[KLUG Members] XDMCP and two Ethernet interfaces

Robert Anderson members@kalamazoolinux.org
Tue, 22 Jan 2002 10:39:03 -0500


>What does netstat -ap | grep xdm look like?

Heh, hacked my way through it first, didn't check LOL.

>Do you have different host names for each interface or do they look up
>the same?

Doesn't matter, IP based problem, specifically with MIT-MAGIC.

>MIT COOKIE security isn't "secure".

>From the Xsecurity man page:

    When using MIT-MAGIC-COOKIE-1, the client sends a 128 bit "cookie"
    along with the connection setup information.

I do know what you mean, it's the least preferred method.  However, I am
ASSUMING that the MIT-MAGIC is using a netbios-type authentication method.
This would include the origin address somewhere in the packet payload.
According to my problem, this is true.  The origin address was 172.16.x.x
and it was being advertised as 205.243.x.x.  MIT sees the IP header, looks
in the payload for the connection information, they don't match, baboom,
see ya baby.

That's just a guess based on the man page and the indications of my
problem, but I'd be willing to put a sushi dinner on it :)  Also, I know a
neato way to defeat netbios and MIT-MAGIC involving Ethereal and a packet
generator..... ;-)

>>2) How can I get the X host to disable authentication.
>
>From the xdm man page:
>       xdm  offers display management two different ways.  It can
>     ...

I'll answer that.  In terms of XDMCP, xhost is used on the host machine to
provide a simple list of hosts allowed to access the X server.  I COULD
disable the checking of this host list.  I could NOT disable XDMCP checks
to MIT, Kerberos etc.  I wanted to use xhost and NOT any of the other
methods, and that's what I'm doing.  So the answer is, I CANNOT use xhost
to disable authorization, but either to:

1) provide a first level of authentication above the cookie or encryption
   methods or
2) provide a very simple authorization scheme in the absence of the other
   methods.  That's my choice, open the gates and pray no Orcs come running.

>>It seems that 'xhost'
>>is the proper way to do this, but no matter the setting, the machine is
>>still using MIT authentication.
>
>xhost is used by running XDMCP sessions to grant additional privileges
>to other hosts and users.

See above.  xhost won't grant any additional privileges that I could
find, it simply checks the .X0-hosts file and if you're there you're in,
if you're not you ain't in.

xauth was the proper program.  It manipulates the list of X users in the
.Xauthority file and the method used to authorize them.  I simply removed
all the methods for session 0.  Like I said, hope them Orcs ain't running
wild :)

Thanks for the help!!!
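
An added example, not part of the original message: a parser for the .Xauthority record format that xauth edits, showing that each entry is filed under an address family, an address and a display number, so a cookie filed under one interface's address is not found when looked up under the other. The addresses, the all-zero placeholder cookie and the helper names are assumptions of this example, and the matching rule is a simplified form of the lookup the X libraries perform.

```python
import socket
import struct

FAMILY_INTERNET = 0    # entry address is 4 raw IPv4 bytes
FAMILY_WILD = 0xFFFF   # entry matches any address

def _u16(buf, off):  # big-endian 16-bit value at offset off
    if off + 2 > len(buf):
        raise ValueError("truncated .Xauthority record")
    return struct.unpack_from(">H", buf, off)[0]

def _field(buf, off):
    """Read one field: 2-byte length, then that many bytes."""
    end = off + 2 + _u16(buf, off)
    if end > len(buf):
        raise ValueError("truncated .Xauthority record")
    return buf[off + 2:end], end

def parse_xauthority(buf):
    """Return (family, address, display_number, method, data) per record."""
    entries, off = [], 0
    while off < len(buf):
        family = _u16(buf, off)
        off += 2
        addr, off = _field(buf, off)
        number, off = _field(buf, off)
        name, off = _field(buf, off)
        data, off = _field(buf, off)
        entries.append((family, addr, number.decode(), name.decode(), data))
    return entries

def methods_for(entries, ipv4, display):
    """Methods filed for display number `display` at IPv4 address `ipv4`."""
    want = socket.inet_aton(ipv4)
    return [name for family, addr, number, name, _ in entries
            if (family == FAMILY_WILD
                or (family == FAMILY_INTERNET and addr == want))
            and number in ("", display)]

def make_record(family, addr, number, name, data):
    """Serialize one record; used here only to build the sample."""
    out = struct.pack(">H", family)
    for f in (addr, number.encode(), name.encode(), data):
        out += struct.pack(">H", len(f)) + f
    return out

# Constructed sample: one 16-byte placeholder cookie, display 0, filed
# under 192.0.2.10 only (a documentation address, not from the message).
SAMPLE = make_record(FAMILY_INTERNET, socket.inet_aton("192.0.2.10"),
                     "0", "MIT-MAGIC-COOKIE-1", bytes(16))
```

With the sample, methods_for(parse_xauthority(SAMPLE), "192.0.2.10", "0") returns the cookie method, while the same call for "198.51.100.10" returns an empty list. An empty result for a display means no authorization method is filed for it under that address.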
