Path: utzoo!attcan!uunet!samsung!usc!wuarchive!mit-eddie!bloom-beacon!THINK.COM!barmar
From: barmar@THINK.COM (Barry Margolin)
Newsgroups: comp.windows.x
Subject: Re: locking out users from a server....
Message-ID: <9010300543.AA20348@godot.think.com>
Date: 30 Oct 90 05:43:10 GMT
References: <8974@ncar.ucar.edu>
Sender: daemon@athena.mit.edu (Mr Background)
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 37

In article <8974@ncar.ucar.edu> you write:
>Hopefully a simple question.....

No such thing when X is involved. :-)

>I'm trying to figger-out how I can lock my server against unauthorized
>use on a *user* basis. Locking out a host is easy, but can I
>allow access from a specific logon on a host?

You can't do this in general, because user names aren't passed in the X
connection request. And even if user names were passed, you'd need an
additional mechanism (such as prompting for a password, or using an
authentication system such as Kerberos) to verify the user's identity.

>X(1) and xauth(1) seem to imply that you can, however I see no provision
>(in xauth) to allow say joe@foo.bar to connect to smith's server on
>foobar.bar.

That's not what I infer from the xauth documentation. The access control
that xdm and xauth implement is based on the server being given a random
number (the "magic cookie") by xdm and only accepting connections from
clients that know the magic cookie. Xdm also writes the magic cookie into
a file (the value of the env variable XAUTHORITY, usually ~/.Xauthority),
and clients run by the user can get the magic cookie from this file. So
long as the file is only readable by the user, only he can access the
display.

>What am I missing? Can someone explain how? (if it is possible...)

Here's how Smith can use this facility to allow joe@foo.bar to connect to
his display. After logging in with xdm he can use xauth to copy the magic
cookie for his display into a file that joe@foo.bar can read.
--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
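The following is an added worked example, not part of the post above and not xauth's own code. It shows what the magic-cookie scheme described in the reply actually stores on disk and carries out the three steps Smith would otherwise do with xauth: extract the record for his display, leave it in a file joe can read, and merge it into joe's own authority file. The record layout is the standard .Xauthority format (a big-endian 16-bit address family followed by four length-prefixed fields: address, display number, authorization name, authorization data). The host name foobar.bar, the IP address, the temporary file names and the 0640 mode on the handoff file are assumptions made up for the demo; Python is used so the example runs without an X server or the xauth binary installed.

```python
import os
import struct
import tempfile

# Address families as defined in <X11/Xauth.h>.
FAMILY_INTERNET = 0      # address field holds the 4-byte IPv4 address
FAMILY_LOCAL = 256       # address field holds the host name (local display)
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16          # MIT-MAGIC-COOKIE-1 is a 128-bit random value


def _field(data):
    """Length-prefixed field: u16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def pack_entry(family, address, number, name, data):
    """Serialise one .Xauthority record."""
    return (struct.pack(">H", family) + _field(address) + _field(number)
            + _field(name) + _field(data))


def parse_entries(blob):
    """Parse a whole .Xauthority file into (family, address, number, name, data)."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields.append(blob[pos:pos + n])
            pos += n
        entries.append((family, *fields))
    return entries


def new_cookie():
    """xdm fills the cookie from a random source; the OS CSPRNG is used here."""
    return os.urandom(COOKIE_LEN)


def write_authority(path, entries, mode=0o600):
    """Write records; 0600 by default, which is what keeps a cookie private."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"".join(pack_entry(*e) for e in entries))
    os.chmod(path, mode)   # override whatever the umask did at open()


def read_authority(path):
    if not os.path.exists(path):
        return []
    with open(path, "rb") as fh:
        return parse_entries(fh.read())


def extract(path, family, address, number):
    """Like `xauth extract`: only the records belonging to one display."""
    return [e for e in read_authority(path)
            if e[0] == family and e[1] == address and e[2] == number]


def merge(path, new_entries):
    """Like `xauth merge`: add records, replacing any for the same display and
    authorization name. Returns the number of records merged in."""
    key = lambda e: (e[0], e[1], e[2], e[3])
    incoming = {key(e): e for e in new_entries}
    kept = [e for e in read_authority(path) if key(e) not in incoming]
    write_authority(path, kept + list(incoming.values()))
    return len(incoming)


def is_private(path):
    """True when no group/other permission bits are set on the file."""
    return (os.stat(path).st_mode & 0o077) == 0


def cookie_for(path, family, address, number):
    found = extract(path, family, address, number)
    return found[0][4] if found else None


def demo():
    """Smith hands the cookie for display foobar.bar:0 to joe (all names made up)."""
    work = tempfile.mkdtemp()
    smith_auth = os.path.join(work, "smith.Xauthority")   # Smith's XAUTHORITY
    handoff = os.path.join(work, "cookie-for-joe")         # file joe can read
    joe_auth = os.path.join(work, "joe.Xauthority")        # joe's XAUTHORITY

    display = (FAMILY_LOCAL, b"foobar.bar", b"0")          # assumed host name
    other = (FAMILY_INTERNET, bytes([10, 1, 2, 3]), b"1")  # assumed second display

    # 1. xdm starts Smith's session and records a fresh cookie per display.
    cookie = new_cookie()
    write_authority(smith_auth, [(*display, COOKIE_NAME, cookie),
                                 (*other, COOKIE_NAME, new_cookie())])

    # 2. Smith extracts only the :0 record into a file joe can read
    #    (group-readable here; anyone who can read it can use the display).
    write_authority(handoff, extract(smith_auth, *display), mode=0o640)

    # 3. joe merges the handoff into his own authority file.
    merged = merge(joe_auth, read_authority(handoff))

    return {
        "smith_private": is_private(smith_auth),
        "handoff_private": is_private(handoff),
        "merged": merged,
        "joe_has_cookie": cookie_for(joe_auth, *display) == cookie,
        "joe_has_other": cookie_for(joe_auth, *other) is not None,
        "joe_entries": len(read_authority(joe_auth)),
    }


if __name__ == "__main__":
    print(demo())
```

The handoff file is deliberately group-readable, which is the whole point of the exercise and also its limit: whoever can read that file holds the cookie and therefore the display, exactly as the reply says of ~/.Xauthority itself. Only the :0 record travels; the cookie for Smith's other display stays in his 0600 file.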