Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!elroy.jpl.nasa.gov!lll-winken!ames!sheba.arc.nasa.gov!schoch
From: schoch@trident.arc.nasa.gov (Steve Schoch)
Newsgroups: comp.windows.x
Subject: Re: Problems with XDM and authorisation
Keywords: XDM,MIT-MAGIC-COOKIE
Message-ID: <1991May1.205726.17323@news.arc.nasa.gov>
Date: 1 May 91 20:57:26 GMT
References: <1991Apr25.130901.6290@dde.dk>
Sender: usenet@news.arc.nasa.gov (USENET Administration)
Organization: NASA - Ames Research Center
Lines: 49

In article <1991Apr25.130901.6290@dde.dk>, thj@dde.dk (Thomas Herlin Jensen) writes:
|> Display manager xdm                            Display NCD
|>                                  <-----------     Query
|>       Willing           ----------->           
|>                                  <-----------     Request
|>       Accept            ----------->        
|>     - mitAuth generate
|>       for proto display
|>                                  <-----------     Manage
|>     - save auth data in 
|>       generated Auth file
|> 1)  -**** 
|>       XOpenDisplay      ----------->          timeout   
|>                                               ???????
|> 
|> 2)  -Set AUTHORITY 
|> 3)  -Load resources with
|>      xrdb
|> 
|> At this point I have looked at the MIT server sample implementation. 
|> When an XOpenDisplay request arrives the first thing checked  is the 
|> authentification, by looking into the auth file. For the sampleserver this is 
|> quite straight forward, as it is assumed to be local and started from the
|> XDM at point 1), e.g. Xsun -auth /usr/lib/X11/xdm/AuthXXXX .
|> But  how does this comply to a remote X-Server ???????????

For a remote server using XDMCP, the authorization cookie is sent to the
server as part of the Accept message.  Xdm then gives that same cookie
in the XOpenDisplay call.

There are actually two "auth" things sent around that are easy to get
confused: authorization and authentication.  I'm not sure to which you
referring in your question above.

Authorization is the key that is passed to a local server with the "-auth"
argument and is sent by each client in the XOpenDisplay call.  If the
authorization scheme is MIT-MAGIC-COOKIE-1 (the only one I've ever used)
the server simply does a binary comparison of the key sent with the key
give to it with the "-auth" argument (local server) or the "Accept"
packet (XDMCP server).

Authentication is the key sent by the server in the "Request" packet
along with the manufacture display ID.  The only authentication in xdm
currently is XDM-AUTHENTICATION-1 which uses DES to decrypt something
sent by the server and then compares it with the value in some file.
If they match then xdm sends an "Accept" packet.  If they don't it sends
a "Decline" packet.  I don't think this is used very much.

	Steve