[5929] in Kerberos
X11R6 and kerberos - problems
daemon@ATHENA.MIT.EDU (Rainer Krienke)
Tue Sep 26 13:06:26 1995
To: kerberos@MIT.EDU
Date: 26 Sep 1995 15:18:08 GMT
From: krienke@infko.uni-koblenz.de (Rainer Krienke)
Reply-To: krienke@infko.uni-koblenz.de
Hello,
I'm having trouble using Kerberos with X11R6.

- The problem (short description):

I run Kerberos 5B4 on a Sun SPARC 5 under Solaris 2.4. I want to
run X11R6 via xdm using Kerberos, to make my display secure.
Everything seems to work (X comes up, a new ticket is entered into
my credential cache file, .Xauthority is updated with a new KERBEROS-5
entry) but my display is not secure! Everyone can connect, even if I
destroy the ticket obtained by xdm. xhost is set to "xhost -", so only
authorized clients should be able to connect.

What am I missing?
Are there other resources that have to be set besides the ones I set (see below)?
Perhaps someone who has X11R6 and Kerberos successfully running
can tell what might be wrong.
- Additional Information about my local configuration:
Here is my xdm-config file:
DisplayManager.servers: /usr/X11R6/lib/X11/xdm/Xservers
DisplayManager.errorLogFile: /usr/X11R6/lib/X11/xdm/xdm-errors
DisplayManager*resources: /usr/X11R6/lib/X11/xdm/Xresources
DisplayManager*startup: /usr/X11R6/lib/X11/xdm/Xstartup
DisplayManager*session: /usr/X11R6/lib/X11/xdm/Xsession
DisplayManager.pidFile: /usr/X11R6/lib/X11/xdm/xdm-pid
DisplayManager._0.authorize: true
DisplayManager*authorize: true
DisplayManager*authName: MIT-KERBEROS-5
DisplayManager._0.authName: MIT-KERBEROS-5
The Xsession-file:
#!/bin/sh
xlogin -showMOTD Always -userFiles /usr/X11R6/lib/X11/xdm/motd
xhost -
case $1 in
failsafe) xhost +
          xclock &
          xterm -geometry 80x24+200+200
          exit ;;
usetwm)   _WINDOWMANAGER="twm"
          export _WINDOWMANAGER ;;
esac
DEFAULTXINITRC=/usr/X11R6/lib/X11/xinit/Xinitrc
if [ -r $HOME/.xinitrc ]; then
    . $HOME/.xinitrc
else
    . $DEFAULTXINITRC
fi
And finally the Xservers-file is:
:0 LOCAL local /usr/bin/X11/Xsun :0 -su -bs -fn courb14
The other files are default.
After xdm is started, it starts the X server with the additional argument
-auth /usr/X11R6/lib/X11/xdm/A:0-a000TX. After a login and the X startup,
the auth file contains an entry:
#ffff##: MIT-KERBEROS-5 UU:FILE:/tmp/K5C:0
Issuing klist at this point results in the output:
Ticket cache: /tmp/K5C:0
Default principal: krienke@UNI-KOBLENZ.DE
Valid starting       Expires              Service principal
25-Sep-95 11:27:14   25-Sep-95 19:27:14   krbtgt/UNI-KOBLENZ.DE@UNI-KOBLENZ.DE
Everything seems to work, but nevertheless my display is still not secure.
Anyone with a different account than mine can contact my server without my
having granted him permission to do so.
Any ideas about what goes wrong, or what I'm doing wrong, are appreciated.
Thank you very much
Rainer