Previous | Contents | Index |
The MIT-MAGIC-COOKIE-1 protocol was designed to provide a more secure alternative to the host-based security mechanism (xhost) available in previous releases of the X Window System. The first protocol to use a token-based approach, it provided the initial, standard means for restricting access to the X server on a user level.
Magic Cookie authorizes connections to an X server based on entries in the X authority file. Each entry for Magic Cookie access control specifies:
Magic Cookie access control can be implemented one of two ways depending on your DECwindows Motif system environment:
When Magic Cookie is used to authorize connections during a DECwindows Motif session, a cookie is generated each time a user successfully logs into their local DECwindows Motif desktop. The magic cookie authorizing the local connection, along with the device, transport, and protocol name is passed to the X server and stored in the current X authority file (SYS$LOGIN:DECW$XAUTHORITY.DECW$XAUTH).
Each time a client application attempts to connect to the X server during the session, the application must present a valid cookie to the X server along with the connection request. If the cookie matches the one maintained by the X server, the connection is authorized, access is granted to the X server, and the display is opened.
If the client does not present a valid cookie, the following message is displayed, and the connection is denied:
Xlib: connection to "0:0.0" refused by server Xlib: Invalid MIT-MAGIC-COOKIE-1 key X Toolkit Error: Can't Open display |
When the user logs out of the DECwindows Motif session, the server is reset, and the cookie is discarded.
The basic authorization process remains the same when Magic Cookie is used to authorize X server connections outside of a DECwindows Motif session. However, the file creation process is not. Both the X authority file and the magic cookie must be manually generated.
Due to the use of a randomly-generated token, Magic Cookie provides a
more secure form of access control than the user-based scheme. However,
the cookies are sent across the network unencrypted, leaving them prone
to interception. As a result, this form of access control is
recommended for authorizing connections in a local area network (LAN)
or limited DECnet environment.
2.6.2.2 Kerberos (MIT-KERBEROS-5)
Kerberos authorizes connections to an X server based on a combination of the following:
Kerberos credentials, or tickets, are a set of electronic information that can be used to verify the identity of a principal. These principals are stored in an Authorized Principals list kept on the server system. With Kerberos, client applications run by a valid principal send requests for a ticket from the Kerberos Key Distribution Center (KDC) each time they attempt to connect to the Kerberos-protected X server.
Kerberos access control can be implemented one of two ways depending on your DECwindows Motif system environment:
Once Kerberos access control is enabled on the server, a new ticket is requested from the KDC automatically each time a user logs into their local desktop. The KDC creates a ticket-granting ticket (TGT) associated with the user's principal name, encrypts it using the password as the key, and returns the encrypted TGT.
If the TGT is decrypted successfully, the user is authenticated and the TGT is cached. The TGT permits the authenticated principal to obtain additional tickets. These additional tickets grant access to specific services, in this case, access to the X server from other client applications. The requesting and granting of these additional tickets happens transparently.
With DECwindows Motif, user-to-user authentication is employed. In this model, both the client and server use a Kerberos client at each end of the connection to verify the identify of the user (principal). Once the principal is authenticated at both ends of the connection, access is granted to the X server.
By default, each TGT expires at a specified time. If a TGT has expired or been compromised, you can choose to revoke the current TGT and generate a new TGT by forcing a Kerberos login.
The basic authorization process remains the same when Kerberos is used to authorize X server connections outside of a DECwindows Motif session. However, the credential initialization is not. The user who is running the client application must force initialization using the Kerberos Inititialization utility (kinit) or by forcing a login through OpenVMS.
Kerberos is the most secure form of access control since it encrypts the initial authentication information between the requesting client and the server system. Therefore, it is the recommended method for authorizing remote client connections over unsecure networks, such as the Internet.
Kerberos is designed to generate a session key that can be used to encrypt all data transmitted over a network connection. The X Window System uses this key only to encrypt the initial authentication messages. Once the identity of the client has been reliably verified, all subsequent data is sent across the network channel unencrypted. As a result, the server itself can remain susceptible to some forms of network-level attacks. |
When configuring access control for the X display server, you can choose to apply a traditional user-based scheme, a token-based scheme (such as Magic Cookie or Kerberos), or a combination of schemes depending upon your network environment. For example, you may choose to use Kerberos to authorize all remote server connections over TCP/IP and Magic Cookie to authorize LAN network connections.
