5.4. 对 X 窗口系统的安全访问
今天, 越来越多的使用一台服务器带多台工作站的公司会使用 X 终端. 这可能是很危险的, 因为您需要允许文件服务器连接到客户端(从 X 的观点来看就是 X 服务器. X 的关键词是客户和服务器). 如果听从大多数(糟糕的)文档的建议, 在您的机器上键入 xhost +
. 这将允许任何 X 客户端连接您的机器. 基于安全的考虑, 您则应当使用 xhost +hostname
命令, 仅允许指定的主机连接.
A much more secure solution, though, is to use ssh to tunnel X and encrypt the whole session. This is done automatically when you ssh to another machine. For this to work, you have to configure both the ssh client and the ssh server. On the ssh client, ForwardX11
should be set to yes
in /etc/ssh/ssh_config
. On the ssh server, X11Forwarding
should be set to yes
in /etc/ssh/sshd_config
and the package xbase-clients should be installed because the ssh server uses /usr/X11R6/bin/xauth
(/usr/bin/xauth
on Debian unstable) when setting up the pseudo X display. In times of SSH, you should drop the xhost based access control completely.
For best security, if you do not need X access from other machines, switch off the binding on TCP port 6000 simply by typing:
- $ startx -- -nolisten tcp
This is the default behavior in Xfree 4.1.0 (the Xserver provided in Debian 3.0 and 3.1). If you are running Xfree 3.3.6 (i.e. you have Debian 2.2 installed) you can edit /etc/X11/xinit/xserverrc
to have it something along the lines of:
- #!/bin/sh
- exec /usr/bin/X11/X -dpi 100 -nolisten tcp
If you are using XDM set /etc/X11/xdm/Xservers
to: :0 local /usr/bin/X11/X vt7 -dpi 100 -nolisten tcp
. If you are using Gdm make sure that the DisallowTCP=true
option is set in the /etc/gdm/gdm.conf
(which is the default in Debian). This will basically append -nolisten tcp
to every X command line [36].
您还可以为xscreensaver
锁设置默认系统超时. 既使用户能忽略它, 您应该编辑 /etc/X11/app-defaults/XScreenSaver
配置文件, 修改锁定行:
- *lock: False
(在Debian中是默认设置) 为:
- *lock: True
FIXME: Add information on how to disable the screensavers which show the user desktop (which might have sensitive information).
Read more on X Window security in http://www.tldp.org/HOWTO/XWindow-User-HOWTO.html (/usr/share/doc/HOWTO/en-txt/XWindow-User-HOWTO.txt.gz
).
FIXME: 增加debian-security 线程关于修改 XFree 3.3.6 的配置文件信息.
5.4.1. 检查您的显示管理器
如果您只想安装一个用于本地应用的显示管理器(拥有友好的图形登录界面), 应确保 XDMCP (X管理控制协议)被禁用. 在XDM中您可以在 /etc/X11/xdm/xdm-config
中加入如下行:
- DisplayManager.requestPort: 0
For GDM there should be in your gdm.conf:
- [xdmcp]
- Enable=false
通常, 在 Debian 中所有显示管理器缺省被配置成不启用始XDMCP.
[36] Gdm will not append -nolisten tcp
if it finds a -query
or -indirect
on the command line since the query wouldn’t work.