X server insecure (must use xauth-style authorization)for those users who are launching X themselves and need either a display manager or some good means of generating session keys.
Does anyone who uses the console use non-X11 graphic applications? (Using the console as a dumb terminal doesn't count.)Yes.
- You have to arrange for multiple window systems on the console. It's difficult to get this to interoperate with a display manager. If you're not braver than I am, go to [X server insecure: can't manage the local console] to see how to get authorization enabled.
- You have an unmanaged local console, but you could get it managed. Go to [X server insecure: setting up xdm].
You use startx, x11start or xinit and don't want to use xdmPT writes: To secure your X server you need to do two things. First you need a pair of unique and reasonably unguessable cookies in your Xauthorisation file. The cookies themselves are just 32 hex digit numbers. You can generate a reasonable one using 'date +%s%s%s%s | cut -c-32' or you can get the mitcookie program from http://www.zsplat.freeserve.co.uk/progs/mitcookie.c
You need to issuecookie=`mitcookie` or cookie=`date +%s%s%s%s|cut -c-32` xauth add unix:0.0 MIT-MAGIC-COOKIE-1 $cookie xauth add `hostname -f`:0.0 MIT-MAGIC-COOKIE-1 $cookieassuming hostname -f gives you your fully qualified domain name. These commands set up your X authorisation file. Now you need to start your X server and have it use these values. This is done by causing X to be run with -auth ${HOME}/.Xauthority.There are a number of ways to do this depending on how you begin your X session. One would be
xinit /usr/X11R6/bin/twm -- /usr/X11R6/bin/X :0.0 -auth ~/.Xauthoritybut a more normal method is to execute the startx script. You should add the -auth parameters to the $serverargs variable and place the xauth commands just before the invocation of xinit to get everything working.Once the above has been done then xhost should tell you that no-one is permitted to connect and that X authorisation is in use. Of course you now have to pass this cookie to your X client's machine. One way is to use ssh as it'll handle this transparently. So
ssh -f unixbox 'xterm -dispay workstation:0.0'should run xterm for you.Another way using rsh would be:
xauth extract - $HOSTNAME:0.0 | rsh unixbox '/usr/X11R6/bin/xauth merge -'although this is pretty insecure.Another way would be to use a terminal session and paste the cookie value obtained by the xauth list command into the remote session.
