I am interested in an in-depth answer explaining how exactly X11 authorization works and especially MIT Magic Cookies.

I understand that what it actually does is forbid access to everyone except the user who is logged in; there are also some control mechanisms that decide whether a client application can connect to an X display server or not.

I also found that there are five standard access control mechanisms and that they can be categorized into three main categories:

  1. Access based on host
  2. Access based on cookie
  3. Access based on user

But from this point on I don't really understand how these work and what exactly they use in order to do the authorization.



Well, first of all there is a file ~/.Xauthority on the machine. Notice that (usually on a machine with a GUI) wrong permissions on this file can cause a login screen loop... (took me hours to understand that).

As you mentioned, there are 5 mechanisms:

  1. Host access: the server has a host access list (if a network address exists in this list, the connection is permitted). The list is managed using the xhost command. NOTE: this doesn't allow more than a single connection simultaneously. I don't know more about this method because I haven't really used it, but you can see the GRANTING ACCESS section of man Xserver :)

  2. MIT-magic-cookie-1: generating 128 bits of key ("cookie") and storing it in ~/.Xauthority (or wherever the XAUTHORITY envvar points to). The client sends it to the server plain! The server checks whether it has a copy of this "cookie" and if so, the connection is permitted. The key is generated by DMX.

  3. XDM-authorization-1: Again, there is a key stored in ~/.Xauthority. This key consists of 2 parts: a 56-bit DES encryption key and 64 bits of random data used as the authenticator. When you connect to the server, the client generates 192 bits of data: ctime combined with a 48-bit identifier (for TCP/IP: IP address + port; for local connections it's the PID and a 32-bit unique id). The DES key is used to encrypt the data and then it is sent to the server. The server validates the user by decrypting it, then validating the 64-bit authenticator and the additional data.

  4. sun-des-1: it uses asymmetric encryption; the server has a public key which it uses to decrypt incoming requests. It also uses the "host list". This requires some additional mechanisms in the network; I don't have such a network, so again, I don't understand this mechanism well.

  5. Server interpreted: It can be implemented in so many ways... but in general, the client sends 2 strings to the server. The second string is the user entry (such as a username) and the first string is the entry type (such as localuser).

NOTE: the 2nd, 3rd and 4th mechanisms store the keys inside ~/.Xauthority; therefore anyone who has access to this file can connect to the server pretending to be "you".

The xauth command can parse the Xauthority file and extract the interesting values.

$ xauth 
Using authority file /home/ME/.Xauthority
xauth> list        
ME/unix:10  MIT-MAGIC-COOKIE-1  5e443c146376d0bdadfd712bfe7654be
ME/unix:0  MIT-MAGIC-COOKIE-1  c48ddba801384dce3aaaa9d442931ea12
xauth> info
Authority file:       /home/ME/.Xauthority
File new:             no
File locked:          no
Number of entries:    2
Changes honored:      yes
Changes made:         no
Current input:        (stdin):2
xauth> 
The data is changed....
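To make the MIT-MAGIC-COOKIE-1 part of the answer concrete, here is an added example (mine, not code from the answer author or from the X.Org project). It decodes the binary ~/.Xauthority format that `xauth list` prints, builds the connection setup request in which an X client hands the cookie to the server in the clear, and models the server-side comparison. The record layout and the setup request layout follow the X protocol and Xauth documentation; `server_accepts` is a simplified model of the check and not the real Xorg code, and the entries and cookie values used in the test are constructed for the demo. The `file_is_private` helper is the answer's warning about permissions turned into a check.

```python
"""Added example (not from the answer above): decode ~/.Xauthority, build the
X11 connection setup request that carries the cookie, and model the server's
cookie check.  Field layouts follow the X protocol / Xauth documentation; the
sample entries and cookie values fed to it are constructed for the demo."""
import hmac
import os
import stat
import struct
from dataclasses import dataclass

FAMILY_LOCAL = 256          # "host/unix:N" entries, as printed by xauth list
MIT_COOKIE = b"MIT-MAGIC-COOKIE-1"


@dataclass
class XauthEntry:
    family: int
    address: bytes   # hostname for Local entries, raw IP bytes for Internet
    number: bytes    # display number as ASCII digits, e.g. b"0"
    name: bytes      # authorization protocol name
    data: bytes      # the secret: 16 raw bytes for MIT-MAGIC-COOKIE-1

    def display(self) -> str:
        sep = "/unix:" if self.family == FAMILY_LOCAL else ":"
        return self.address.decode(errors="replace") + sep + self.number.decode()


def _counted(buf: bytes, off: int):
    # every variable field is a big-endian u16 length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_xauthority(buf: bytes) -> list:
    """The file is a plain concatenation of records:
    u16 family, counted address, counted number, counted name, counted data."""
    entries, off = [], 0
    while off < len(buf):
        (family,) = struct.unpack_from(">H", buf, off)
        address, off = _counted(buf, off + 2)
        number, off = _counted(buf, off)
        name, off = _counted(buf, off)
        data, off = _counted(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def encode_entry(e: XauthEntry) -> bytes:
    out = struct.pack(">H", e.family)
    for field in (e.address, e.number, e.name, e.data):
        out += struct.pack(">H", len(field)) + field
    return out


def file_is_private(path: str) -> bool:
    """The answer's warning as a check: the file must not be group/world
    readable, because its contents alone authenticate a client."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_setup_request(name: bytes, data: bytes, little_endian: bool = True) -> bytes:
    """First bytes every X client sends (X protocol 'Connection Setup'):
    byte-order, pad, major=11, minor=0, name len, data len, pad,
    then name and data each padded to a multiple of 4.  Nothing is encrypted."""
    fmt = "<" if little_endian else ">"
    hdr = (b"l" if little_endian else b"B") + b"\0"
    hdr += struct.pack(fmt + "HHHH", 11, 0, len(name), len(data)) + b"\0\0"
    return hdr + _pad4(name) + _pad4(data)


def parse_setup_request(pkt: bytes):
    """Server-side view: recover version, auth name and auth data."""
    fmt = "<" if pkt[0:1] == b"l" else ">"
    major, minor, n, d = struct.unpack_from(fmt + "HHHH", pkt, 2)
    name_off = 12
    data_off = name_off + n + (-n % 4)
    return major, minor, pkt[name_off:name_off + n], pkt[data_off:data_off + d]


def server_accepts(server_entries: list, name: bytes, data: bytes) -> bool:
    """Simplified model of the server's check (an assumption, not Xorg's code):
    the presented bytes must equal a cookie the server loaded from its own
    authority file; the comparison is constant-time."""
    if name != MIT_COOKIE:
        return False
    return any(e.name == MIT_COOKIE and hmac.compare_digest(e.data, data)
               for e in server_entries)


if __name__ == "__main__":
    path = os.environ.get("XAUTHORITY", os.path.expanduser("~/.Xauthority"))
    if os.path.exists(path):
        print("private:", file_is_private(path))
        with open(path, "rb") as f:
            for e in parse_xauthority(f.read()):
                print(e.display(), e.name.decode(), e.data.hex())  # like `xauth list`
    else:
        print("no authority file at", path)
```

Run as a script it lists the entries of your own authority file the way `xauth list` does and reports whether the file mode keeps it private. The point the answer makes is visible in `build_setup_request`: the 16 cookie bytes are copied into the first packet of the connection unchanged, so possession of the bytes (from the file, or from the wire on an unencrypted transport) is all the server verifies.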
  • I am looking for a more in-depth search/answer specifically for MIT Magic Cookie, as I already mentioned; if you could add more info on that your answer would be standing better. Thanks! – Sir. Hedgehog May 23 '16 at 08:27
  • What do you mean by "more info"? I have told you the protocol... if you ask for the implementation then you are wrong, because every server can implement it differently and for that there is no answer... there is no search, you either try to connect by IP or by name (using DNS). What do you mean "search/answer"? – I-V May 23 '16 at 08:40
  • I mean that I am trying to find a good explanation of how it works, not just the theory of what it does.... that one I could also find on Google.... so what I need is a well structured and well explained answer on how the MIT Magic Cookie works... what specifically it does, how else to explain it :) – Sir. Hedgehog May 23 '16 at 08:45
  • What I told you is exactly how it works. There is no "hidden" info. And you just said in a comment that you can't search it on the Internet because your Internet is "white list". So I am really missing something. I even told you how to build the cookie and how the server parses it. More than that is showing you the code, and that you can do alone because it's open source – I-V May 23 '16 at 08:48
  • First of all, I never said I have only one computer.... If I am at work though it's white listed, though this has nothing to do with the current matter; anyway, if you think that there is something more to add in order to make the answer more complete please do so. – Sir. Hedgehog May 23 '16 at 08:54
  • I'm sorry but I can't think of anything more to add. I have implemented a client once and I told you here everything I know and it worked for me. Of course if you have any specific question I would like to help you! I just really don't understand what you think is missing :/ and I didn't mean to offend you :) – I-V May 23 '16 at 08:59
  • I was just expecting a much simpler though detailed explanation, so I can penetrate it on my own later... no worries mate :) – Sir. Hedgehog May 23 '16 at 09:02
  • If you have access to the computer and its files, then as I said you can just take the Xauthority file. You don't even need to implement anything! Just replace the file. Of course you can build the packet and establish a connection then transmit it, but I would say it's overkill. If you do want to implement it, you just need to sniff the request because it's plain text (mit-cookie). In this mechanism there is no encryption involved. If you have an X11 server and you can sniff it, it would be great if you post it so I can help you analyze it. I just don't have a server anymore – I-V May 23 '16 at 09:09
  • Excuse me, when I said penetrate I didn't mean actually penetrate as a "hacker" would say, which I don't claim to be or was (legal disclaimer :p); more like that I have to use it, so I am trying to understand all its ways, so I can know of its capabilities and see how I could maybe use it to my advantage in projects :) – Sir. Hedgehog May 23 '16 at 09:13
  • I assumed you might want to know it for security matters :) it is possible to fake a connection if you sniff and see it. As mentioned above, all the connection is plain text so anything you need to pass the server will pass and you will see it in the sniff (assuming of course you can see it in a sniff). I guess it is possible to use 2 proxies and add a layer of encryption but that's not in the protocol of MIT-COOKIE, and in this case it should be done by using XDM and not 2 proxies. XDM is encrypted so you can't really fake a connection without taking the Xauthority file itself – I-V May 23 '16 at 09:19
  • If this answers your question can you mark the answer? So it will be a closed question – I-V May 23 '16 at 13:18
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/112819/discussion-between-i-v-and-hedgehog). – I-V May 24 '16 at 16:44