hostname change breaks X - how to connect 127.0.0.1 ?

Keith Packard keithp at keithp.com
Tue Aug 31 14:39:09 PDT 2004


Around 20 o'clock on Aug 31, Alan Cox wrote:

> Especially since DNS is not trustable so hostnames are not trustable so X
> host based auth is worth rather less than you might think (ie near zilch).

We're not discussing the (obviously insecure) host based auth scheme here, 
but rather the local hostname-based keying of the shared secret key auth 
schemes (MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1).  The database of 
available secrets is keyed off of the local hostname so that multiple 
hosts can share the same key file.  The database is *also* keyed off of 
the display number, so multiple displays on the same machine are supported.

If the database contains an entry with an empty hostname, it will match 
any hostname, so a .Xauthority file which is used only on a single host 
could use this method quite reliably.

Not that MIT-MAGIC-COOKIE-1 is secure when used across a bare X network 
connection, but it is fine when tunneled over ssh.

-keith
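
The keying described in this message, as an added example that is not part of the original post and is not libXau code: it parses the .Xauthority record layout and looks a cookie up by (hostname, display number). The function names, hostnames and cookie bytes are constructed for illustration, and the empty-hostname wildcard follows the message's description rather than the library source.

```python
import struct

FAMILY_LOCAL = 256  # FamilyLocal from X11/Xauth.h: address field holds a hostname
COOKIE = b"MIT-MAGIC-COOKIE-1"

def pack_entry(family, address, display, name, data):
    """One record: 16-bit big-endian family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, display, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Parse the whole file, raising ValueError on a truncated record."""
    entries, pos = [], 0
    while pos < len(blob):
        values = []
        for i in range(5):  # family, address, display number, auth name, auth data
            if pos + 2 > len(blob):
                raise ValueError("truncated record")
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if i == 0:
                values.append(n)  # the family is the 16-bit value itself
                continue
            if pos + n > len(blob):
                raise ValueError("truncated field")
            values.append(blob[pos:pos + n])
            pos += n
        entries.append(dict(zip(("family", "address", "display", "name", "data"), values)))
    return entries

def find_cookie(entries, hostname, display):
    """Lookup keyed on (hostname, display); an empty hostname matches any host,
    as the message describes (assumption: this models the text, not libXau)."""
    for e in entries:
        if e["address"] in (b"", hostname) and e["display"] == display:
            return e["data"]
    return None

# Constructed sample data: two displays keyed to the old hostname, one wildcard entry.
KEYED = parse_xauthority(
    pack_entry(FAMILY_LOCAL, b"oldname", b"0", COOKIE, b"\x11" * 16)
    + pack_entry(FAMILY_LOCAL, b"oldname", b"1", COOKIE, b"\x22" * 16))
WILD = parse_xauthority(pack_entry(FAMILY_LOCAL, b"", b"0", COOKIE, b"\x33" * 16))

if __name__ == "__main__":
    print(find_cookie(KEYED, b"oldname", b"1").hex())  # per-display key
    print(find_cookie(KEYED, b"newname", b"0"))        # None after a rename
    print(find_cookie(WILD, b"newname", b"0").hex())   # wildcard still matches
```

With the hostname-keyed file, a lookup under the new hostname finds nothing, which is the failure in the thread subject; the empty-hostname entry keeps matching after the rename.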

