Solaris X Window System Developer's Guide

Authorization Protocols

The OpenWindows environment supports two different authorization protocols: MIT-MAGIC-COOKIE-1 and SUN-DES-1. While they differ in the authorization data used, they are similar in the access control mechanism used.

The MIT-MAGIC-COOKIE-1 protocol, using the user-based mechanism, is the OpenWindows environment default.


The MIT-MAGIC-COOKIE-1 authorization protocol was developed by the Massachusetts Institute of Technology (MIT). A magic cookie is a long, randomly generated binary password. At server startup, the magic cookie is created for the server and the user who started the system. On every connection attempt, the user's client sends the magic cookie to the server as part of the connection packet. This magic cookie is compared with the server's magic cookie. The connection is allowed if the magic cookies match, or denied if they do not match.
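The exchange described above, as an added Python example (not code from the Solaris guide or the X server): the client places the cookie in the X11 connection setup packet, and the server extracts and compares it. The function names and the 16-byte sample cookie are constructed for illustration, and the constant-time comparison is this example's choice, not a documented property of the Solaris server.

```python
import hmac
import secrets
import struct

AUTH_NAME = b"MIT-MAGIC-COOKIE-1"

def pad4(data: bytes) -> bytes:
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return data + b"\x00" * (-len(data) % 4)

def build_setup_request(cookie: bytes) -> bytes:
    """Client side: connection setup packet carrying the cookie."""
    # Byte order 'B' (big-endian), pad, protocol 11.0,
    # auth-name length, auth-data length, 2 pad bytes.
    header = struct.pack(">cxHHHHxx", b"B", 11, 0, len(AUTH_NAME), len(cookie))
    # The cookie is appended unencrypted: whoever holds these bytes
    # holds everything needed to pass the server's check.
    return header + pad4(AUTH_NAME) + pad4(cookie)

def parse_setup_request(packet: bytes):
    """Server side: return (authorization protocol name, authorization data)."""
    if len(packet) < 12:
        raise ValueError("truncated setup request")
    order = {b"B": ">", b"l": "<"}.get(packet[:1])
    if order is None:
        raise ValueError("bad byte-order byte")
    major, _minor, n, d = struct.unpack(order + "HHHH", packet[2:10])
    data_off = 12 + n + (-n % 4)  # auth data starts after the padded name
    if major != 11 or len(packet) < data_off + d:
        raise ValueError("malformed setup request")
    return packet[12:12 + n], packet[data_off:data_off + d]

def server_allows(packet: bytes, server_cookie: bytes) -> bool:
    """Allow the connection only if the presented cookie matches."""
    try:
        name, data = parse_setup_request(packet)
    except ValueError:
        return False
    # compare_digest avoids leaking the match position through timing.
    return name == AUTH_NAME and hmac.compare_digest(data, server_cookie)

if __name__ == "__main__":
    server_cookie = secrets.token_bytes(16)  # constructed sample cookie
    print(server_allows(build_setup_request(server_cookie), server_cookie))
    print(server_allows(build_setup_request(secrets.token_bytes(16)), server_cookie))
```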


The SUN-DES-1 authorization protocol was developed by Sun Microsystems. It is based on Secure Remote Procedure Call (RPC) and requires Data Encryption Software (DES) support. The authorization data is the machine-independent netname, or network name, of a user. This data is encrypted and sent to the server as part of the connection packet. The server decrypts the data, and, if the netname is known, allows the connection.

The SUN-DES-1 authorization protocol provides a higher level of security than the MIT-MAGIC-COOKIE-1 protocol. There is no way for another user to use your machine-independent netname to access a server, but it is possible for another user to use the magic cookie to access a server.

The SUN-DES-1 protocol is available only in libraries in the OpenWindows Version 3 and later environments. Any applications built with static libraries, in particular Xlib, in environments prior to OpenWindows Version 3 cannot use this authorization protocol.

The section "Allowing Access When Using SUN-DES-1" describes how to allow another user access to your server by adding their netname to your server's access list.

Changing the Default Authorization Protocol

The default authorization protocol, MIT-MAGIC-COOKIE-1, can be changed to another supported authorization protocol or to no user-based access mechanism at all. The default is changed by supplying options with the openwin command. See the openwin(1) man page for more information.

For example, to change the default from MIT-MAGIC-COOKIE-1 to SUN-DES-1, start the OpenWindows environment as follows:


openwin -auth sun-des

If you must run OpenWindows without the user-based access mechanism, use the -noauth command line option.


openwin -noauth


Caution - Using -noauth weakens security. It is equivalent to running OpenWindows with only the host-based access control mechanism; the server inactivates the user-based access control mechanism. Anyone who can run applications on your local machine will be allowed access to your server.