Each X authority file assumes the default protections of the
account and directory in which it resides. If you have the
appropriate privileges, you can view or edit the contents of
an X authority file. To ensure the appropriate level of security,
access to this file is typically limited to either the local
SYSTEM account, the file owner, or both.
NOTE
When an X authority file is open for viewing or editing,
one or more lock files are created by adding -L or -C to the
file extension (such as, *.DECW$XAUTH-C). This renders the
X authority file locked from further use. When the file is
closed, the lock is subsequently removed, and the lock files
deleted.
If a DECwindows Motif session is terminated abruptly, one
or more locked files can remain. Use the XAUTH command with
options -b or -i to either break or ignore the locks and
gain access to the file.
1 – Displaying File Entries
Use the XAUTH LIST command to display the contents of an X
authority file.
For example, the following XAUTH command displays the entries in
the X authority file UNTRUSTED.DECW$XAUTH:
$ XAUTH -f UNTRUSTED.DECW$XAUTH LIST
local/ZEPHYR:0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
116.94.24.187:0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
NOTE
TCP/IP is considered the default transport for X authority
file entries. As a result, the transport portion of the
display name is assumed and not displayed for entries that
use the TCP/IP transport.
To limit the list to entries related to a particular display,
enter the display name at the end of the XAUTH LIST command, as
follows:
$ XAUTH -f UNTRUSTED.DECW$XAUTH LIST ZEPHYR::0
decnet/ZEPHYR::0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
With the TCPIP transport, multiple addresses may correspond to
the same display name. When displaying X authority file entries,
it may be difficult to distinguish which entry applies to which
address. To differentiate the entries, use the -n qualifier to
list them in numeric format, as follows:
$ XAUTH LIST
test13_2:0 MIT-MAGIC-COOKIE-1 12
test13_2:0 MIT-MAGIC-COOKIE-1 23
$ XAUTH -n LIST
#0006#fe800000000000000200f8fffe101905#:0 MIT-MAGIC-COOKIE-1 12
#0000#c0a70209#:0 MIT-MAGIC-COOKIE-1 23
2 – Adding and Removing File Entries
Use the XAUTH ADD and XAUTH REMOVE commands to add entries to or
delete entries from an X authority file.
If you have created a display device (using the SET DISPLAY
command), you can specify the device name on the xauth command
line to insert or remove entries related to the display device.
Typically, the X authority file entry for a display device
corresponds to the display server specified by the SET DISPLAY
command. However, if the SET DISPLAY command specifies that
a proxy server be used, the file entry pertains to that proxy
server.
For example, the following X authority file has a single
entry for the LOCAL transport on node ZEPHYR. To use the same
authorization key for the DECnet transport and to specify
that Kerberos be used when connecting to remote node HUBBUB,
you could add the following entries to the X authority file
UNTRUSTED.DECW$XAUTH:
$ XAUTH -f UNTRUSTED.DECW$XAUTH
Using authority file untrusted.decw$xauth
xauth> LIST
local/ZEPHYR:0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
xauth> ADD ::0 . cfcc5ef98f9718f90154f355c0ae9f62
xauth> ADD HUBBUB::0 MIT-KERBEROS-5 ""
xauth> LIST
local/ZEPHYR:0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
decnet/HUBBUB::0 MIT-KERBEROS-5
xauth> EXIT
Writing X authority file untrusted.decw$xauth
Client applications running on systems in the same cluster
share a single X authority file. As a result, in cluster
configurations, adding an entry for the DECnet transport to the
local system grants client applications running on other nodes in
the cluster access to that system.
To discontinue remote access to HUBBUB, you could use the XAUTH
REMOVE command to remove the entry, as follows:
$ XAUTH -f UNTRUSTED.DECW$XAUTH
Using authority file untrusted.decw$xauth
xauth> REMOVE HUBBUB::0
1 entries removed
xauth> LIST
local/ZEPHYR:0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
xauth> EXIT
Writing X authority file untrusted.decw$xauth
3 – Copying Entries Between Files
Use one or more of the following XAUTH commands to copy entries
for a particular display from one X authority file to another.
This enables you to use an existing entry to grant another user
access to a particular display or to obtain access to a remote
host from the current display device.
o EXTRACT - Creates a new X authority file whose entries match
those in the original file.
o MERGE - Appends the contents of one file to another, replacing
entries for the same display name or adding entries for
different names.
o NEXTRACT and NMERGE - These commands are designed to be used
with the PIPE command. NEXTRACT extracts file entries in a
text format that can then be used as input for the NMERGE
command.
For example, the following command extracts the X
authority file entry for the local transport from the file
UNTRUSTED.DECW$XAUTH and adds it to a new X authority file
NEW_XAUTHORITY.DECW$XAUTH:
$ PIPE XAUTH -f UNTRUSTED.DECW$XAUTH NEXTRACT SYS$OUTPUT :0 | -
_$ XAUTH -f NEW_XAUTHORITY.DECW$XAUTH NMERGE SYS$INPUT
These commands can also be used with the rsh command to
copy entries from an X authority file on an OpenVMS host to
an X authority file on a remote UNIX system. For example,
the following command extracts the entry for TCP/IP access
(TCPIP/0:0) and adds it to the current file for user SMITH on
the remote UNIX system FLOPSY:
$ PIPE XAUTH -f UNTRUSTED.DECW$XAUTH NEXTRACT TCPIP/0:0 | -
_$ rsh/user=smith/password=secret flopsy "xauth nmerge -"
NOTE
When using the PIPE and XAUTH commands to pass information
to a UNIX host, you must press Ctrl/C to terminate the
connection to the UNIX host and return control to OpenVMS.