Linux newbie question: problems using XDMCP to remotely start KDE session from a Windows PC

Nigel Wade nmw at ion.le.ac.uk
Tue Dec 6 09:34:51 UTC 2005 

John Summerfied wrote:
> Nigel Wade wrote:
> 
>> Sundarapandian A wrote:
>>
>>> There is one more easy way of doing this. Just follow the steps below
>>>
>>> 1) Make sure you have XFree86 with cygwin is installed on your XP, ssh
>>> is available on XP machine <you can use telnet also>, X server is
>>> running on linux/unix host, sshd is running on linux/unix host.
>>> 2) Make sure your <cygwin dir>/usr/X11R6/bin is specified in PATH then
>>> start X Windows using the command "XWin.exe -fullscreen -clipboard
>>> -unixkill -nowinkill"
>>> 3) Now you will get XWindows sceen without any applications or window
>>> (You can use ALT+TAB to switch between windows and XWindows)
>>> 4) Start xterm on your XP machine (terminal will appear on xwindow 
>>> screen)
>>> 5) On the command prompt of xterm say "xhost <linux/unix server name 
>>> or IP>"
>>> 6) Now on xterm type the command "ssh <username at linux/unix
>>> servername>" enter password to complete the login
>>> 7) On the xterm now type "export DISPLAY=<windows XP hostname/IP>:0.0
>>> 8) Now on xterm execute "startkde &"
>>> 9) Boooom!! now you'll see KDE on your XP machine!!!!
>>
>>
>>
>> Boooom!! - anyone else who can login to your Linux box can see 
>> everything you do, and type. Only do this if security isn't an issue 
>> for you.
>>
> How is this Nigel?
> Can you suggest a better way, and explain why it's better?
> 
> 
> 
> 

The reason is that "xhost host" permits any X client from host "host" to connect 
to your X server, irrespective of who is executing that client. That X client is 
permitted to to anything - post modal windows to block the display, receive 
keyboard events etc.

The way to allow certain clients to connect, whilst refusing others, is to use 
xauth and the standard MIT_MAGIC_COOKIE. Clients which are unable to supply the 
correct cookie for the server will be refused connection. This is only as secure 
as the filesystem security on any system which holds the xauth files for clients 
which are allowed to connect.

ssh X11 forwarding is no more secure in this respect than xauth - it uses xauth 
on the client. It simply provides a secure tunnel over the network between the 
client and the server. Any user who has access to the xauth file containing the 
cookie can use that tunnel.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555

More information about the fedora-list mailing list