When used in combination, the most restrictive access control scheme presented by the client always takes precedence. For example, if the server has all three schemes enabled, and the requesting client is using Magic Cookie, the server will attempt to authorize the connection via Magic Cookie. Note with Magic Cookie access control, user-based access is available by default. If the client attempts and fails to connect to the server using a token-based scheme and is also a member of the Authorized Users list, then access will be granted.
Before enabling access control, take the following actions:
Action | Description |
---|---|
Verify that an access trusted file exists. | In order to change access control settings, one or more OpenVMS Alpha users must hold trust privileges for the DECwindows Motif system. Before enabling authentication, ensure that an access trusted file exists and that at least one account (such as, SYSTEM) has been granted trust privileges. For information about the access trusted file, see Section 2.6.3.1.2. |
Determine the appropriate method for the DECwindows Motif environment. | Select the authentication method most appropriate to your DECwindows Motif environment, and enable that method only. For example, for DECwindows Motif systems that run applications outside of a desktop, only enable authentication outside of a DECwindows Motif session. Combining schemes can result in a situation where the initial DECwindows Motif login process cannot login. |
Enabling access control outside of a DECwindows Motif desktop session allows authorized OpenVMS users to run X Window System client applications on systems without a login process. This type of access control is used typically for systems that function as a standalone X server, versus an interactive DECwindows Motif workstation.
Use the server customization parameters and either the access allowed
or X authority file to set access control, as described in the
following sections.
2.6.3.1.1 The Access Allowed File
By default, access to the DECwindows X11 Display Server prior to login is limited to the local SYSTEM account via the DECnet or local transport. The access allowed file is an ASCII text file that grants additional OpenVMS users access to the X server automatically at server startup.
The access allowed settings remain in effect until a user logs into a DECwindows Motif desktop. Once a user logs into a desktop and begins a DECwindows Motif session, any security options defined with the Session Manager for that user are applied. If a token-based access control scheme has been enabled, additional information may need to be provided by a client application or user in order to gain access to the X server. See Section 2.6 for more information on token-based schemes currently supported by DECwindows Motif.
Once the user ends the session, the server is reinitialized, and the access allowed settings are restored.
The access allowed file is intended for use on workstations that do not normally use the DECwindows Motif login process. Do not use this file on workstations that rely on the DECwindows Motif login process to restrict access to the X server, as it can compromise the security of the DECwindows Motif system. For example, a user granted access via the access allowed file could spoof a login window that captures the passwords of other users attempting to log into a DECwindows Motif desktop. |
Not to be confused with trusted network connections, as described in Section 1.2.2.7, trusted users are those who are authorized to change security settings. The access trusted file is an ASCII text file that identifies which OpenVMS users can change the access control settings for a particular DECwindows X11 Display Server.
By default, the local SYSTEM account is granted trust privileges (via the local or DECnet transport). However, when using token-based authentication, trust privileges are not assigned by default. You must manually assign these privileges using the access trusted file.
Entries in this file are automatically added to the access allowed
list, unless a token-based authentication scheme is in place. In that
case, trusted users must be granted access to the X server either
through a manual entry to the access allowed list or via an entry in
the appropriate X authority file. Similar to the settings in an access
allowed file, access trusted settings remain in effect until a user
logs into a DECwindows Motif desktop.
2.6.3.1.3 Format of File Entries
Depending on the access control method in place, the format of file entries can differ.
For User-Based or Magic Cookie Access Control
Each entry in an access allowed or access trusted file follows the transport-host-username format currently used by the DECwindows Motif security options, as described in Using DECwindows Motif for OpenVMS.
For example, the following entries in an access allowed file grant user JONES local access to the server as well as network access from node ZEPHYR via the DECnet transport:
DECNET ZEPHYR JONES LOCAL 0 JONES . . . |
Note that when using TCP/IP as the network transport, access and trust privileges can only be assigned to a host versus to specific users. TCP/IP does not provide the user specification as part of the data provided on a remote connection.
