[kwlug disc.] Understanding the X Window System
Oksana Goertzen
ogoertzen at gmail.com
Tue Feb 6 14:48:44 EST 2007
Hi Chris,
I looked around for ddcprobe but I'm not finding it on SuSE. I did find
documentation on it on the net. I downloaded a copy of the live cd for
Knoppix - so I'll see if it's included there. I'm running SLED at work - so
maybe it's not included in favour of SaX2. I can look at my home system
running openSuSE and see if it's there.
Here's some brief info on SaX2.
http://sax.berlios.de/
If you want a look at openSuSE - I have the DVD downloaded at work and I
also have copies of SLED 10 and SLES 10. And, I don't know if you wear
baseball caps, I do have a couple of Novell/SuSE ones. They always seem to
give them out on training or when I go to events and I get a collection.
[Or maybe you're not too enthused about the Novell + M$ agreement - same as
I ]. Anyhow, if you want one - speak up. I vacillated about whether to
bring them to kwlug. Maybe Novell is now a bad word. :) I haven't decided
yet myself. I'm sort of, of the mind, M$ is playing divide and conquer and
for Novell - it's hard to be impartial when you're sleeping with the enemy.
I spent some time going over my notes [and the ones you provided] - thanks!
Hey, it was a great presentation! The place was quiet when you were
talking. :)
I had heard that VNC wasn't as secure as ssh, so one should always use ssh.
Seems like any ssh session that exports X isn't so safe.. depending on the
machine you're connecting to... etc. I did read the section on VNC you
provided below - the url. VNC works more like a traditional client-server,
whereas exporting X through ssh (or port forwarding) the data is exported
but the X server is on your local machine. Do I have this right? And X
server uses udp - is that what you said? In looking up VNC it says it uses
something called remote framebuffer. For some reason I thought VNC used
screen scrapes. VNC doesn't use encryption by default I thought. On KDE
it's called Krfb or KDE remote desktop sharing - there is one Gui to
configure both on SLED. "Desktop Sharing is the KDE server for the Remote
Frame Buffer protocol. Remote Desktop Connection is the KDE client for the
Remote Frame Buffer protocol."
http://www.realvnc.com/howitworks.html
I found in xterm or actually I guess Konsole in KDE that the ctrl-right
click or ctrl-left click didn't work for the font menu - but it's not
strictly xterm. However, the ctrl+right click brought up other Konsole
options. Just using the middle button only pasted a selection (not a cut
buffer) from Firefox.
I"m assuming if you use ssh only it doesn't produce the
mit.magic.cookiesfile. My understanding is that ssh uses the public
key from the server and
the public key from the client to encrypt the data stream. If the client's
public key is found on the server, then you don't have to use a password to
connect - but I guess you would need the client private key to decrypt the
stream of data... so there is still something on the client side that needs
to be there. It sounds as though ssh -X creates a temporary key - and uses
this key as a symmetric cipher - i.e. that it uses the same key for both
encryption and decryption... and this key is available for that session, to
anyone who has root [or can become root] on the system.
I'm assuming that if your home directory mounted as a fileshare then
possibly your hidden directory for .gnupg could be also more or less
available. When I looked at the file on my machine it's a binary file - so
would that make it more protected?
Hey, do you want to go for lunch on Friday? I'll make it easy for you -
I'll buy. We could go to Country Boy - they have all day breakfast [for
those who get out of bed at noon!] or wherever else you'd prefer. Let me
know.
Oksana
On 2/5/07, Chris Frey < cdfrey at foursquare.net> wrote:
>
> Hi,
>
> As promised, here is the detailed outline used for tonight's presentation.
> There were a lot of good comments during the meeting, talking about VNC's
> X server, and FreeNX (?)... please feel free to add more tips to this
> thread.
>
> - Chris
>
>
>
>
>
> Almost all the information presented tonight is available to you
> regardless
> of what desktop you use. I'll be using a lot of low level X commands
> that are on most installations by default.
>
> Ssh will also be used near the end, to point out some security
> considerations.
>
>
> - goals of presentation
>
> - The X model
>
> - XF86Config overview
> - screens bigger than display size? scrolling?
> - Virtual 2048 1024 (in Display subsection)
> - xf86cfg (gui) and xf86config (text) config programs
> - handy keystrokes
> - Ctrl-Alt-Backspace
> - Ctrl-Alt- + and -
> - Ctrl-Alt- F1 to F12
>
>
> - Connecting to your X server
> - display name format:
> hostname:displaynumber.screennumber
> hostname - computer it's running on
> display number - which X server that's running on host
> screen number - which monitor
> - specify:
> - DISPLAY env variable
> - -display command line option
>
>
> - the X startup process
> - starting the X server manually
> - X :1
> - useless
> - xterm -display :1
> - need a window manager!
