Over the Christmas holiday I sent a message to this group about the
Xaccess file on Suns and SGIs which allows other hosts to bring up a
login screen. I am bringing it up again because a friend sent me a
security warning this morning regarding this issue:

http://www.procheckup.com/security_info/vuln_pr0208.html

To quote the Sun AnswerBook:

    By default, any host on your network that has access to your login
    server host can request a login screen be displayed. You can limit
    access to the login server by modifying the Xaccess file.

By default on a Sun and an SGI, any machine with Xterminal software can
request a login screen via XDMCP. The Xaccess file needs to be edited
to close this hole. The website referred to above explains how to do
this. On an SGI the file is /var/X11/xdm/Xaccess. My experience is that
anyone anywhere with Xterminal software who knows the IP address of a
machine can bring up a login screen if this file is not properly edited.

You need to do this whether or not you are using tcpwrappers and SSH!

Sara
--
Sara Kunz
Chemistry Dept. MS 015
Brandeis University
PO Box 549110
Waltham, MA 02454-9110
Phone: 781-736-2840 Fax: 781-736-2516
Cell: 617-512-0435
Received on Mon Mar 18 2002 - 16:19:57 MST
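
The check described in the message, as an added example that is not part of the original post: a shell function that reports Xaccess entries whose host pattern is a bare `*`, which is what lets any host request a login screen. The file syntax is assumed from the xdm(1) manual page, and the sample files and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original message. Xaccess syntax assumed from
# xdm(1): '#' comments, '%' macros, '!' exclusions, '*' and '?' wildcards.

# Print "LINE: entry" for each active entry whose host pattern is a bare '*',
# i.e. one that lets any host request a login window or chooser via XDMCP.
xaccess_open_entries() {
    awk '
        { sub(/#.*/, "") }                     # drop comments
        /\\[ \t]*$/ {                          # backslash continuation
            sub(/\\[ \t]*$/, "")
            if (buf == "") start = NR
            buf = buf $0 " "; next
        }
        {
            if (buf == "") start = NR
            $0 = buf $0; buf = ""
            if (NF == 0) next                  # blank or comment-only line
            if ($1 ~ /^[%!]/) next             # macro definition or exclusion
            if ($1 == "*") { $1 = $1; print start ": " $0 }
        }
    ' "$1"
}

# Succeeds (exit 0) only when the file has no bare-wildcard entry.
xaccess_is_restricted() {
    [ -z "$(xaccess_open_entries "$1")" ]
}

# Constructed sample files; all host names are placeholders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Xaccess.default" <<'EOF'
# constructed sample: permissive entries
*                       # any host can get a login window
*   CHOOSER BROADCAST   # any indirect host can get a chooser
EOF
cat > "$demo_dir/Xaccess.restricted" <<'EOF'
# constructed sample: named hosts and one domain pattern only
%XTERMS  xterm1.example.edu \
         xterm2.example.edu
!badhost.example.edu
*.chem.example.edu
xterm1.example.edu
#*
EOF
for f in "$demo_dir"/Xaccess.*; do
    if xaccess_is_restricted "$f"; then echo "$f: restricted"
    else echo "$f: open to any host"; xaccess_open_entries "$f"; fi
done
```

To audit a real host, pass the path of its Xaccess file (for example /var/X11/xdm/Xaccess on an SGI, as given in the message) to `xaccess_open_entries`.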