X-server configuration

Many X-servers are not configured correctly out-of-the-box and are insecure as a result. An attacker has full access to the screen and keyboard on an insecure X-server so X-servers provide an easy source of user passwords.

This document explains how to configure some of the more popular X-servers used in the University. Some of the popular X-servers use to connect to hammer.thor, part of the undergraduate teaching system, are:

Exceed (Control Data/Hummingbird Communications)
Xwin (StarNet Communications Corp.)
XFree86 (The XFree86 Project, Inc)
HP Entria (Hewlett-Packard Company)

Once the X-server has been configured, you will need to either use xauth to transfer cookies between machines, or use X11 connection forwarding in ssh. (See "Running X-clients on other machines".)

Exceed

Older versions of Exceed are slightly awkward to configure, but fortunately you only need to do it once.

Open the eXceed/W group in the Program Manager.
Start Xconfig/W and double-click on the "Access" icon.
Click on "Edit..." This will start Notepad and allow you to alter Exceed's configuration.
Ensure that "/security" is set, and that there is no line with "/access".
Save the file and quit Notepad.
Click on "Compile."

In newer versions of Exceed, it's easier:

Open the eXceed/W group in the Program Manager.
Start Xconfig/W and double-click on the "Security" icon.
Select "Enabled - No host access".
Deselect the "Allow clients to modify host access" checkbox.

Note that in order to get the client authorization 'cookie' to work, you will need to use XDM to login to the remote machine. A convenient way of doing this is to use XDMCP-Indirect via cus.cam.ac.uk. The login method is in the "Communication" section of Xconfig/W.

Xwin

Open the Xwin group in the program manager.
Run Xutil. (On Win95/NT, try Start/Programs/Xutil.)
From the "Options" menu, check the status of "Access control". If it has a tick by it, click on it to deselect it. ("Access control" in Xwin does not refer to the output of the "xhost" command.)
From the "Options" menu, select "Xhost".
If the host list is not empty, select each host in turn and click on "Delete".

As with Exceed, you must use XDMCP to log in in order to setup the authorization cookie.

XFree86

XFree86, the most common X-server used on Linux, has access control enabled by default when used with XDMCP (ie. when -indirect or -query is used, or when the X-server is start by xdm).

To start XFree86 on the command line without using XDMCP, use a wrapper script to generate the xauthorization cookie:

#!/bin/sh
set -e
if [ -z "$XAUTHORITY" ]; then
        XAUTHORITY=$HOME/.Xauthority
        export XAUTHORITY
fi
auth=`mcookie`
xauth add :0 . $auth
xauth add `hostname -f`:0 . $auth
xinit -- :0 -auth $XAUTHORITY

[Note: Many graphical Web browsers don't render backquotes around mcookie correctly.]

HP Entria

Hold down F12 for two seconds. (Try F3 if that doesn't work.)
Select the "Server" menu.
Turn on "Client Authorization" and "Access Control".

Last updated by Peter Benie <pjb1008@cam.ac.uk>
unix-support@ucs.cam.ac.uk
[Back to index]