Setting up remote X clients to use the Magic Cookie
The X Window System allows you to display output from multiple computer systems to one X terminal. In previous releases of X, the security scheme used to control who could display output to a terminal was “host-based”, and used a program called “xhost”. Xhost gave permission to remote hosts to display output on a particular X terminal. The obvious security hole in this scheme was that *anyone* on that remote host could display to your X terminal.
In X11R4 this problem has been addressed with the implementation of “user-based” security. The mechanism is called the “MIT Magic Cookie”; it uses a secret password (“cookie”) known only to your X display device (more accurately, your X server) and the X applications (X clients) which you specifically authorize during a login session. If an application cannot provide the correct cookie, it will not be allowed access to your X display.
A new, randomly-generated Magic Cookie is created each time you log in to an X terminal which uses XDM (all X terminals in the IT terminal clusters use XDM). It is stored in a binary format, in a file called .Xauthority. The X server will then ask each new X client to provide the proper Magic Cookie before granting it access to the display.
Because of the superior security offered by the Magic Cookie scheme, you should use the “xauth” program rather than the older “xhost” program. Whenever you want to use an X application on a remote computer system, your home directory on that remote host must contain the same Magic Cookie as your X server. The “xauth” program will copy the new cookie from the server and install it in your home directory on the remote host.
If an application does not have permission to display output on a particular X display, an error message similar to the following will be issued:
Xlib: connection to "pub3-xt3:0.0" refused by server
Xlib: Client is not authorized to connect to Server
xterm: Can't open display too 'pub3-xt3:0.0'
How to use xauth:
Before the MIT Magic Cookie was implemented, a command to open an xterm window to the machine named ACS might have looked like this:
xhost acs; rsh acs xterm -display $DISPLAY
The equivalent command, using xauth, looks like this (should all appear on one line):
xauth extract - $DISPLAY | rsh acs xauth merge - ;
rsh acs xterm -display $DISPLAY
To avoid having to type such a long command, people often use xauth and the xterm program in the .mwmrc file to create a “host menu”. Commands in the .mwmrc file that were similar to this:
"acs" f.exec "rsh acs xterm -T acs -n acs -display $DISPLAY &"
should now be changed to the following (should all appear on one line):
"acs" f.exec "xauth extract - $DISPLAY | rsh acs xauth merge -;
rsh acs xterm -T acs -n acs -display $DISPLAY
'< /dev/null > & /dev/null &'"
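What the pipeline above actually moves is one binary .Xauthority record, and what "xauth merge" does with it on the remote host is replace any stale record for the same display. The following added example (not part of the original page or of the xauth program) decodes and encodes that record format and simulates the extract/merge step for the display pub3-xt3:0; the cookie values are constructed samples, not real secrets.

```python
import struct

# Family code from <X11/Xauth.h>: FamilyLocal is used for "host/unix:N" displays.
FAMILY_LOCAL = 256
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"

# Constructed sample cookies (not real secrets): the stale one already in the
# remote ~/.Xauthority and the new one the X server issued at this login.
OLD_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
NEW_COOKIE = bytes.fromhex("ffeeddccbbaa99887766554433221100")

def _field(buf, pos):
    """Read one field: 2-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated .Xauthority entry")
    return buf[pos:pos + n], pos + n

def parse_xauthority(buf):
    """Decode .Xauthority bytes into (family, address, number, name, data) tuples."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        address, pos = _field(buf, pos + 2)
        number, pos = _field(buf, pos)
        name, pos = _field(buf, pos)
        data, pos = _field(buf, pos)
        entries.append((family, address, number, name, data))
    return entries

def encode_entry(family, address, number, name, data):
    """Inverse of parse_xauthority for one entry (the bytes `xauth extract -` writes)."""
    out = struct.pack(">H", family)
    for f in (address, number, name, data):
        out += struct.pack(">H", len(f)) + f
    return out

def merge(existing, incoming):
    """Like `xauth merge`: an incoming entry for the same display replaces the old one."""
    keys = {e[:3] for e in incoming}
    return [e for e in existing if e[:3] not in keys] + list(incoming)

def demo():
    """Simulate `xauth extract - $DISPLAY | rsh acs xauth merge -` for pub3-xt3:0."""
    remote = parse_xauthority(encode_entry(FAMILY_LOCAL, b"pub3-xt3", b"0", COOKIE_NAME, OLD_COOKIE))
    piped = encode_entry(FAMILY_LOCAL, b"pub3-xt3", b"0", COOKIE_NAME, NEW_COOKIE)
    merged = merge(remote, parse_xauthority(piped))
    # Map (address, number) -> cookie; the remote now holds the server's current cookie.
    return {(e[1], e[2]): e[4] for e in merged if e[3] == COOKIE_NAME}
```

Running "xauth list" on the remote host after the merge should show the same 32 hex digits that "xauth list" shows on the X terminal; if they differ, the merge did not reach the right home directory and the refusal messages shown earlier will follow.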
References
More information about xauth is available in the manual page; type man xauth at the command shell prompt to read it. If you have questions, speak to someone in Information Technology Consulting Services.
