A proposal for a new X extension
Garrett Kajmowicz
gkajmowi at tbaytel.net
Sat Jan 22 13:52:27 PST 2005
Foreword:
I am attempting to address a concern which I see in the implementation of X11
which makes it less than ideal for many uses. Please note that I am not an
expert with X11 in any way. I have used the system for several years and
occasionally program Qt applications. However, the closest thing that I have
come to "low-level" X11 programming is writing an xlib application which draws
a grey box with two black lines in it on the screen. Needless to say, I am
partially talking from almost no experience here, and much of what I describe
is based upon assumptions, inferences and plain guesses about the way X11
works. Regardless, you should find this either very interesting in its
brilliance or comical in its ignorance.
Introduction:
One of the key aspects to any computer system is security, especially
authentication. As it stands, implementations of X11 and applications
designed to manage security on top of them are able to effectively ask for
text input from the user when attempting to verify their identity. This is
done easily through the existing input mechanics (keyboard/mouse). However,
this does not address all possible or even desirable security concerns for
systems.
Both users and administrators frequently encounter problems with passwords
which are either too short to be useful or too long to be memorized. This
results in weak security because the password is easy to guess or brute
force, or it is recoverable by looking for sticky notes. Yes, there are
techniques for generating and storing larger passwords but this requires
large-scale compliance and at least a trivial amount of effort. As such,
alternative ways of managing security have emerged.
There exists now on the market a wide variety of methods of authenticating
users. These generally boil down to either some form of token or biometric
device. One of the better views of security was that authentication should
be three-fold: something you know, something you have, and something you
are. The something you know is easy - a password will suffice. Something
you have can be done through the use of a token. And something you are is
likely a biometric scanning device.
The Problem:
X11 currently has no standard mechanism for addressing authentication not
based on existing input methods. Attempting to use PAM only works if the
user is logging into the machine which they are sitting at - it does nothing
to deal with thin clients where a remote display manager is to be used. This
bothers me. There is no way to directly access the hardware on the remote
server, which is both beneficial as well as a hindrance. For X11 to obtain
market superiority and to increase penetration into the corporate desktop,
support for these mechanisms must be added.
Currently, there exists an XSecurity extension which is designed to
authenticate X clients to X servers, but fails to address user authentication
to a central display manager.
Proposal:
A new X extension which will provide for the use of remote authentication
mechanisms. This extension would enable a remote client to query the server
for authentication information. This would be accomplished by sending a
single message specifying the request ID (to support multiple simultaneous
requests, if not provided by the core X11 protocol) and a 32-bit integer
providing for the mechanism to be used, along with data which may be used by
the authentication mechanism (ie a challenge token). This may be accompanied
by a visual dialog (generated by the client) specifying that authorization is
needed, if the authorization mechanism needs user input (ie biometric
scanner). The server will collect the data and then send it back, referring
to the request previously made. The client can then decide what to do with
the collected information. Naturally, error messages for unsupported device
and the like will also need to be provided.
In order to ensure system security, a number of safety precautions must be
taken:
- The server configuration should specify which authentication mechanisms will
be responded to. That is, the server need not enable all authentication
mechanisms which are supported.
- The server should optionally (and by default) only accept security requests
from the root window. This assumes a trusted window manager. This will
prevent a malicious client from attempting to obtain sufficient information
from the authentication mechanism through repeated queries to determine the
authentication secret (if applicable).
- A rate-limiting mechanism should also be added and default enabled in the
server to prevent a malicious client from attempting to obtain sufficient
information from the authentication mechanism to determine the authentication
secret (if applicable).
Work involved:
- Develop extension spec. documentation
- Gather public input. Wash, rinse, repeat
- Implement server-side extension as a reference implementation with null
targets, etc.
- Implement test client.
- Perform extensive testing
- Profit!!!^H^H^H^H^H^H^H^H^H^H^H
Difficulties:
- The author has insufficient knowledge of the X11 system to be able to
implement this as it stands.
- Obtaining commercial acceptance of the system to result in hardware
authentication systems supporting the extension
- Obtaining display manager support for the extension to use the mechanism to
authenticate users
- Obtaining PAM support (if possible) to support the mechanism on the display
manager side.
Conclusion:
These facilities must be provided in order to gain further acceptance of the
X11 system for the desktop in modern computing environments. The author is
willing to invest time (currently limited, but increasing over the next few
months) to learn and implement this extension providing that some basic
guidance and mentoring is available from People Who Know (tm).
Thoughts?
- Garrett Kajmowicz
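
Added example, not part of the original post and not X.Org code: the three server-side precautions listed under "Proposal" (configured mechanism list, root-window-only requests, rate limiting) combined into one admission check in C. The struct fields, status codes, mechanism numbers, window IDs and the fixed-period counter are all assumptions made for illustration; the post defines no wire format.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical request fields: the post names only a request ID, a 32-bit
 * mechanism number and mechanism data such as a challenge token. */
typedef struct {
    uint32_t request_id;  /* echoed in the reply to match it to the request */
    uint32_t mechanism;   /* authentication mechanism being asked for */
    uint32_t window;      /* window the request came from (assumed field) */
} AuthRequest;

enum { AUTH_OK, AUTH_BAD_MECHANISM, AUTH_BAD_WINDOW, AUTH_RATE_LIMITED };

typedef struct {
    const uint32_t *enabled;  /* mechanisms enabled in the server config */
    size_t n_enabled;
    uint32_t root_window;
    int root_only;            /* on by default, as the post proposes */
    uint32_t max_per_period;  /* device queries allowed per period */
    uint64_t period_secs;
    uint64_t period_start;    /* rate-limit state */
    uint32_t count;
} AuthPolicy;

/* Decide whether a request may reach the authentication device at all. */
int auth_check(AuthPolicy *p, const AuthRequest *r, uint64_t now)
{
    int found = 0;
    for (size_t i = 0; i < p->n_enabled; i++)
        if (p->enabled[i] == r->mechanism) found = 1;
    if (!found) return AUTH_BAD_MECHANISM;       /* "unsupported device" error */
    if (p->root_only && r->window != p->root_window) return AUTH_BAD_WINDOW;
    if (now - p->period_start >= p->period_secs) {  /* new period: reset */
        p->period_start = now;
        p->count = 0;
    }
    if (p->count >= p->max_per_period) return AUTH_RATE_LIMITED;
    p->count++;                                  /* only admitted queries count */
    return AUTH_OK;
}

/* Constructed sample config: mechanisms 1 and 2 enabled, root window 0x50,
 * at most 2 device queries per 60 seconds. */
static const uint32_t demo_enabled[] = { 1, 2 };
static AuthPolicy demo_policy = { demo_enabled, 2, 0x50, 1, 2, 60, 0, 0 };

int demo_request(uint32_t mechanism, uint32_t window, uint64_t now)
{
    AuthRequest r = { 0, mechanism, window };
    return auth_check(&demo_policy, &r, now);
}
```

Requests rejected for mechanism or origin never touch the device, so they do not consume the rate budget; only queries that would actually be answered are counted.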