Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

WWWXXXAPC, docmd.close 2585, WWWXXXDOCO, nu vot, dhcpd lease file "binding state", WWWXXXDOCO, how to setup procmail to process html2text, how to setup procmail html2text, WWWXXXAPC., XXXCNZZZ



#1: xorg with GSSAPI

Posted on 2010-03-16 23:25:48 by Yuri Csapo

Hash: SHA1

OK, let's see if the list still lives up to my memories of it:

How can I use Kerberos to authenticate X Window sessions?

I mean, I know I can move the xauth cookie around like this:

ycsapo@sampa # ssh -Y light
ycsapo@light # xauth list
light.Mines.EDU/unix:10 MIT-MAGIC-COOKIE-1 (lots of hex gibberish)
ycsapo@light # sudo su - oracle
LDAP Password:
oracle@light # xauth add light.Mines.EDU/unix:10 MIT-MAGIC-COOKIE-1 (lots of hex gibberish)
xauth: creating new authority file /u/pa/ci/oracle/.Xauthority

And now I can run the Oracle installer on the headless VM light and have its GUI show under X on my
Mac, through sudo and ssh encryption.

Although this works well, I don't feel comfortable telling users to do this. And frankly the whole
copy-and-paste thing is not very elegant, not to mention it's not too safe.

I have read enough about this to know there should be some way to use Kerberos authentication as
opposed to the infamous MIT MAGIC COOKIE. xOrg is supposed to allow a MIT-KERBEROS-5 mechanism and I
read somewhere they were implementing this through the GSSAPI.

Does anybody know anything about this who could point me to a howto or any form of documentation?
The way I envision this (well, fantasize might be a better word) is, as long as the user as whom I'm
running the application has the correct Kerberos ticket, things should work. something like:

ycsapo@sampa # kinit
Please enter the password for ycsapo@MINES.EDU:
ycsapo@sampa # ssh -Y light
ycsapo@light # sudo su - oracle
LDAP Password:
oracle@light # kinit ycsapo
Password for ycsapo@MINES.EDU:
oracle@light # xclock

And I should be able to run xclock on the remote host light but have it display on my local box,
sampa, as simple as that.



- --
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
Phone: (303) 273-3503
Fax: (303) 273-3475

Please use the following link to open a service request:
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
- --Peter J. Schoenster
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla -

9RDtGevpwoWWypQL7miaEjwg+IUXB+JQXfXzQ3pEClD6u41NemTKCGXt/kTS 8/wg
5cTfrzGQVZDcU23lu0Q8iXD3lAHzlDSYMJY5zLsIE8Udyky9/nw7+BLZt2i0 /dZc
rlrHZM/HOlSgOKPQqhcZfrsDpqXsTyOZn2rC9sWuzTicoUZCHxNw2yYuGn+x qqjy
u2PhZeNAHA9JAGOQ4mErRzDZftFOjshgzojgicAAs6cipwQlqWvuEQANOYwr kYU=
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to
More majordomo info at

Report this message