“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 686 — #712
Network Security
Network security is concerned with protecting a system against attacks that
originate outside it. The typical login procedure, which asks for a user name
and a password to authenticate the user, is still a local security issue. When
logging in over a network, however, distinguish between the two aspects:
everything that happens up to the actual authentication (establishing and
protecting the connection) is network security, and everything that happens
afterwards is local security.
X Window System and X Authentication
As mentioned at the beginning, network transparency is one of the central
characteristics of a UNIX system. X, the windowing system of UNIX operating
systems, makes impressive use of this feature. With X, it is no problem to
log in at a remote host, start a graphical program there, and have its output
sent over the network to be displayed on your computer. Note the X
terminology: the X server is the program that drives the display in front
of you, and the X client is the application, which may run on another host.
When an X client running on a remote host is to be displayed by an X server,
the X server must protect the resource it manages (the display) from
unauthorized access. A client that can connect to the server can not only
open windows but also read keystrokes and the contents of other windows, so
the client program must be granted permission explicitly. The X Window
System offers two ways to do this: host-based access control and
cookie-based access control.
Host-based access control relies on the IP address of the host where the
client runs. The program to control it is xhost. xhost enters the address
of a host that is allowed to connect into a small list kept by the X server
(xhost +otherhost adds a host, xhost -otherhost removes it again). Relying
on IP addresses for authentication is not very secure, however: if a second
user is working on the host from which the client program is sent, that user
has full access to the X server as well, just like anyone who spoofs the IP
address. Worse still, xhost + with no host name disables access control
entirely, so that any host able to reach the X server's port can connect.
Because of these shortcomings, this method is not described in more detail
here; you can learn about it with man xhost.
With cookie-based access control, a character string is generated that is
known only to the X server and to the legitimate user, rather like an ID
card. This cookie (the word goes back not to ordinary cookies, but to Chinese
fortune cookies, which contain an epigram) is stored at login in the file
.Xauthority in the user's home directory (or in the file named by the
environment variable XAUTHORITY, if that is set) and is available to every
X client that wants to use the X server to display a window. The most common
cookie type, MIT-MAGIC-COOKIE-1, is a random 128-bit value that the client
sends to the server in clear text when it connects; anyone who can read the
file, or sniff the connection on an unencrypted network, can therefore use
the display as well. The file must consequently be readable only by its
owner (mode 0600, which is how xauth creates it). The contents of
.Xauthority can be examined and modified by the user with the tool xauth
(xauth list shows the entries). If you rename .Xauthority or delete it from
your home directory by accident, you will no longer be able to open any new
windows or X clients. Read more about the X Window System security
mechanisms in the man page of Xsecurity (man Xsecurity).
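To make the cookie mechanism concrete, the following added example (not taken
from the manual, from xauth, or from the X distribution) reads and writes the
binary format of .Xauthority, prints entries the way xauth list does, checks
the file's permissions, and applies the matching rules an X client uses to
choose the cookie for a display. The family codes and the field layout are
those of the Xau library; the sample database, the host name mybox and the
addresses in it are constructed for the example and not captured from a real
system.

```python
"""Reader/writer for the X .Xauthority cookie database.

Added example, not part of the manual: it shows what xauth stores so that
cookie-based access control can be inspected without a running X server.
The sample database bytes below are constructed here, not captured from a
real system.
"""
import os
import struct

# Address-family codes from <X11/Xauth.h> / <X11/X.h>
FAMILY_INTERNET = 0       # IPv4, address is 4 raw bytes
FAMILY_INTERNET6 = 6      # IPv6, address is 16 raw bytes
FAMILY_LOCAL = 256        # local (UNIX-domain) connection, address is the host name
FAMILY_WILD = 65535       # entry matches any address

def _read_field(buf, pos):
    """One length-prefixed field: 2-byte big-endian length followed by the bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % pos)
    (length,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated field at offset %d" % pos)
    return buf[pos:pos + length], pos + length

def parse_xauthority(buf):
    """Split a .Xauthority image into entries (family, address, number, name, data)."""
    entries, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % pos)
        (family,) = struct.unpack(">H", buf[pos:pos + 2])
        pos += 2
        address, pos = _read_field(buf, pos)   # host name or raw IP address
        number, pos = _read_field(buf, pos)    # display number, as ASCII digits
        name, pos = _read_field(buf, pos)      # authorization protocol name
        data, pos = _read_field(buf, pos)      # the secret itself
        entries.append({"family": family, "address": address,
                        "number": number.decode("ascii"),
                        "name": name.decode("ascii"), "data": data})
    return entries

def build_entry(family, address, number, name, data):
    """Serialize one entry in the same layout parse_xauthority reads."""
    def field(b):
        return struct.pack(">H", len(b)) + b
    return (struct.pack(">H", family) + field(address) + field(number.encode("ascii"))
            + field(name.encode("ascii")) + field(data))

def new_local_cookie(hostname, display):
    """Fresh MIT-MAGIC-COOKIE-1 entry for a local display: 128 random bits."""
    return build_entry(FAMILY_LOCAL, hostname.encode("ascii"), display,
                       "MIT-MAGIC-COOKIE-1", os.urandom(16))

def format_entry(entry):
    """Render one entry the way `xauth list` prints it."""
    fam, addr = entry["family"], entry["address"]
    if fam == FAMILY_LOCAL:
        host = addr.decode("ascii") + "/unix"
    elif fam == FAMILY_INTERNET and len(addr) == 4:
        host = ".".join(str(b) for b in addr)
    elif fam == FAMILY_WILD:
        host = "*"
    else:
        host = "#%d:%s" % (fam, addr.hex())
    return "%s:%s  %s  %s" % (host, entry["number"], entry["name"], entry["data"].hex())

def find_cookie(entries, family, address, number):
    """Pick the entry an X client would present for a display, following the
    matching rules of Xlib's XauGetAuthByAddr: a FamilyWild entry matches any
    address and an empty display number matches any display."""
    for e in entries:
        addr_ok = e["family"] == FAMILY_WILD or (e["family"] == family and e["address"] == address)
        number_ok = e["number"] in ("", number)
        if addr_ok and number_ok:
            return e
    return None

def permissions_ok(mode):
    """True if group/other have no access bits; xauth creates the file with mode 0600."""
    return (mode & 0o077) == 0

def load_xauthority(path=None):
    """Read the user's cookie database, honouring $XAUTHORITY like X clients do,
    and refuse a file that other users could read."""
    path = path or os.environ.get("XAUTHORITY") or os.path.expanduser("~/.Xauthority")
    mode = os.stat(path).st_mode & 0o777
    if not permissions_ok(mode):
        raise PermissionError("%s is mode %o; cookies are exposed to other users" % (path, mode))
    with open(path, "rb") as fh:
        return parse_xauthority(fh.read())

# Constructed sample database: one local display and one reachable over IPv4.
SAMPLE_XAUTHORITY = (
    build_entry(FAMILY_LOCAL, b"mybox", "0", "MIT-MAGIC-COOKIE-1",
                bytes.fromhex("00112233445566778899aabbccddeeff"))
    + build_entry(FAMILY_INTERNET, bytes([192, 168, 0, 7]), "1", "MIT-MAGIC-COOKIE-1",
                  bytes.fromhex("ffeeddccbbaa99887766554433221100"))
)

if __name__ == "__main__":
    try:
        entries = load_xauthority()
    except OSError as exc:          # no file, or one readable by other users
        print("using constructed sample (%s)" % exc)
        entries = parse_xauthority(SAMPLE_XAUTHORITY)
    for entry in entries:
        print(format_entry(entry))
```

Run as a script, it lists the entries of your own cookie database when that
file exists and is readable only by you, and otherwise falls back to the
constructed sample; the parser and the permission check are what a
practitioner would reach for when a display refuses connections after a
cookie or a file mode has gone wrong.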
686 26.7. Security and Confidentiality