dtlogin and secure access control

From: Small, Jim (jim.small@eds.com)
Date: 07/10/02 

From: "Small, Jim" <jim.small@eds.com>
To: focus-sun@securityfocus.com
Date: Wed, 10 Jul 2002 14:35:40 -0400

Using the CDE environment (i.e. dtlogin), is it possible to use a secure
access control method (e.g. XDM-AUTHORIZATION-1, SUN-DES-1, or
MIT-KERBEROS-5)?

While you can have the X server (X/Xsun) use a secure access control method,
it does not appear that dtlogin or the CDE programs in general support the
secure methods:
strings `which X` | egrep
'(MIT-MAGIC-COOKIE-1|XDM-AUTHORIZATION-1|SUN-DES-1|MIT-KERBEROS-5)'
MIT-MAGIC-COOKIE-1
SUN-DES-1

strings `which Xsun` | egrep
'(MIT-MAGIC-COOKIE-1|XDM-AUTHORIZATION-1|SUN-DES-1|MIT-KERBEROS-5)'
MIT-MAGIC-COOKIE-1
SUN-DES-1

strings `which dtlogin` | egrep
'(MIT-MAGIC-COOKIE-1|XDM-AUTHORIZATION-1|SUN-DES-1|MIT-KERBEROS-5)'
MIT-MAGIC-COOKIE-1

strings `which xdm` | egrep
'(MIT-MAGIC-COOKIE-1|XDM-AUTHORIZATION-1|SUN-DES-1|MIT-KERBEROS-5)'
SUN-DES-1
MIT-KERBEROS-5
MIT-MAGIC-COOKIE-1

  All the documentation I can find suggests using xdm to implement secure
access control. However, then you would have to give up CDE wouldn't you?

I am aware of and use ssh. However, while ssh provides secure forwarding,
it does not secure the X server (the socket or port 6000). The problem I
have with the MIT-MAGIC-COOKIE access control method is that the Magic
Cookie is stored in plain text in a file. I want an access control method
that uses encryption. Without encryption, it's all too easy to obtain the
Magic Cookie and defeat the minimal security the X server provides by
default.

Any ideas or suggestions are welcome.

Thanks,
   <> Jim

Jim Small
EDS - Infrastructure Integrity
MS 5D
750 Tower Dr.
Troy, MI 48098-2868
* phone: +01-248-265-4863 [8-365]
* mailto:jim.small@eds.com

Relevant Pages

  • Re: write with cURL
    ... It takes time to set up an account for you, process the billing, etc. ... Sorry, my servers are secure. ... Nothing you have told me shows me you know how to lock down a server so that it is secure - other than to use the server's file security. ...
    (alt.php)
  • Re: NT4 -> Win2K3 question
    ... disable SMB signing for the Workstation or Server service on a domain ... Get Secure! ... The File Replication Service Event log test ... controller to the following destination domain ...
    (microsoft.public.windows.server.migration)
  • [OT] Re: RSA implementation, please comment.
    ... on a separate server is actually a very good idea, ... This web front uses a well defined and secure ... Don't store the private key on the server. ... Every client gets a smartcard for the decryption (or a HSM, ...
    (comp.lang.perl.misc)
  • Re: Word 2007 Missing User Level Securitty - ARRRGGGGHHHH What were they thinking?
    ... File servers aren't secure? ... Access predates Windows security, ... database system has never been updated or kept current. ... the OS-based database server product, ...
    (microsoft.public.access.security)
  • Re: local admin account password
    ... >> except its based on something specific about the server. ... >> more recovery console and don't think cached logins will work. ... >> The DB file would be encrypted with EFS so only the limited user SQL ... >> and the app itself doesn't really need to be secure as the ...
    (Focus-Microsoft)