[KLUG Members] XDMCP and two Ethernet interfaces.

Adam Williams members@kalamazoolinux.org
18 Jan 2002 06:15:11 -0500


>On the Masq machine, after 'X -query monitor' has timed out:
>AUDIT: X: client 1 rejected from IP 172.16.x.x
>     Auth name: MIT-MAGIC-COOKIE-1 ID: -1
>So you see, what is happening is that the Masq client is attempting to XDMCP 
>to the monitor host via the eth1 network.  However, it is sending the
>eth0 address in the Auth cookie.  MIT don't like this cause it means
>cracker is spoofing an ip, pretending to be 205.243.56.6 when the host
>can clearly see it's coming from a 172.16.x.x address.
>I used 'xhost' on the X host to first add the client to the list of allowed 
>hosts, then finally to disable authentication completely, as per the
>'xhost' man page.  However, I receive the same errors.
>So, my question has two parts:

What does netstat -ap | grep xdm look like?

Do you have different host names for each interface or do they look up
the same?

>1)  Is there a way to force the X client to send the eth1 address in the 
>cookie, or is this basically a crack?  After all, that's why MIT auth
>is so insecure.  I'd rather not spoof it if I don't have to.  Also, I'd

MIT COOKIE security isn't "secure".

>like to be able to do this via KERBEROS or any other authentication
>system LEGITIMATELY.

GDM supports Kerberos via PAM, as does xdm (I think).  Usually this
only concerns itself with allocating tickets for the user upon successful
login, not with authenticating the XDMCP itself.

>2) How can I get the X host to disable authentication. 

From the xdm man page:
       xdm  offers display management two different ways.  It can
       manage X servers running on the local machine and specified
       in Xservers, and it can manage remote X servers (typically
       X terminals) using XDMCP (the XDM Control Protocol)
       as specified in the Xaccess file.

>It seems that 'xhost' 
>is the proper way to do this, but no matter the setting, the machine is
>still using MIT authentication.

xhost is used by running XDMCP sessions to grant additional privileges
to other hosts and users.

>I have stopped and started X, xdm, and gdm several times between configuration
>changes on the X host.