Unless the -noauth option is used with openwin (see Changing the Default Authorization Protocol), both the user-based access control mechanism and the host-based access control mechanism are active. The server first checks the user-based mechanism, then the host-based mechanism. The default security configuration uses MIT-MAGIC-COOKIE-1 as the user-based mechanism, and an empty list for the host-based mechanism. Since the host-based list is empty, only the user-based mechanism is effectively active. Using the -noauth option instructs the server to inactivate the user-based access control mechanism and initializes the host-based list by adding the local host.
You can use either of two programs to change a server's access control mechanism: xhost and xauth. For more information, see the man pages under xhost and xauth. These programs access two binary files created by the authorization protocol. These files contain session-specific authorization data. One file is for server internal use only. The other file is located in the user's $HOME directory:
Use the xhost program to change the host-based access list in the server. You can add hosts to, or delete hosts from the access list. If you start with the default configuration–an empty host-based access list–and use xhost to add a machine name, you lower the level of security. The server allows access to the host you added, as well as to any user specifying the default authorization protocol. See Host-Based for an explanation of why the host-based access control mechanism is considered a lower level of security.
The xauth program accesses the authorization protocol data in the .Xauthority client file. You can extract this data from your .Xauthority file so that other users can merge the data into their .Xauthority file, thus allowing them access to your server, or to the server to which you connect.
See Allowing Access When Using MIT-MAGIC-COOKIE-1 for examples of how to use xhost and xauth.
The client authority file is .Xauthority. It contains entries of the form:
By default, .Xauthority contains MIT-MAGIC-COOKIE-1 as the auth-protocol, and entries for the local display only as the connection-protocol and auth-data. For example, on host anyhost, the .Xauthority file may contain the following entries:
When the client starts up, an entry corresponding to the connection-protocol is read from .Xauthority, and the auth-protocol and auth-data are sent to the server as part of the connection packet. In the default configuration, xhost returns an empty host-based access list and states that the authorization is enabled.
If you have changed the authorization protocol from the default to SUN-DES-1, the entries in .Xauthority contain SUN-DES-1 as the auth-protocol and the netname of the user as the auth-data. The netname is in the following form:
For example, on host, anyhost the .Xauthority file may contain the following entries:
where unix.15339@EBB.Eng.Sun.COM is the machine-independent netname of the user.
myhost%$OPENWINHOME/bin/xauth nextract - anyhost:0 > $HOME/xauth.info
Note - Mailing the file containing your authorization information is a safer method than using rcp. If you do use rcp, do not place the file in a directory that is easily accessible by another user.
userhost%$OPENWINHOME/bin/xauth nmerge - <xauth.info
userhost% echo 'addmyhost:0SUN-DES-1 “unix.15339@EBB.Eng.Sun.COM”' | $OPENWINHOME/bin/xauth