X Keys problem [Summary]

From: Joel Caven <caven_at_odo.msoe.edu>
Date: Wed, 23 Oct 1996 18:54:53 -0500 (CDT)

THANK YOU! All who responded...

The solution that I have decided to go with is ssh shell which is to be
installed still but sounds like the best solution. As follows are the
answers:

Thanks again to everyone who helped out...
jc


>From dhoyt_at_oem.net Wed Oct 23 18:52:06 1996
Date: Wed, 23 Oct 1996 11:27:33 -0400
From: David Hoyt <dhoyt_at_oem.net>
To: Joel Caven <caven_at_odo.msoe.edu>
Subject: Re: Xkeys problem...

1. Filter via any router connections to the 6000 + nXwindows
6001, 6002....

2. Run sshd, with ssh-agent starting up X

3. MIT Cookie doesn't matter, we can see everything with xkey

David



At 09:35 AM 10/23/96 -0500, Joel Caven wrote:
>
>Alpha managers HELP!
>
>I have a small problem with X security. We have a campus full of PC's
>that can attach via DEC Excursions to our Alpha 3000 running DU 4.0 for X
>applications.
>
> A few days ago I caught a "hacker" running xkeys on the system to
>capture key presses from ANY X display. I tested this program and it does
>work, even though I believe (key word here) that we have MIT-COOKIES
>running for security configuration.
>
>THE QUESTION: How can I prevent xkeys from working? What do I check for
>configuration of the security on the Excursions and on DU 4.0 to make sure
>that X is secure from Xkeys? Xkeys is a very easy program to run and it
>WILL get passwords from keypresses if you look long enough. (su's are the
>worst, hence the worry here).
>
>THANKS in advance for any help or suggestions regarding this matter!
>
>( I need to learn a little more about how X works ...)
>
>
>Joel Caven
>
>DEC Systems Administrator, Milwaukee School of Engineering.
>Broadcast Engineer, WMSE Radio/Milwaukee.
>Computer Engineering student, Milwaukee School of Engineering.
>E-mail: caven_at_msoe.edu
>P.O. Box 93506
>Milwaukee, WI 53203
>
>
>
>
!---------------------------------
!David Hoyt OEM.NET
!617.740.6200 USA,EARTH

>From jwiebe_at_ptc.com Wed Oct 23 18:52:10 1996
Date: Wed, 23 Oct 1996 11:36:24 -0400
From: John Wiebe <jwiebe_at_ptc.com>
To: Joel Caven <caven_at_odo.msoe.edu>
Subject: Re: Xkeys problem...

The best way to prevent the use of xkey is to make sure
you have the proper xhost permissions set. Xkey takes
advantage of a security hole in X11. If you are using
xterms, you can secure the keyboard from prying eyes
by bringing up the "MAIN OPTIONS" window and selecting
secure keyboard, this will reverse the colors. If you
unselect the secure keyboard option and the colors stay
reversed you have someone watching you.

On my alphastation 500/266, DU 3.2d with X11R5 and MWM when I secure the
keyboard it only allows me to use that single window while
in secure keyboard mode. If you have people running
xkey, you might want to check for packet sniffers as well.
Personally, I have gotten root using xkey a couple of times.
This is how I would do it, log on to the server, do a who -a,
look for machines with ":0.0" appended to them, and use xkey
to monitor their display. Then go tell a sys admin there
is a problem on that machine.

Also note that if someone is running xkey and you change the
permissions, i.e. xhost -, xkey will still be able to catch
the keystrokes until the server or xkey is restarted.


hope this helps,

John Wiebe
QA tools group
Parametric Technologies
>From Hans.Ranke_at_Regent.E-Technik.TU-Muenchen.DE Wed Oct 23 18:52:12 1996
Date: Wed, 23 Oct 1996 17:48:57 +0200
From: Hans Ranke <Hans.Ranke_at_Regent.E-Technik.TU-Muenchen.DE>
To: Joel Caven <caven_at_odo.msoe.edu>
Cc: har_at_regent.e-technik.tu-muenchen.de
Subject: Re: Xkeys problem...

Hello,
>
> THE QUESTION: How can I prevent xkeys from working? What do I check for
> configuration of the security on the Excursions and on DU 4.0 to make sure
> that X is secure from Xkeys? Xkeys is a very easy program to run and it
> WILL get passwords from keypresses if you look long enough. (su's are the
> worst, hence the worry here).
>
Log into a unix workstation via excursion and run the xhost command.
This will tell you if access control is enabled and which hosts can connect.

As far as I can see, excursion does not support the MIT-MAGIC-COOKIES
authorisation scheme. (At least not Version 2.1).
Using the Access tab of the control panel, you can enable access control and
restrict the access to specific hosts. But I do not see a way to specify
a cookie file (such as ~/.Xauthority), which would be necessary to use the
MIT-MAGIC-COOKIE method.

Greetings, Hans

Hans Ranke Hans.Ranke_at_regent.e-technik.tu-muenchen.de
Lehrstuhl fuer Institute of
Rechnergestuetztes Entwerfen Electronic Design Automation
Technische Universitaet Muenchen Technical University of Munich, Germany
Phone +49 89 289 23660 Fax +49 89 289 23696

>From coxa_at_cableol.net Wed Oct 23 18:52:18 1996
Date: Wed, 23 Oct 1996 17:20:11 +0100 (BST)
From: Alan Cox <coxa_at_cableol.net>
To: Joel Caven <caven_at_odo.msoe.edu>
Cc: alpha-osf-managers_at_ornl.gov
Subject: Re: Xkeys problem...

> THE QUESTION: How can I prevent xkeys from working? What do I check for
> configuration of the security on the Excursions and on DU 4.0 to make sure

Having xdm set up right (and ensuring the PC clients actually support and
use MIT cookies and no other access control) will help. The xkeys program
is attacking the PC side not the alpha, so it's probably a case of finding
the options on the PC to turn off access from all hosts and enable only
MIT cookie authentication

> WILL get passwords from keypresses if you look long enough. (su's are the
> worst, hence the worry here).

X is no more secure than telnet, that means you shouldn't use either of them
across a network that could be sniffed. You might want to look at something
like secure shell 'ssh' for that

        http://www.cs.hut.fi/ssh

Alan

>From boc_at_ironbark.bendigo.latrobe.edu.au Wed Oct 23 18:52:22 1996
Date: Thu, 24 Oct 1996 08:35:31 +1000 (EST)
From: Brian James O'Connor <boc_at_ironbark.bendigo.latrobe.edu.au>
To: Joel Caven <caven_at_odo.msoe.edu>
Subject: Re: Xkeys problem...

Reply To: b.oconnor_at_bendigo.latrobe.edu.au

You wrote:
>
>
> Alpha managers HELP!
>
> I have a small problem with X security. We have a campus full of PC's
> that can attach via DEC Excursions to our Alpha 3000 running DU 4.0 for X
> applications.
>
> A few days ago I caught a "hacker" running xkeys on the system to
> capture key presses from ANY X display. I tested this program and it does
> work, even though I believe (key word here) that we have MIT-COOKIES
> running for security configuration.
>
> THE QUESTION: How can I prevent xkeys from working? What do I check for
> configuration of the security on the Excursions and on DU 4.0 to make sure
> that X is secure from Xkeys? Xkeys is a very easy program to run and it
> WILL get passwords from keypresses if you look long enough. (su's are the
> worst, hence the worry here).
>
> THANKS in advance for any help or suggestions regarding this matter!
>
> ( I need to learn a little more about how X works ...)
>
>
> Joel Caven
>
> DEC Systems Administrator, Milwaukee School of Engineering.
> Broadcast Engineer, WMSE Radio/Milwaukee.
> Computer Engineering student, Milwaukee School of Engineering.
> E-mail: caven_at_msoe.edu
> P.O. Box 93506
> Milwaukee, WI 53203
>
>

We too had this problem, although on a lab full of SGI indys.
After we installed MIT-COOKIES the problem disappeared. However,
xhost authentication OVERRIDES xauth style security, if your
clients type "xhost +" then MIT-COOKIES is not used, and xkey works.
The indys come with "xhost +" in the system Xsession file so I had to
edit this to remove all instances of "xhost +".
The only way for xkey to work if MIT-COOKIES is used is for the client to
circumvent it via xhosts (as above) or for the hacker to "steal" the .Xauthority
file (fairly easily done, usually by a client having the wrong permissions)

A better solution is to use ssh. This package does end to end encryption
of telnet, rlogin, rsh and X sessions (amongst other things), and is IMHO
the definitive network security solution. It's fast, easy to setup, etc, etc
(Tatu Ylonen, thanks for a great package, pity it doesn't forward dgl packets)
check out http://www.cs.hut.fi/ssh


Welcome to the black hole that is X

HTH
boc
-- 
------------------------------------------------------------
        Brian O'Connor, Unix Systems Consultant
              Latrobe University,Bendigo
          boc_at_ironbark.bendigo.latrobe.edu.au
------------------------------------------------------------
Joel Caven
DEC Systems Administrator, Milwaukee School of Engineering.
Broadcast Engineer, WMSE Radio/Milwaukee.
Computer Engineering student, Milwaukee School of Engineering.
E-mail: caven_at_msoe.edu
P.O. Box 93506
Milwaukee, WI 53203
Received on Thu Oct 24 1996 - 02:23:25 NZDT
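
The two checks from Brian O'Connor's reply (uncommented `xhost +` lines in X session startup files, and a cookie file readable by group or other), written as an added example that is not part of the original thread. The function names, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: sample files are constructed; paths are hypothetical.

# List uncommented "xhost +" / "xhost +host" calls as file:line:text.
# A bare "xhost +" turns host-based access control off for every host.
find_xhost_plus() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -n -E '^[^#]*xhost[[:space:]]+\+' "$f" | sed "s|^|$f:|"
    done
}

# Count findings across the given startup files.
count_xhost_plus() {
    find_xhost_plus "$@" | wc -l | tr -d ' '
}

# Succeed only if the cookie file grants no permissions to group or other.
# Returns 2 when the file does not exist.
cookie_file_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build a constructed sample tree and echo its path.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/Xsession" <<'EOF'
#!/bin/sh
# xhost + was here once (commented out, must not be flagged)
xhost +
xrdb -merge $HOME/.Xresources
/usr/bin/X11/xhost +labpc7
xhost -
EOF
    : > "$d/Xauthority.open";    chmod 644 "$d/Xauthority.open"
    : > "$d/Xauthority.private"; chmod 600 "$d/Xauthority.private"
    echo "$d"
}

# Demonstration run over the constructed sample.
sample=$(make_sample)
find_xhost_plus "$sample/Xsession"
for c in "$sample/Xauthority.open" "$sample/Xauthority.private"; do
    if cookie_file_private "$c"; then echo "ok:   $c"
    else echo "OPEN: $c"; fi
done
rm -rf "$sample"
```

Point `find_xhost_plus` at the system and per-user session files on the hosts that start X sessions, and `cookie_file_private` at each user's `.Xauthority`.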