As a result, file entries for hosts using TCP/IP must contain an asterisk (*) for the user specification. This grants all users on a particular host system access or trust privileges when they connect to the X server using TCP/IP. For example, the following entry in an access allowed file grants access to all users on node ZEPHYR via the TCP/IP transport:
TCPIP ZEPHYR * . . . |
For Kerberos Access Control
Under Kerberos access control, entries are only allowed in the access allowed file. Each entry for a Kerberos principal in an access allowed file follows the protocol-principal@realm-accessrights format, where accessrights can be NONE, ALL, or *.
For example, the following entry in an access allowed file grants principal JONES access to the server via the TCP/IP transport:
KERBEROS jones@ORG.COMPANY.COM ALL . . . |
To apply user-based access control outside of a DECwindows Motif session, establish an access allowed and access trusted file, as follows:
$ DECW$SERVER_ACCESS_ALLOWED == "SYS$MANAGER:DECW$SERVER1_ACCESS_ALLOWED.DAT" $ DECW$SERVER_ACCESS_TRUSTED == "SYS$MANAGER:DECW$SERVER1_ACCESS_TRUSTED.DAT" |
Trust privileges do not automatically grant access to the X server when using token-based authentication. If you are creating an access trusted list on a system that has either Magic Cookie or Kerberos enabled, each user on that list must also have a valid entry in the related access allowed file or X authority file in order to access the X server. |
Authorizing TCPIP host connections to an X server using an access allowed file entry provides unauthenticated access to a DECwindows Motif system. This could leave the system vulnerable to unwanted intrusion, Denial of Service (DoS) attacks, and possible data loss. To ensure the proper level of system security, HP strongly recommends that a token-based scheme (such as, Magic Cookie or Kerberos) be used to authorize remote access to an X server via TCP/IP. Not only do these schemes provide greater system protection, they also allow you to grant (or deny) access on a per-user basis. |
To apply Magic Cookie access control outside of a DECwindows Motif session, do the following:
$ DECW$SERVER_XAUTHORITY == "SYS$MANAGER:SERVER_ZEPHYR.DECW$XAUTH" |
$ XAUTH -f SYS$SYSROOT:[SYSMGR]SERVER_ZEPHYR.DECW$XAUTH ADD - _$ :0 MIT-MAGIC-COOKIE-1 12345abcdef56789 |
2.6.3.1.6 Kerberos Access Control
Prerequisites
In order to enable Kerberos, you or your system administrator must have first performed the following on the server system:
To apply Kerberos access control outside of a DECwindows Motif session, do the following:
$ KERBEROS/INTERFACE=DECWINDOWS/ADMIN |
x0/system@ORG.COMPANY.COM |
$ DECW$SERVER_XAUTHORITY == "SYS$MANAGER:SERVER_ZEPHYR.DECW$XAUTH" $ DECW$SERVER_ACCESS_ALLOWED == "SYS$MANAGER:DECW$SERVER_ZEPHYR_ACCESS_ALLOWED.DAT" $ DECW$SERVER_ACCESS_TRUSTED == "SYS$MANAGER:DECW$SERVER_ZEPHYR_ACCESS_TRUSTED.DAT" |
$ XAUTH -f SYS$SYSROOT:[SYSMGR]SERVER_ZEPHYR.DECW$XAUTH ADD - _$ :0 MIT-KERBEROS-5 - _$ 43533a78302c53595324535953524f4f543a5b5359534d47525d44454 - _$ 3572458302e4b4559544142 |
* SYSTEM 0 |
Use the Security Options dialog box to set the access control scheme in effect inside a DECwindows Motif session. The options in the dialog box enable you to set the access control scheme used by the local X display server, authorize other users access to the X server, and specify the scheme local client applications use when connecting to an X server.
Accessed from the Session Manager (Traditional Desktop) or Style Manager (New Desktop), the settings in Security Options dialog box are identical. Note, however, each desktop stores the settings differently:
To enable user-based access control and grant one or more authorized users access to your workstation display:
To disable user-based access control, you must remove all users from the Authorized Users list.
To remove a user name, first click on the names you want to remove. Then click on the Remove button. Finally, click on OK or Apply. The users will no longer have authorized access to your workstation.
Previous | Next | Contents | Index |