> Xhost actually has one advantage, of a sort, over xauth: users of xhost
> can grant access, and later take that access away. Xauth doesn't permit
> this: there's no way to revoke a key to your display. You've got to
> restart the X server. Once you've given a key to someone, you can't
> take it away. What's needed is a way to dynamically create new,
> different keys for your display, and to be able to tell the X server to
> individually enable and disable them.

I had an idea a while back but no time to implement it. Perhaps some of you would like to rip it to shreds in front of me and tell me why it stinks of dead fish.

I'd like to add a new authentication mechanism to X which uses Ident (TAP, RFC-931, etc.) to check that a user is permitted. E.g. a server is given a list of allowed user/machine pairs by a program like xhost (e.g. xhost +fred@jim.jam.org). When a connection is made from that host the X server checks the Ident ID of the TCP connection (only works over TCP, though you can probably add something similar for other transport layers), and if it matches one in the list allowed from that host the connection is allowed.

"Ident is not supposed to be used for authentication," I hear people shout. However, X connections should really only be made from machines you trust, as otherwise anyone with root access can steal the cookie or pretend to be that user anyway. I.e. using Ident for this is no worse than admitting that you must trust the remote host is ok anyway. As far as I can see in my simple-minded way, I can't see any attacks on this which wouldn't also be possible using any other X authentication technique.

The downside is that you can't easily retro-fit this into old X servers such as dedicated X terminals, and it requires that any host which a user wants to connect to such a server from needs to run an Ident server. It might be possible to run a proxy-authenticator on a known trusted machine for all old X terminals (adds delay and pain, I know). Forcing people to run an Ident server might cause problems for some types of system.

Ok, what have I missed? Why wouldn't it work, and what is the huge security hole I didn't see? Anyone got any (constructive) comments?

--
Jon
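An added sketch of the check the post proposes (this is not code from the post or from any X server): the server takes the TCP connection's port pair, asks identd on the X client's host who owns the remote end (the RFC 1413 query/reply format), and admits the connection only if user@host is on the list built by "xhost +user@host". The hostnames, ports and identd replies are constructed for the example; a missing identd fails closed.

```python
"""Constructed sketch of the Ident-based X access check proposed in the
post. Trust in the answer is exactly the trust placed in the client host,
as the post itself notes."""
import socket
from typing import Callable, Optional

IDENT_PORT = 113  # RFC 1413 identd port

def parse_xhost_entry(arg: str) -> tuple[str, str]:
    # "+fred@jim.jam.org" -> ("fred", "jim.jam.org")
    user, _, host = arg.lstrip("+").partition("@")
    return user, host

def ident_query(remote_port: int, local_port: int) -> bytes:
    # RFC 1413 query is "<port-on-server>, <port-on-client>"; the ident
    # *server* is the X client's host, so its (remote) port comes first.
    return f"{remote_port}, {local_port}\r\n".encode("ascii")

def parse_ident_reply(reply: bytes, remote_port: int, local_port: int) -> Optional[str]:
    # Returns the user-id from a USERID reply that echoes our port pair;
    # None for ERROR replies, malformed lines, or a mismatched port pair.
    fields = [f.strip() for f in reply.decode("ascii", "replace").rstrip("\r\n").split(":", 3)]
    ports = [p.strip() for p in fields[0].split(",")]
    if ports != [str(remote_port), str(local_port)]:
        return None
    if len(fields) != 4 or fields[1].upper() != "USERID" or not fields[3]:
        return None
    return fields[3]

def query_identd(host: str, query: bytes, timeout: float = 5.0) -> bytes:
    # Real transport: one round trip to identd on TCP 113 (not run offline here).
    with socket.create_connection((host, IDENT_PORT), timeout=timeout) as sock:
        sock.sendall(query)
        return sock.recv(1024)

def connection_allowed(host: str, local_port: int, remote_port: int,
                       allowlist: set, ask: Callable = query_identd) -> bool:
    try:
        reply = ask(host, ident_query(remote_port, local_port))
    except OSError:
        return False  # no identd reachable on the client host: fail closed
    user = parse_ident_reply(reply, remote_port, local_port)
    return user is not None and (user, host) in allowlist

def fake_identd(host: str, query: bytes) -> bytes:
    # Constructed stand-in for identd on jim.jam.org; any other host errors.
    if host == "jim.jam.org":
        return query.rstrip(b"\r\n") + b" : USERID : UNIX : fred\r\n"
    return b"0, 0 : ERROR : NO-USER\r\n"

ALLOW = {parse_xhost_entry("+fred@jim.jam.org")}  # what "xhost +fred@jim.jam.org" would add
```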