IETF-SSH archive


Re: Clarification regarding x-authentication



"Glen Matthews" <glen%montreal.hcl.com@localhost> writes:

>   who should check? The ssh client or the server?

1. If the ssh client creates the fake cookie and includes it in the
   "x11-req" message, then the ssh client should dig into received X11
   data and check that received cookies are correct. There are at
   least two other ways of doing it:

2. Sending the real cookie. Then neither the client nor the server
   needs to look into the X11 datastream, as the real X server will
   check the cookie.

3. Sending an empty cookie in the "x11-req" message. Let the server
   create a fake cookie. For each X11 connection, the server digs into
   the X11 datastream to check and remove the cookie. The client will
   also dig into the X11 connection to insert the real cookie before
   connecting to the real X server.

All ssh implementations I know of do (1). (2) is discouraged, for
security reasons: One should never reveal the real cookie to remote
machines. I think (3) is in some ways cleaner: ssh server and client
have already authenticated each other, so the X11 authentication on
the wire is redundant. But (3) has some drawbacks:

  * both server and client must dig into the X11 protocol.
  
  * since it's not specified what a server should do if it receives an
    empty cookie in the "x11-req", the client can't know if the server
    implementation will behave as described above, and generate a
    suitable random cookie that X clients must use. So the user is
    safer if the client implements (1).

In more general terms, letting the server do the authentication is in
a way making an (X11) client responsible for X11 server security, which
is not good practice.

/Niels
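
Option (1) from the message above, as an added example that is not part of the original message or of any SSH implementation's code: the ssh client parses the first message of a forwarded X11 connection, checks that it carries the fake cookie sent in "x11-req", and substitutes the real cookie before passing it to the real X server. It assumes MIT-MAGIC-COOKIE-1 and a fully buffered setup message; the function names and the sample builder are hypothetical.

```python
import hmac
import struct

AUTH_NAME = b"MIT-MAGIC-COOKIE-1"  # assumed auth protocol named in "x11-req"

def pad4(n):
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (n + 3) & ~3

def build_setup(cookie, order="<", name=AUTH_NAME):
    """Construct a sample X11 connection-setup request (protocol 11.0)."""
    head = struct.pack(order + "cxHHHHxx", b"l" if order == "<" else b"B",
                       11, 0, len(name), len(cookie))
    return (head + name.ljust(pad4(len(name)), b"\0")
            + cookie.ljust(pad4(len(cookie)), b"\0"))

def swap_cookie(setup, fake_cookie, real_cookie):
    """Check the fake cookie and return the setup message carrying the real one.

    Returns None when the connection must be refused; raises ValueError when
    the buffer is not a complete setup request."""
    if len(setup) < 12:
        raise ValueError("incomplete setup header")
    order = {0x6C: "<", 0x42: ">"}.get(setup[0])  # 'l' = LSB first, 'B' = MSB
    if order is None:
        raise ValueError("bad byte-order byte")
    name_len, data_len = struct.unpack(order + "HH", setup[6:10])
    data_off = 12 + pad4(name_len)
    end = data_off + pad4(data_len)
    if len(setup) < end:
        raise ValueError("truncated authorization fields")
    name = setup[12:12 + name_len]
    data = setup[data_off:data_off + data_len]
    # Constant-time compare: the fake cookie is still a secret on the remote host.
    if name != AUTH_NAME or not hmac.compare_digest(data, fake_cookie):
        return None
    # Rewrite the data-length field in case the real cookie differs in length.
    return (setup[:8] + struct.pack(order + "H", len(real_cookie))
            + setup[10:data_off]
            + real_cookie.ljust(pad4(len(real_cookie)), b"\0")
            + setup[end:])
```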


