A proposal for a new X extension

Garrett Kajmowicz gkajmowi at tbaytel.net
Sat Jan 22 13:52:27 PST 2005


Foreword:

I am attempting to address a concern which I see in the implementation of X11 
which makes it less than ideal for many uses.  Please note that I am not an 
expert with X11 in any way.  I have used the system for several years and 
occasionally program Qt applications.  However, the closest thing that I have 
come to "low-level" X11 programming is writing an xlib application which draws 
a grey box with two black lines in it on the screen.  Needless to say, I am 
partially talking from almost no experience here, and much of what I describe 
is based upon assumptions, inferences and plain guesses about the way X11 
works.  Regardless, you should find this either very interesting in its 
brilliance or comical in its ignorance.


Introduction:

One of the key aspects to any computer system is security, especially 
authentication.  As it stands, implementations of X11 and applications 
designed to manage security on top of them are able to effectively ask for 
text input from the user when attempting to verify their identity.  This is 
done easily through the existing input mechanics (keyboard/mouse).  However, 
this does not address all possible or even desirable security concerns for 
systems.

Both users and administrators frequently encounter problems with passwords 
which are either too short to be useful or too long to be memorized.  This 
results in weak security because the password is easy to guess or brute 
force, or it is recoverable by looking for sticky notes.  Yes, there are 
techniques for generating and storing larger passwords but this requires 
large-scale compliance and at least a trivial amount of effort.  As such, 
alternative ways of managing security have emerged.

There exists now on the market a wide variety of methods of authenticating 
users.  These generally boil down to either some form of token or biometric 
device.  One of the better views of security was that authentication should 
be three-fold:  something you know, something you have, and something you 
are.  The something you know is easy - a password will suffice.  Something 
you have can be done through the use of a token.  And something you are is 
likely a biometric scanning device.


The Problem:

X11 currently has no standard mechanism for addressing authentication not 
based on existing input methods.  Attempting to use PAM only works if the 
user is logging into the machine which they are sitting at - it does nothing 
to deal with thin clients where a remote display manager is to be used.  This 
bothers me.  There is no way to directly access the hardware on the remote 
server, which is both beneficial as well as a hindrance.  For X11 to obtain 
market superiority and to increase penetration into the corporate desktop, 
support for these mechanisms must be added.

Currently, there exists an XSecurity extension which is designed to 
authenticate X clients to X servers, but fails to address user authentication 
to a central display manager.


Proposal:

A new X extension which will provide for the use of remote authentication 
mechanisms.  This extension would enable a remote client to query the server 
for authentication information.  This would be accomplished by sending a 
single message specifying the request ID (to support multiple simultaneous 
requests, if not provided by the core X11 protocol) and a 32-bit integer 
providing for the mechanism to be used, along with data which may be used by 
the authentication mechanism (ie a challenge token).  This may be accompanied 
by a visual dialog (generated by the client) specifying that authorization is 
needed, if the authorization mechanism needs user input (ie biometric 
scanner).  The server will collect the data and then send it back, referring 
to the request previously made.  The client can then decide what to do with 
the collected information.  Naturally, error messages for unsupported device 
and the like will also need to be provided.

In order to ensure system security, a number of safety precautions must be 
taken:
- The server configuration should specify which authentication mechanisms will 
be responded to.  That is, the server need not enable all authentication 
mechanisms which are supported.
- The server should optionally (and by default) only accept security requests 
from the root window.  This assumes a trusted window manager.  This will 
prevent a malicious client from attempting to obtain sufficient information 
from the authentication mechanism through repeated queries to determine the 
authentication secret (if applicable).
- A rate-limiting mechanism should also be added and default enabled in the 
server to prevent a malicious client from attempting to obtain sufficient 
information from the authentication mechanism to determine the authentication 
secret (if applicable).


Work involved:

- Develop extension spec. documentation
- Gather public input.  Wash, rinse, repeat
- Implement server-side extension as a reference implementation with null 
targets, etc.
- Implement test client.
- Perform extensive testing
- Profit!!!^H^H^H^H^H^H^H^H^H^H^H


Difficulties:

- The author has insufficient knowledge of the X11 system to be able to 
implement this as it stands.
- Obtaining commercial acceptance of the system to result in hardware 
authentication systems supporting the extension
- Obtaining display manager support for the extension to use the mechanism to 
authenticate users
- Obtaining PAM support (if possible) to support the mechanism on the display 
manager side.


Conclusion:

These facilities must be provided in order to gain further acceptance of the 
X11 system for the desktop in modern computing environments.  The author is 
willing to invest time (currently limited, but increasing over the next few 
months) to learn and implement this extension providing that some basic 
guidance and mentoring is available from People Who Know (tm).

Thoughts?

- Garrett Kajmowicz
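
The three server-side precautions listed in the proposal (only enabled mechanisms are answered, requests are accepted only from the root window by default, and queries are rate-limited) can be combined into one admission check that runs before any authentication device is touched. The following is an added example, not part of the original post and not X.Org code; every type, field and function name is hypothetical, and the policy values (mechanisms 1 and 2, three queries per 60 seconds) are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* All names are hypothetical; this is not an X11 wire format or server API. */
typedef enum { AUTH_OK, AUTH_ERR_MECHANISM, AUTH_ERR_ORIGIN, AUTH_ERR_RATE } AuthVerdict;
typedef struct {               /* the query described in the proposal */
    uint32_t request_id;       /* lets the reply refer back to the request */
    uint32_t mechanism;        /* 32-bit mechanism selector */
    bool     from_root_window; /* assumed to be resolved by the server */
} AuthQuery;
typedef struct {               /* server configuration */
    const uint32_t *enabled;   /* mechanisms the server will respond to */
    size_t   n_enabled;
    bool     root_only;        /* on by default, per the proposal */
    unsigned max_queries;      /* rate limit: accepted queries per window */
    uint64_t window_secs;
} AuthPolicy;
typedef struct { uint64_t window_start; unsigned count; } RateState;

AuthVerdict auth_check(const AuthPolicy *p, RateState *rs, const AuthQuery *q, uint64_t now)
{
    bool enabled = false;
    for (size_t i = 0; i < p->n_enabled; i++)
        if (p->enabled[i] == q->mechanism) enabled = true;
    if (!enabled) return AUTH_ERR_MECHANISM;   /* supported is not the same as enabled */
    if (p->root_only && !q->from_root_window) return AUTH_ERR_ORIGIN;
    if (now - rs->window_start >= p->window_secs) { rs->window_start = now; rs->count = 0; }
    if (rs->count >= p->max_queries) return AUTH_ERR_RATE;
    rs->count++;                               /* counted only if it reaches the device */
    return AUTH_OK;
}

/* Constructed scenario: mechanisms 1 and 2 enabled, 3 queries per 60 s.
 * Sends n queries, step seconds apart, and returns the last verdict. */
AuthVerdict demo_last_verdict(uint32_t mech, bool from_root, unsigned n, uint64_t step)
{
    static const uint32_t enabled[] = { 1, 2 };
    AuthPolicy p = { enabled, 2, true, 3, 60 };
    RateState rs = { 0, 0 };
    AuthVerdict v = AUTH_OK;
    for (unsigned i = 0; i < n; i++) {
        AuthQuery q = { i + 1, mech, from_root };
        v = auth_check(&p, &rs, &q, (uint64_t)i * step);
    }
    return v;
}

int main(void) { return demo_last_verdict(1, true, 4, 10) == AUTH_ERR_RATE ? 0 : 1; }
```

Each rejection maps to a distinct error so a client can tell an unsupported or disabled mechanism from a throttled one, matching the proposal's note that error messages will be needed.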


