SUMMARY: X cookies?

From: Jonathan Williams (jonathw@shubertorg.com)
Date: Fri Sep 13 2002 - 10:31:55 EDT

• Next message: Rezk Mekhael: "Calendar in UNIX for all"
• Previous message: Ken Kleiner: "NIS 'make' sometimes fails...with 'garbage'..."
• In reply to: Jonathan Williams: "UPDATE: X cookies?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Ok...after reading many many more emails, I have come to a potential conclusion.
I think Dr Tim Cutts (hopefully you're not a surgical doctor--hehe) pretty much
summed up what we will be doing:

/snip
One issue is that users will hate using xauth and rsh to pass cookies
around, and it might cause further security complications by allowing
host access using rsh anyway.

Secondly, cookies only authorize the X connection when it is set up.
The X traffic is still unencrypted, and vulnerable to packet sniffing.

You can solve both of these issues with ssh, which (a) automatically
manages cookie transfer and xauth for you, and (b) encrypts the X
traffic across the network. On our systems here, we have rsh and rcp as
symlinks to ssh and scp respectively, so if people try to use the
insecure one they get the secure one anyway!
/snip off

So I'm going to be looking into getting Ssh onto these systems, and going down
that path. Ssh was next on my list from the auditors anyway. (can anyone else
sense the inevitable "Ssh help" email I'll be sending shortly, or is it just
me?). Anyway, as usual, thank you to everyone who replied.

Jonathan Williams
Unix Systems Administrator
The Shubert Organization, Inc.
----- Original Message -----
From: "Jonathan Williams" <jonathw@shubertorg.com>
To: <tru64-unix-managers@ornl.gov>
Sent: Thursday, September 12, 2002 3:56 PM
Subject: UPDATE: X cookies?

> OMG...stop the flood of emails!!! hehe. What a ton of super-fast replies.
> Everyone is suggesting reading the xauth man page. So I'm going to go and do
> that. =)
>
>
> Jonathan Williams
> Unix Systems Administrator
> The Shubert Organization, Inc.
> ----- Original Message -----
> From: "Jonathan Williams" <jonathw@shubertorg.com>
> To: <tru64-unix-managers@ornl.gov>
> Sent: Thursday, September 12, 2002 3:39 PM
> Subject: X cookies?
>
>
> > We recently put ourselves through a system security audit. Their report
came
> > back with a few (dozen) suggestions on how we could do things a bit more
> > securely. One of these things in particular I need help with.
> >
> > We make heavy use of X windows. They say "If there is a strong business
need
> > for X windows, ensure that X cookies (shared secret keys to do secure X) are
> > used." Now, this means absolutely nothing to me. I've searched everywhere
I
> > can think of (including the security doc) for X cookies and things like that
> and
> > have found nothing. If anyone could shed some light on this, it would be
> > wonderful (docs, websites, anything).
> >
> > Jonathan Williams
> > Unix Systems Administrator
> > The Shubert Organization, Inc.
> >
> >
>
>

• Next message: Rezk Mekhael: "Calendar in UNIX for all"
• Previous message: Ken Kleiner: "NIS 'make' sometimes fails...with 'garbage'..."
• In reply to: Jonathan Williams: "UPDATE: X cookies?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:53 EDT