On Thu, 21 Sep 2000, Sebastian Fallert wrote:
>> Generally this is desirable in the interest of security but your X terminals have to support it or they have to be on a separate segment with a machine doing SSH tunneling to the server (sort of VPN).
> Could you point me to some resource elaborating on that?
Sorry I did anything like this in practice. You could of course set up a real VPN (there was a thread about using freeSWAN on this list) but maybe that's overkill and port forwarding by SSH can do it. Try searching the net on more specific info or just start experimenting by forwarding the X ports 6000, 7100 (any other?) and xdmcp 177 from your "VPN-router" to your server and point the terminals to the "VPN-router". Still there must be no access to the X terminals' network segment or the whole exercise will be futile since the traffic goes unencrypted between the terminal and the "VPN-router".
> Because I am afraid of people sniffing on my LAN grabbing passwords from users authenticating against a server using XDMCP. I know about the Cookie-Mechanism...but first there has to happen some sort of handshake between the server and the authenticating client...I'm sure someone could (in case he can monitor the whole chatter) use this information in order to extract a username/passwd-pair (is this true???).
AFAIK all traffic on the wire goes unencrypted, cookie or not. So if anyone can sniff the network traffic you can't help it. Using cookies only helps against other users on the same or other hosts who cannot sniff your network traffic.
> Is there a way of enhancing the security of the whole XDMCP-Authentication-Thingy?
I don't know any way.

Robert

-- 
Robert Casties --------------------- http://philoscience.unibe.ch/~casties
History & Philosophy of Science      Tel: +41/31/631-8505 Room: 216
Institute for Exact Sciences         Sidlerstrasse 5, CH-3012 Bern
Uni Bern                             (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
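
Added example (not part of the original message): a shell check for the exposure discussed above. It scans `ss -tuln` output for listeners on the X ports the reply names (X11 on TCP 6000 and up, the font server on TCP 7100, XDMCP on UDP 177) that are bound to a non-loopback address, which is where cleartext X traffic is reachable from the LAN. The function name find_exposed_x, the sample input and the 6000-6063 display range are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag cleartext X-related listeners reachable from the network.
# Input: output of `ss -tuln` (Netid State Recv-Q Send-Q Local Peer).

# Constructed sample of `ss -tuln` output from a hypothetical X host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:177        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
tcp   LISTEN 0      5      192.168.1.10:7100  0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::1]:6011         [::]:*
tcp   LISTEN 0      128    [::]:6001          [::]:*'

# Reads ss output on stdin; prints "<proto> <addr> <port> <service>"
# for every X11, xfs or XDMCP listener not bound to loopback.
find_exposed_x() {
  awk '
    NR == 1 { next }                         # skip the header line
    {
      proto = $1; local = $5
      port = local; sub(/.*:/, "", port)     # text after the last colon
      port = port + 0                        # force numeric comparison
      addr = local; sub(/:[^:]*$/, "", addr) # text before the last colon
      # Loopback listeners (e.g. sshd X11 forwarding on 6010+) never
      # put X traffic on the wire, so they are not reported.
      if (addr ~ /^127\./ || addr == "[::1]") next
      svc = ""
      if (proto == "udp" && port == 177) svc = "xdmcp"
      # Assumption: displays :0 to :63, i.e. TCP 6000-6063.
      else if (proto == "tcp" && port >= 6000 && port <= 6063) svc = "x11"
      else if (proto == "tcp" && port == 7100) svc = "xfs"
      if (svc != "") print proto, addr, port, svc
    }'
}

# Run against the constructed sample. On a live host, use instead:
#   ss -tuln | find_exposed_x
printf '%s\n' "$SAMPLE_SS" | find_exposed_x
```

Any line it reports is a service whose traffic, XDMCP login exchange included, crosses the network unencrypted unless it is confined to a trusted segment or carried inside a tunnel.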