[KLUG Members] XDMCP and two Ethernet interfaces
Robert Anderson
members@kalamazoolinux.org
Tue, 22 Jan 2002 10:39:03 -0500
>What does netstat -ap | grep xdm look like?
Heh, hacked my way through it first, didn't check LOL.
>Do you have different host names for each interface or do they look up
>the same?
Doesn't matter, IP based problem, specifically with MIT-MAGIC.
>MIT COOKIE security isn't "secure".
>From the Xsecurity man page:
When using MIT-MAGIC-COOKIE-1, the client sends a
128 bit "cookie" along with the connection setup
information.
I do know what you mean, it's the least preferred method. However, I am
ASSUMING that the MIT-MAGIC is using a netbios-type authentication method.
This would include the origin address somewhere in the packet payload.
According to my problem, this is true. The origin address was 172.16.x.x
and it was being advertised as 205.243.x.x. MIT sees the IP header, looks
in the payload for the connection information, they don't match, baboom,
see ya baby.

That's just a guess based on the man page and the indications of my
problem, but I'd be willing to put a sushi dinner on it :) Also, I know a
neato way to defeat netbios and MIT-MAGIC involving Ethereal and a packet
generator..... ;-)
>>2) How can I get the X host to disable authentication.
>
>From the xdm man page:
> xdm offers display management two different ways. It can
> ...
I'll answer that. In terms of XDMCP, xhost is used on the host machine to
provide a simple list of hosts allowed to access the X server. I COULD
disable the checking of this host list. I could NOT disable XDMCP checks
to MIT, Kerberos etc. I wanted to use xhost and NOT any of the other
methods, and that's what I'm doing. So the answer is, I CANNOT use xhost
to disable authorization, but either to:

1) provide a first level of authentication above the cookie or encryption
methods or
2) provide a very simple authorization scheme in the absence of the other
methods. That's my choice, open the gates and pray no Orcs come running.
>>It seems that 'xhost'
>>is the proper way to do this, but no matter the setting, the machine is
>>still using MIT authentication.
>
>xhost is used by running XDMCP sessions to grant additional privileges
>to other hosts and users.
See above. xhost won't grant any additional privileges that I could
find, it simply checks the .X0-hosts file and if you're there you're in,
if you're not you ain't in.

xauth was the proper program. It manipulates the list of X users in the
.Xauthority file and the method used to authorize them. I simply removed
all the methods for session 0. Like I said, hope them Orcs ain't running
wild :)
Thanks for the help!!!
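
Added example, not part of the original message: a Python parser for the binary .Xauthority file that xauth edits, listing which authorization method is stored for each address and display, so it is visible when a display has no entry and only the host list stands between it and a remote client. The record layout and family codes are those of libXau; the addresses, hostname and keys in SAMPLE are constructed, and methods_for is a simplified exact-match lookup.

```python
import struct

# Address family codes used in .Xauthority records (libXau, Xauth.h).
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def parse_xauthority(blob):
    """Return a list of records from a binary .Xauthority blob."""
    pos, entries = 0, []

    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated .Xauthority record")
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    def field():
        # Every field is a big-endian 16-bit length followed by that many bytes.
        return take(struct.unpack(">H", take(2))[0])

    while pos < len(blob):
        family = struct.unpack(">H", take(2))[0]
        addr, number, name, data = field(), field(), field(), field()
        if family == 0 and len(addr) == 4:      # IPv4 is stored as 4 raw bytes
            addr = ".".join(str(b) for b in addr)
        else:                                   # Local entries store a hostname
            addr = addr.decode("latin-1")
        entries.append({"family": FAMILIES.get(family, str(family)),
                        "address": addr, "display": number.decode(),
                        "method": name.decode(), "key_bytes": len(data)})
    return entries

def methods_for(entries, address, display):
    """Simplified lookup: methods stored for an exact address/display pair."""
    return [e["method"] for e in entries
            if e["address"] == address and e["display"] == display]

def _record(family, addr, number, name, data):
    out = struct.pack(">H", family)
    for f in (addr, number, name, data):
        out += struct.pack(">H", len(f)) + f
    return out

# Constructed sample: a dual-homed host with a cookie for one address only.
SAMPLE = (_record(0, bytes([192, 0, 2, 7]), b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + _record(256, b"xhost1", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16)))

if __name__ == "__main__":
    entries = parse_xauthority(SAMPLE)
    for addr in ("192.0.2.7", "198.51.100.7"):   # second address has no entry
        print(addr, methods_for(entries, addr, "0") or "no entry: host list decides")
```

To audit a real file, pass the bytes of the .Xauthority file (read in binary mode) to parse_xauthority.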