On Tue, Mar 17, 1998 at 05:44:19PM +0300, Amos Shapira wrote:
> Marcus Brinkmann wrote:
> > although I don't understand what it is doing, it is working quite well now.
>
> X11 magic cookies are usually generated when a user logs in. XDM
> copies them to the ~user/.Xauthority file, which is supposed to
> be readable only by the user. The server also knows the cookie's
> value.
>
> The idea is that each X11 client which connects to the X server
> proves that it can read your .Xauthority file by sending the cookie (or
> some variation on it, so people can't sniff it from the net).
> Since the cookie is (hopefully) very random there is very little
> chance that an impostor will be able to guess it.
Ah, I see. If I want to start a client from elsewhere, I first have to copy
the cookie to it, every time the X server is newly started (if I try to
display a remote client on my home station, for example). This I can do with
xauth -extract and -merge (or -add or whatever it is), right?

> More than one cookie can be stored in each file, and they are
> associated with a particular display. The X server distinguishes
> between the UNIX-domain socket (the one used in ":0.0") and the
> TCP port 6000 socket (the one used when giving a hostname),
> that's why you have to copy the cookie twice - once for each display
> you might use.

Mmmh. I know what a TCP port is, but not what a UNIX-domain socket is.

> > Now to the quote above: Xvnc is using a single password for authorization.
> > The startup script uses the above lines I do not understand. Later a viewer
> > client can connect to the server via TCP, only giving the password stored in
> > a file readable by the server. I don't think that this is a very elegant
> > solution, but I'm afraid that there is not much we can do about it...
>
> I haven't peeped into vnc yet so I don't know exactly the context in
> which this script runs. The basic thing is that it uses xauth (the
> authority file management program) to add new cookies to the
> .Xauthority file (or whatever file the XAUTHORITY environment variable
> points to). BTW, you had better use something more random for the
> seed, like (from the perlfunc manual):
>
>     srand (time ^ $$ ^ unpack "%L*", `ps axww | gzip`);
>
> read the srand section in perlfunc for more detail. Using the
> SUM of the pid and time is not random enough since a proximate
> guess is pretty easily obtainable (anyone knows what the time is,
> and pids can be approximated from current pid lists). You might
> also want to look at the Debian archives for even better random
> number generators, or use Linux's /dev/urandom.

Ok, but it wasn't my code (it was the upstream code.)
I may include this change in the next version, though. Thank you very much!
Probably it helps a bit to make vnc more secure (although it is very insecure
from a security point of view.)

Thank you again,
Marcus

-- 
"Rhubarb is no Egyptian god."
Debian GNU/Linux        finger brinkmd@
Marcus Brinkmann        http://www.debian.org    master.debian.org
[EMAIL PROTECTED]       for public PGP Key
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/
PGP Key ID 36E7CD09
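The three points raised in the exchange above (draw the cookie from /dev/urandom rather than a time/pid seed, register it under both the UNIX-domain and the TCP display name, and copy it to the host where a remote client will run) fit in a few shell functions. The following is an added example, not code from the thread or from the VNC startup script under discussion. It assumes xauth is installed, that the remote account is reachable over ssh (a 1998 setup would have used rsh), and that the cookie file in use is whatever XAUTHORITY or ~/.Xauthority points to; `user@remote` is a placeholder. Note that xauth's subcommands are spelled without a leading dash (`extract`, `merge`, `add`), and that with MIT-MAGIC-COOKIE-1 the cookie itself is what crosses the TCP connection, so it is only as secret as the network path.

```shell
#!/bin/sh
# Added example (not from the thread): generate an MIT-MAGIC-COOKIE-1 value
# from /dev/urandom instead of a time/pid seed, install it for both display
# names the server distinguishes, and push it to a remote host for a client.
# Assumptions: xauth is installed; the remote host is reachable over ssh
# (the 1998 thread would have used rsh); "$XAUTHORITY" or ~/.Xauthority is
# the cookie file in use; user@remote is a hypothetical account.

# 128-bit cookie as 32 lowercase hex characters, the form xauth add expects.
# /dev/urandom is unguessable by an attacker who knows the clock and can
# read the pid list; time + pid is not.
gen_cookie() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# True if the string is exactly 32 hex digits, false otherwise.
is_valid_cookie() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Install the same cookie under both names the X server keys on:
#   ":N"           the UNIX-domain socket (/tmp/.X11-unix/XN)
#   "hostname:N"   the TCP socket on port 6000+N
# Both entries are needed because a client picks one of the two transports
# depending on how DISPLAY is spelled, and the server looks the cookie up
# under that name.
install_cookie() {
    display_no=$1           # e.g. 0
    cookie=$2               # output of gen_cookie
    host=$(hostname)
    xauth add ":${display_no}" MIT-MAGIC-COOKIE-1 "$cookie"
    xauth add "${host}:${display_no}" MIT-MAGIC-COOKIE-1 "$cookie"
}

# Copy the entry for one display to a remote account so a client started
# there can connect back. nextract/nmerge use xauth's textual numeric format,
# which survives a pipe through ssh; the cookie file on the far side stays
# mode 0600 because xauth creates it that way.
push_cookie() {
    remote=$1               # e.g. user@remote (hypothetical)
    display=$2              # e.g. myhost:0
    xauth nextract - "$display" | ssh "$remote" xauth nmerge -
}

# Usage (not executed here):
#   c=$(gen_cookie) && is_valid_cookie "$c" && install_cookie 0 "$c"
#   push_cookie user@remote "$(hostname):0"
```

`install_cookie` has to run on the machine that owns the X server, before or as the server starts with `-auth` pointing at the same file; `push_cookie` is run afterwards from that machine, once per remote host that needs to display back. Because `nextract` takes the display name, it carries only the one entry, not every cookie in the file.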