OpenWindows Advanced User's Guide

D.2.3 Authorization Protocols

Two authorization protocols are supported in this version of the OpenWindows software: MIT-MAGIC-COOKIE-1 and SUN-DES-1. They differ in the authorization data used; they are similar in the access control mechanism used. At any time, the server implements only one protocol. The MIT-MAGIC-COOKIE-1 protocol using the user-based mechanism is the default in the OpenWindows software.

D.2.3.1 MIT-MAGIC-COOKIE-1

The MIT-MAGIC-COOKIE-1 authorization protocol was developed by the Massachusetts Institute of Technology. At server start-up, a magic cookie is created for the server and the user who started the system. On every connection attempt, the user's client sends the magic cookie to the server as part of the connection packet. This magic cookie is compared with the server's magic cookie. The connection is allowed if the magic cookies match, or denied if they do not match.
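The check described above, as an added example that is not part of the guide or of the OpenWindows server code: the client places the authorization protocol name and the cookie in the X11 connection setup request, and the server accepts the connection only if the name matches the single protocol it implements and the cookie matches its own. The server cookie, the client packets and the `authorize` function are constructed for this illustration; the packet layout (byte-order byte, version, name and data lengths, 4-byte padding) follows the X11 connection setup request.

```python
import hmac
import secrets
import struct

# Server-side state (constructed for this example): the server implements
# exactly one protocol at a time and, for MIT-MAGIC-COOKIE-1, holds the
# 128-bit cookie created at start-up.
SERVER_PROTOCOL = b"MIT-MAGIC-COOKIE-1"
SERVER_COOKIE = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed sample


def pad4(n):
    """Bytes needed to round n up to a multiple of 4 (X11 padding rule)."""
    return (4 - (n % 4)) % 4


def build_setup_request(auth_name, auth_data, byte_order=b"l"):
    """Build an X11 connection setup request (client -> server).

    Layout: byte-order byte ('l' = LSB first, 'B' = MSB first), one pad
    byte, protocol major/minor version, name length, data length, two
    unused bytes, then the name and data, each padded to a 4-byte boundary.
    """
    fmt = ("<" if byte_order == b"l" else ">") + "HHHHxx"
    header = byte_order + b"\x00" + struct.pack(fmt, 11, 0, len(auth_name), len(auth_data))
    return (header + auth_name + b"\x00" * pad4(len(auth_name))
            + auth_data + b"\x00" * pad4(len(auth_data)))


def parse_setup_request(packet):
    """Extract (byte_order, version, auth_name, auth_data) from a setup request."""
    if len(packet) < 12:
        raise ValueError("short setup request")
    order = packet[0:1]
    if order not in (b"B", b"l"):
        raise ValueError("bad byte-order byte")
    endian = "<" if order == b"l" else ">"
    major, minor, n, d = struct.unpack(endian + "HHHHxx", packet[2:12])
    name_start = 12
    data_start = name_start + n + pad4(n)
    end = data_start + d + pad4(d)
    if len(packet) < end:
        raise ValueError("truncated authorization fields")
    return order, (major, minor), packet[name_start:name_start + n], packet[data_start:data_start + d]


def authorize(packet, server_protocol=SERVER_PROTOCOL, server_cookie=SERVER_COOKIE):
    """Server-side decision for one connection attempt: returns (allowed, reason).

    Hypothetical function for this example; it models the comparison the
    guide describes, not the real server's implementation.
    """
    try:
        _, _, name, data = parse_setup_request(packet)
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    # The server implements only one protocol at a time; any other name is refused.
    if name != server_protocol:
        return False, "authorization protocol not implemented by this server"
    if server_protocol == b"MIT-MAGIC-COOKIE-1":
        # Constant-time comparison so response timing does not reveal how
        # much of a wrong cookie matched.
        if hmac.compare_digest(data, server_cookie):
            return True, "cookie matches"
        return False, "cookie mismatch"
    return False, "unsupported protocol configured"


if __name__ == "__main__":
    good = build_setup_request(b"MIT-MAGIC-COOKIE-1", SERVER_COOKIE)
    wrong = build_setup_request(b"MIT-MAGIC-COOKIE-1", secrets.token_bytes(16))
    other = build_setup_request(b"SUN-DES-1", b"unix.client@example.com")
    for pkt in (good, wrong, other):
        print(authorize(pkt))
```

The comparison is the whole of the user-based check: whoever holds the cookie bytes is accepted, which is why the guide later notes that another user who obtains the cookie can reach the server, and why the cookie file must stay readable only by its owner.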

D.2.3.2 SUN-DES-1

The SUN-DES-1 authorization protocol, developed by Sun Microsystems, is based on Secure RPC (Remote Procedure Call) and requires DES (Data Encryption Software) support. The authorization information is the machine-independent netname, or network name, of a user. This information is encrypted and sent to the server as part of the connection packet. The server decrypts the information, and if the netname is known, allows the connection.

This protocol provides a higher level of security than the MIT-MAGIC-COOKIE-1 protocol. There is no way for another user to use your machine-independent netname to access a server, but it is possible for another user to use the magic cookie to access a server.

This protocol is available only in libraries in the OpenWindows Version 3 and later environments. Any applications built with static libraries, in particular Xlib, in environments prior to OpenWindows Version 3 cannot use this authorization protocol.

"D.2.4.3 Allowing Access When Using SUN-DES-1", in this chapter, describes how to allow another user access to your server by adding their netname to your server's access list.

D.2.3.3 Changing the Default Authorization Protocol

The default authorization protocol, MIT-MAGIC-COOKIE-1, can be changed to SUN-DES-1, the other supported authorization protocol, or to no user-based access mechanism at all. You change the default by supplying options with the openwin command. For example, to change the default from MIT-MAGIC-COOKIE-1 to SUN-DES-1, start the OpenWindows software as follows:

example% openwin -auth sun-des

If you must run the OpenWindows software without the user-based access mechanism, use the -noauth command line option:

example% openwin -noauth

Caution -

Using -noauth weakens security. It is equivalent to running the OpenWindows software with the host-based access control mechanism only; the server inactivates the user-based access control mechanism. Anyone who can run applications on your local machine will be allowed access to your server.