> - try it: fluxbox -display :1
>
>
> - startx
> - user friendly wrapper for xinit
> - startup scripts in /home/user
> - .xinitrc - default script to start up the client
>
> - .xserverrc - default script for X server
> - xinit kills the X server when client exits (last
> connection)
> - specify the display number
> startx -- :1
>
>
> - xdm/gdm/kdm
> - see below
>
>
> - X managers
> - The display manager - manages logins graphically
> - takes the place of init, getty, login
> - via inittab or daemon
> - xdm starts an X server based on
> /etc/X11/xdm/Xservers
> - remote access from the network
> - port 177, UDP, the xdmcp protocol
> - has to be configured specifically for security
> reasons
> - xdm needs to be "willing"
> - gdm needs xdmcp turned on
> - demo gdm
> - turn on xdmcp in gdm config
> - X :1 -query localhost
>
>
> - The window manager
> - fluxbox
> - gnome / kde
>
>
> - The session manager
> - xsm
> - place at the end of your .xinit
> - rather limited
> - gnome
> - automatic session management in the logout
> screen
> - when using gnome applications, can save even
> small details
> - try metacity
>
>
> - X fonts
> - fonts are loaded from the server's local filesystem, or from
> one or more font servers, or both
> - xfontsel
>
> - Cut and paste
> - the selection and the cut buffer
> - selection - application holds the data for anyone that
> asks
> - cut buffer - X server holds the data
> - xcutsel
> - http://www.realvnc.com/pipermail/vnc-list/2001-May/022320.html
>
> - experiment:
> - mozilla works with selection
> - xterm works with both cut buffer and selection
> - xcutsel to work with cut buffer even after
> mozilla
> exits
> - the clipboard
> - xclipboard
> - listens for CLIPBOARD assertions and keeps a stack of
> string data... xterm doesn't do this, but mozilla
> does when doing a Copy
>
>
> - X toys
> - xsetroot
> - xsetroot -solid black
> - xsetroot -solid red
> - xsetroot -bitmap pumpkin.xbm
> - bsetroot, part of fluxbox, handles jpg's
> - bitmap
> - xeyes
> - xmag
> - xmessage
> - xmessage -center 'Hello world!'
> - xmessage -center -file Xpresentation.txt
> - taking screenshots with xwd | xwud
> - of the root window (shows everything)
> - xwd -root
> - of a given window
> - xwd by itself, allows selection
> - xwdtopnm
> - convert to pnm
> - ppmtopgm back.ppm | pgmtopbm | pbmtoxbm > back.xbm
> - xwd | xwdtopnm | ppmtopgm | pgmtopbm | pbmtoxbm >
> window.xbm
> - xsetroot -bitmap window.xbm
>
>
> - Poking around the X window system
> - xmodmap
> - xmodmap -pk (gets list of keycodes)
>
> - xset
> - keyboard rate:
> - xset r rate 250 30
> - turning autorepeat on/off per key
> - xset -r 65 (spacebar)
>
> - xls* family
> - xlsclients Shows client programs currently connected
> - xlsfonts
> - xfd -fn <name>
> - xlsatoms
> - atom: (1.) A unique ID corresponding to a string
> name. Atoms are used to identify
> properties,
> types, and selections.
>
> - info family
> - xdpyinfo
> - xwininfo
> - xwininfo -tree -root
> - xwininfo -tree (lets user select window)
> - xfsinfo
> - xfsinfo -server unix/localhost:7100
> - glxinfo (not covered)
> - xvinfo (not covered)
>
>
> - xprop - watching properties
> - mozilla remote
>
> - xev - watching events
>
>
>
> - X authentication
> - X uses "old school" security, like unix itself... there is one
> barrier to getting in, but once you're in, you're IN!
> - xhost
> - allows anyone from one of the listed hostnames access
> - leave this on, with the host list empty
> - xauth
> - MIT magic cookie - used on most linux installs
> - kerberos
> - getting access to X after running "su"
> - xauth, merge, etc
>
>
> - X forwarding
> - ssh -X and ssh -Y
> - forwards a connection via TCP... often port 6010, etc
> - how an attacker might gain access to your X server
> - spying on the visitor (xwininfo)
> - screen captures! (xwd)
> - keyboard sniffing! (xev)
> - mess with his mind!
> - xmessage
> - xwud a picture onto his display
> - xkill
> - not just hacking, but collaboration
> - ooffice -display :0
>
>
>
> - Security recommendations
> - never ssh -X into a machine that:
> - you don't trust (insecure machine, possibly hacked, etc)
> - you don't trust all people who have root on that machine
> - turn off X forwarding with:
> - ssh -x user at host
> - /etc/ssh/ssh_config (client config)
> - logins can occur via:
> - telnet
> - ssh
> - the X display manager
> - if your home directory is mounted on a network filesystem, your
> magic cookies may be travelling the network in the clear
>
> _______________________________________________
> KWLUG-Disc mailing list
> KWLUG-Disc at kwlug.org
> http://listserv.kwlug.org/mailman/listinfo/kwlug-disc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listserv.ccjclearline.com/pipermail/kwlug-disc/attachments/20070206/9b2c3411/attachment.htm
More information about the KWLUG-Disc
mailing list