C-RAM Group: 

Shahid Aslam Khan, Sue Ann Ung and Satneev Bhamra 

Application Notes

We have found some things that are very useful while working as a team on the EE 552 project.

Last Modified: October 5, 2001


Xauth: How to protect your Display

(or how to keep your screen private)

Much of this information was blatantly stolen from Ben and Baba's Xsecurity document.

Why xhost is bad:

If you xhost +machine you are allowing any user on machine complete access to your X display.

That means remote users can do lots of nasty things like:


xhost + is even worse.

Better: xauth

Xauth requires the account on the remote machine to know a secret value for your display called an MIT-MAGIC-COOKIE-1. Any remote user who knows this value has complete access to the local display.

Cookbook recipe for using xauth:

On local machine:

dwalin[17]:xauth list
dwalin.acm.uiuc.edu:0  MIT-MAGIC-COOKIE-1  3bbdd486c11d2ddfbb7111ab088e69c6
dwalin.acm.uiuc.edu/unix:0  MIT-MAGIC-COOKIE-1  3bbdd486c11d2ddfbb7111ab088e69c6

The first line is the inet domain and the second line is the unix domain. We only care about the inet domain.

  1. Triple-click on the inet domain line to select it.
  2. Log in to the remote machine.
  3. On remote machine: setenv DISPLAY local.machine:0
  4. On remote machine: xauth add <hit paste button>

There are ways of doing this with rsh but that opens up other holes. See xrsh for more details.

Setting up Xauth

If you're running xdm you will be given a fresh cookie every time you log in. Otherwise you'll need to start X with authority.

You will need to do two things:

  1. manually give yourself a cookie
  2. start X with authority

As a perl script:

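#!/usr/local/bin/perl
# Give yourself a cookie: 128 random bits written as 32 hex digits, the size
# of an MIT-MAGIC-COOKIE-1 key. The bytes come from /dev/urandom, because
# rand() seeded with the time and PID can be guessed.
open(my $rnd, '<', '/dev/urandom') or die "cannot open /dev/urandom: $!";
read($rnd, my $raw, 16) == 16 or die "short read from /dev/urandom";
close($rnd);
my $randomkey = unpack('H32', $raw);

# Store the same key for the unix domain and the inet domain entries.
chomp(my $host = `hostname`);
system('xauth', 'add', "${host}/unix:0", '.', $randomkey) == 0 or die "xauth add failed";
system('xauth', 'add', "${host}:0", '.', $randomkey) == 0 or die "xauth add failed";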

A ksh equivalent would be:

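#!/bin/ksh
 
  # $RANDOM gives only 15 bits per read and prints in decimal, which xauth
  # rejects when the digit count is odd. Read 16 bytes from /dev/urandom
  # and print them as 32 hex digits instead.
  randomkey=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
 
  # Store the same key for the unix domain and the inet domain entries.
  xauth add $(hostname)/unix:0 . $randomkey
  xauth add $(hostname):0 . $randomkey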

Then start X with authority:

xinit $HOME/.xinitrc -- /usr/bin/X11/X -auth $HOME/.Xauthority

See Ben and Baba's Xsecurity document and the xauth manpage for more information.

Conclusion:

xauth is not a lot better than xhost but at least it won't let everyone in the world snarf your passwords.
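
A check for the two settings discussed in these notes, added here as an example and not part of the original notes: it reads the text printed by xhost and lines in the `xauth list` / `xauth add` format, and reports host-wide grants and cookies that are malformed or shorter than the 128-bit key shown above. The function names, hostnames and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit X display access control from `xhost` / `xauth list` text.

# Read `xhost` output on stdin; report host-wide grants. Exit 1 on any finding.
audit_xhost() {
    awk '
        /^access control disabled/ { print "CRITICAL: xhost + in effect, any host can connect"; bad = 1; next }
        /^access control enabled/  { next }
        /^SI:localuser:/           { next }  # single local user, not a whole host
        NF                         { print "WARNING: host-wide grant: " $1; bad = 1 }
        END                        { exit bad }
    '
}

# Read "display protocol hexkey" lines on stdin (the `xauth list` format, which
# is also what gets pasted into `xauth add`); report MIT-MAGIC-COOKIE-1 keys
# that are not an even number of hex digits or are shorter than 128 bits.
audit_cookies() {
    awk '
        NF != 3 || ($2 != "MIT-MAGIC-COOKIE-1" && $2 != ".") { next }
        ($3 !~ /^[0-9a-fA-F]+$/) || (length($3) % 2) {
            print "INVALID: " $1 " key is not an even number of hex digits"; bad = 1; next
        }
        length($3) < 32 {
            print "WEAK: " $1 " key is " (length($3) * 4) " bits, expected 128"; bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample input (not captured from a real display).
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:remote.example.org
SI:localuser:alice'
SAMPLE_XAUTH='host.example.org:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
host.example.org/unix:0  MIT-MAGIC-COOKIE-1  715827882
other.example.org:0  MIT-MAGIC-COOKIE-1  deadbeef'

printf '%s\n' "$SAMPLE_XHOST" | audit_xhost   || echo "xhost: findings above"
printf '%s\n' "$SAMPLE_XAUTH" | audit_cookies || echo "xauth: findings above"
```

On a live session the same functions take `xhost | audit_xhost` and `xauth list | audit_cookies`.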