Guided Tours: X
In this section you will find information on how to improve your X security.
What is X security, and where are the problems?
Let us assume that you want to use the X window system in a
secure manner. You have to control access to your X display,
because everyone who can connect to your display is able to
read everything on your screen and to read every keystroke
on your keyboard. With Netscape, there are easy ways to
impersonate you by controlling your Netscape remotely.
There are several means to control security
on an X display:
xhost [+|-] [hostname] allows everyone on that host
to connect to your X display (xhost + without a hostname
lets every host connect). Very bad, and only usable
in single-user environments. It has the additional drawback
that IP addresses can be faked.
X authority with an MIT-MAGIC-COOKIE-1 cookie. This is better,
because it uses the secret in the cookie. However, there is no
encryption of the cookie, so everyone who can wiretap the
transmission can impersonate you. The X traffic itself is not
encrypted either, so a wiretapper can also read your screen
contents and keystrokes directly from the wire.
Kerberos V authentication with X11R6. Unfortunately most
vendors do not support that. It only solves the
authentication problem, not the encryption problem.
PDC Kerberos IV travel kit with secure kx. Does
authenticate and encrypt your X connection through
How to use kx.
Download the Kerberos travel kit.
It contains the kauth, rxtelnet, telnet and kx programs needed.
Secure X is supported between your workstation
and all PDC computers. It is supported on most
of NADA's computers, too.
Check that you have closed all X access through
xhost. Run xhost -hostname for every host that is still
listed (xhost - on its own re-enables access control but
does not empty the list) until xhost, run without
arguments, reports that you are safe:
access control enabled, only authorized clients can connect
(empty access list)
Check that your DISPLAY environment variable points to the
display of your workstation, i.e. ":0" or ":0.0". This is needed
because the X windows from remote computers will be opened
through the kx program, which will access your local
display directly. If you are the lucky owner of a two-screen
configuration, the other display may be named ":1.0" or ":0.1".
> echo $DISPLAY
If not, set your DISPLAY environment variable. If you use tcsh/csh:
> setenv DISPLAY :0
If you use sh/ksh/bash:
$ DISPLAY=:0 ; export DISPLAY
Get a ticket with kauth as described in the
travel kit usage guide.
Run the rxtelnet script.
> ./rxtelnet -l your-username-at-pdc strindberg.pdc.kth.se
This script will open a window on your workstation
with a connection to strindberg.pdc.kth.se. From that
window, you might start X programs safely.
The DISPLAY environment variable on strindberg will
be set to a local Unix socket, for example :17, or
a local port, for example localhost:17. (You can
check with echo $DISPLAY.)
Check if you can run a simple X program like xclock:
> echo $DISPLAY
:17 # or any other number greater than 3
> xclock &
If a clock shows up on your display, everything is OK and
you may use other X programs (emacs, xterm) safely.
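The checks in the steps above (xhost locked down, DISPLAY pointing at the local display) as one POSIX sh pre-flight script. This is an added example, not part of the PDC travel kit or of the original page; the hostname ws.example.org in a comment is a made-up illustration, and the xhost output it parses is the two-line status format shown above.

```shell
#!/bin/sh
# Pre-flight check before running rxtelnet: added example, not part of the
# PDC travel kit or of this page. It checks the two things the steps above
# ask for: xhost access control is enabled with an empty access list, and
# DISPLAY names the local workstation display so kx can open it directly.

# xhost_locked_down OUTPUT
# OUTPUT is the text printed by `xhost` run with no arguments. Returns 0
# (success) only when access control is enabled and no host or user entry
# remains in the list; any leftover entry is a host that may still connect.
xhost_locked_down() {
    xh_out=$1
    case $xh_out in
        *"access control enabled"*) ;;
        *) return 1 ;;   # "access control disabled": anyone can connect
    esac
    # Count non-empty lines after the status line other than the
    # "(empty access list)" marker; awk always exits 0, so this is set -e safe.
    xh_extra=$(printf '%s\n' "$xh_out" | awk '
        NR > 1 && NF > 0 && $0 != "(empty access list)" { n++ }
        END { print n + 0 }')
    [ "$xh_extra" -eq 0 ]
}

# display_is_local DISPLAY
# Returns 0 when DISPLAY is of the form :N or :N.M (a display on this
# workstation). A value such as "ws.example.org:0" (hypothetical hostname)
# would send every X client over TCP to the workstation instead.
display_is_local() {
    case $1 in
        :[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight: run both checks against the live system and report.
# Returns 0 when it is safe to start rxtelnet, 1 otherwise.
preflight() {
    pf_ok=0
    xh_live=$(xhost 2>/dev/null) || xh_live=""
    if xhost_locked_down "$xh_live"; then
        echo "xhost: access control enabled, access list empty"
    else
        echo "xhost: NOT safe, run 'xhost -' and 'xhost -hostname' for each listed host"
        pf_ok=1
    fi
    if display_is_local "${DISPLAY:-}"; then
        echo "DISPLAY=${DISPLAY} is a local display"
    else
        echo "DISPLAY='${DISPLAY:-}' is not a local display, set it to :0"
        pf_ok=1
    fi
    return $pf_ok
}

# Only touch the live X server when one is reachable; otherwise the
# functions above can still be sourced and used from another script.
if command -v xhost >/dev/null 2>&1 && [ -n "${DISPLAY:-}" ]; then
    preflight
fi
```

Run it from the workstation before ./rxtelnet; a non-zero exit means one of the two preconditions is not met and the fix is printed. Note that xhost - only turns access control back on: hosts already on the list stay there until removed one by one with xhost -hostname, which is why the script inspects the list rather than the status line alone.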
How does this kx thing work anyway?
The kx program uses a secure channel. This channel is established
between the kx program on your workstation and the kxd program on the remote
computer. If you type a keystroke on your keyboard in an xterm that
was started from an rxtelnet window, the following things happen:
Keystroke z on keyboard
-> X server on the workstation's display :0 generates the X event "keystroke z"
-> kx program on the workstation receives the event
-encrypted over the secure channel, decrypted on arrival-> kxd program on strindberg
-> kxd hands the event, via strindberg's local display :17, to the xterm program on strindberg
-> xterm program on strindberg generates X requests to draw "z"
-> kxd program on strindberg's display :17 receives them
-encrypted over the secure channel, decrypted on arrival-> kx program on workstation
-> kx passes them to display :0 and you see the "z" on your display.
This seems a lot of work just to display a single letter, but if
the "z" is part of your password, you will appreciate it.