From: Yuri Csapo <ycsapo@exchange.mines.edu>
To: linux-admin <linux-admin@vger.kernel.org>
Subject: xorg with GSSAPI
Date: Tue, 16 Mar 2010 16:25:48 -0600 [thread overview]
Message-ID: <4BA0056C.7000908@exchange.mines.edu> (raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OK, let's see if the list still lives up to my memories of it:
How can I use Kerberos to authenticate X Window sessions?
I mean, I know I can move the xauth cookie around like this:
ycsapo@sampa # ssh -Y light
ycsapo@light # xauth list
light.Mines.EDU/unix:10 MIT-MAGIC-COOKIE-1 (lots of hex gibberish)
ycsapo@light # sudo su - oracle
LDAP Password:
oracle@light # xauth add light.Mines.EDU/unix:10 MIT-MAGIC-COOKIE-1 (lots of hex gibberish)
xauth: creating new authority file /u/pa/ci/oracle/.Xauthority
And now I can run the Oracle installer on the headless VM light and have its GUI show under X on my
Mac, through sudo and ssh encryption.
Although this works well, I don't feel comfortable telling users to do this. And frankly the whole
copy-and-paste thing is not very elegant, not to mention it's not too safe.
I have read enough about this to know there should be some way to use Kerberos authentication as
opposed to the infamous MIT MAGIC COOKIE. xOrg is supposed to allow a MIT-KERBEROS-5 mechanism and I
read somewhere they were implementing this through the GSSAPI.
Does anybody know anything about this who could point me to a howto or any form of documentation?
The way I envision this (well, fantasize might be a better word) is, as long as the user as whom I'm
running the application has the correct Kerberos ticket, things should work. something like:
ycsapo@sampa # kinit
Please enter the password for ycsapo@MINES.EDU:
ycsapo@sampa # ssh -Y light
ycsapo@light # sudo su - oracle
LDAP Password:
oracle@light # kinit ycsapo
Password for ycsapo@MINES.EDU:
oracle@light # xclock
And I should be able to run xclock on the remote host light but have it display on my local box,
sampa, as simple as that.
TIA
Yuri
- --
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu
Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
- --Peter J. Schoenster
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJLoAVsAAoJEKIAUGoymiHAal8H/3o3SK3ngQjOAnU+/GnwOA5K
XbrwCp6Wa+OeuacjU5/zxR7pPBmmHnfVMv6EPP6RrKPW9RBxLTGLh1IR+EOLMCTE
9RDtGevpwoWWypQL7miaEjwg+IUXB+JQXfXzQ3pEClD6u41NemTKCGXt/kTS8/wg
5cTfrzGQVZDcU23lu0Q8iXD3lAHzlDSYMJY5zLsIE8Udyky9/nw7+BLZt2i0/dZc
rlrHZM/HOlSgOKPQqhcZfrsDpqXsTyOZn2rC9sWuzTicoUZCHxNw2yYuGn+xqqjy
u2PhZeNAHA9JAGOQ4mErRzDZftFOjshgzojgicAAs6cipwQlqWvuEQANOYwrkYU=
=SVAz
-----END PGP SIGNATURE-----
reply other threads:[~2010-03-16 22:25 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BA0056C.7000908@exchange.mines.edu \
--to=ycsapo@exchange.mines.edu \
--cc=linux-admin@vger.kernel.org \
--cc=ycsapo@mines.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).