#1: xorg with GSSAPI

Posted on 2010-03-16 23:25:48 by Yuri Csapo

OK, let's see if the list still lives up to my memories of it:

How can I use Kerberos to authenticate X Window sessions?

I mean, I know I can move the xauth cookie around like this:

ycsapo@sampa # ssh -Y light
ycsapo@light # xauth list
light.Mines.EDU/unix:10 MIT-MAGIC-COOKIE-1 (lots of hex gibberish)
ycsapo@light # sudo su - oracle
LDAP Password:
oracle@light # xauth add light.Mines.EDU/unix:10 MIT-MAGIC-COOKIE-1 (lots of hex gibberish)
xauth: creating new authority file /u/pa/ci/oracle/.Xauthority

And now I can run the Oracle installer on the headless VM light and have its GUI show under X on my
Mac, through sudo and ssh encryption.

Although this works well, I don't feel comfortable telling users to do this. And frankly the whole
copy-and-paste thing is not very elegant, not to mention it's not too safe.

I have read enough about this to know there should be some way to use Kerberos authentication as
opposed to the infamous MIT MAGIC COOKIE. xOrg is supposed to allow an MIT-KERBEROS-5 mechanism and I
read somewhere they were implementing this through the GSSAPI.

Does anybody know anything about this who could point me to a howto or any form of documentation?
The way I envision this (well, fantasize might be a better word) is, as long as the user as whom I'm
running the application has the correct Kerberos ticket, things should work. Something like:

ycsapo@sampa # kinit
Please enter the password for ycsapo@MINES.EDU:
ycsapo@sampa # ssh -Y light
ycsapo@light # sudo su - oracle
LDAP Password:
oracle@light # kinit ycsapo
Password for ycsapo@MINES.EDU:
oracle@light # xclock

And I should be able to run xclock on the remote host light but have it display on my local box,
sampa, as simple as that.

TIA

Yuri

--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

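The cookie handoff described in the post, as an added example that is not part of the original message: a POSIX shell function that passes only the current display's entry to the target account through a pipe, so the cookie is never pasted into a terminal or placed on a command line. The name `share_x_cookie` and a sudo policy that permits running `xauth` as the target account are assumptions; the mechanism is still MIT-MAGIC-COOKIE-1, not Kerberos.

```shell
#!/bin/sh
# Added example (not from the original post). share_x_cookie is a hypothetical
# helper name; a sudo policy that lets the caller run xauth as the target
# account is assumed.
share_x_cookie() {
    target_user=$1
    if [ -z "$target_user" ] || [ -z "${DISPLAY:-}" ]; then
        echo "usage: share_x_cookie <user>   (DISPLAY must be set)" >&2
        return 2
    fi

    # Numeric-format entry for this display only, not the whole authority file.
    entry=$(xauth nlist "$DISPLAY") || return 1
    if [ -z "$entry" ]; then
        echo "share_x_cookie: no xauth entry for $DISPLAY" >&2
        return 1
    fi

    # The cookie travels on stdin. The arguments of
    # "xauth add <display> <proto> <hex>" can be visible to other local users
    # in the process list while the command runs.
    # XAUTHORITY is cleared so the entry lands in the target's own ~/.Xauthority
    # (sudo -H sets HOME to the target account's home directory).
    printf '%s\n' "$entry" |
        sudo -u "$target_user" -H sh -c 'unset XAUTHORITY; xauth nmerge -'
    status=$?
    unset entry
    return "$status"
}

# Usage on the remote host, after "ssh -Y light":
#   share_x_cookie oracle
# then start the X client as oracle, as in the post.
```
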