on the X host.</DIV></BODY></HTML>
--=_C895BC69.E382E41F--