pam_xauth
Forward xauth keys (X display cookies) between users
SYNOPSIS
session [control_flag] pam_xauth.so [module_options]
pam_xauth provides only the session module type. It is configured in PAM service files for identity-switching services (e.g., /etc/pam.d/su) rather than invoked directly from the command line, and is normally listed as optional so that a missing xauth binary or a caller without a display never blocks the session itself.
PARAMETERS
debug
Print debugging information to the system log (syslog).
xauthpath=/path/to/xauth
Specify the path to the xauth program. By default the module looks for it in /usr/X11R6/bin/xauth, /usr/bin/xauth and /usr/bin/X11/xauth.
systemuser=UID
Specify the highest UID that is assumed to belong to a "system" user. pam_xauth refuses to forward cookies to any user whose UID is less than or equal to this number, except root and the targetuser, if one is specified. This keeps a desktop user's display cookie out of the hands of service accounts.
targetuser=UID
Specify a single target UID that is exempt from the systemuser check.
These four are the only options pam_xauth recognizes. There is no option to name the display, choose a data directory, or change how cookies are merged: the display is always taken from the DISPLAY environment variable of the calling process, and any other option is logged as unrecognized and ignored.
DESCRIPTION
pam_xauth is a Pluggable Authentication Module (PAM) session module that forwards xauth keys (the MIT-MAGIC-COOKIE-1 "cookies" normally kept in ~/.Xauthority) between users. Without it, a user who runs su(1) to assume another identity can no longer talk to their own X display, because the new user does not hold the cookie the X server demands. pam_xauth forwards the cookie for $DISPLAY from the invoking (source) user to the target user when the session is opened and removes it again when the session is closed, so X programs work after su without any manual xauth(1) or ~/.Xauthority handling.
The module does not write into the target user's ~/.Xauthority. It runs xauth as the source user to extract the cookie for the current DISPLAY, writes that cookie with xauth into a temporary file owned by the target user in the target user's home directory, and sets XAUTHORITY in the new session to point at that file; if xauth cannot list a key for DISPLAY, nothing is forwarded. Primitive access control is provided by two per-user files: ~/.xauth/export in the source user's home directory and ~/.xauth/import in the target user's. If the source user has an export file, cookies are forwarded only to users listed in it; if there is no export file and the source user is not root, cookies are forwarded to any user, whereas root with no export file forwards nothing. If the target user has an import file, cookies are accepted only from users listed in it; with no import file, cookies are accepted from anyone. Both files accept wildcards such as *, and either may be empty, meaning no users are allowed.
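The export/import rules above are easy to get backwards (an absent file means "everyone" for ordinary users but "nobody" for root, while an empty file always means "nobody"). The script below is an added example that reimplements those documented rules as a decision function so a policy can be checked before it is deployed; it is not pam_xauth's own code, never runs xauth, and the user names and home directories in the usage note are constructed for the example.

```shell
#!/bin/sh
# Added example (not pam_xauth's own code): a model of the ~/.xauth/export and
# ~/.xauth/import access control described in pam_xauth(8), for reasoning about
# who would receive whose display cookie. It only answers "would the module
# forward?"; it never runs xauth or touches a display.
#
#   export (source side): present -> target must match a line; absent -> allow,
#                         except that root forwards to nobody.
#   import (target side): present -> source must match a line; absent -> accept.
#   Lines are patterns ('*' matches any user); an empty file lists nobody.

# user_listed NAME FILE : 0 if NAME matches a pattern line of FILE, else 1
user_listed() {
    name="$1"
    list="$2"
    while IFS= read -r pat || [ -n "$pat" ]; do
        [ -n "$pat" ] || continue            # an empty line matches no user
        # $pat is deliberately unquoted so the shell treats it as a pattern
        case "$name" in $pat) return 0 ;; esac
    done < "$list"
    return 1
}

# xauth_forward_allowed SRC_USER SRC_HOME DST_USER DST_HOME
# Returns 0 if SRC_USER's cookie would be forwarded to DST_USER.
xauth_forward_allowed() {
    src="$1"; src_home="$2"; dst="$3"; dst_home="$4"
    export_file="$src_home/.xauth/export"
    import_file="$dst_home/.xauth/import"

    if [ -f "$export_file" ]; then
        user_listed "$dst" "$export_file" || return 1
    elif [ "$src" = "root" ]; then
        return 1                             # root must opt in explicitly
    fi

    if [ -f "$import_file" ]; then
        user_listed "$src" "$import_file" || return 1
    fi
    return 0
}

# Usage: sh xauth_policy.sh alice /home/alice bob /home/bob
if [ "$#" -eq 4 ]; then
    if xauth_forward_allowed "$@"; then
        echo "forward: $1 -> $3"
    else
        echo "refuse: $1 -> $3"
    fi
fi
```

With alice's export file containing only `bob`, carol's import file containing `a*`, and dave's import file empty: alice -> bob is forwarded, alice -> carol is refused by alice's export list, bob -> carol is refused by carol's import list, bob -> dave is refused because an empty import file lists nobody, and root -> bob is refused until ~root/.xauth/export exists.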
CAVEATS
Security Considerations: An X cookie is a bearer capability. Any process that can present it may connect to the display and do anything an X client can do, including reading keystrokes and window contents. Forwarding therefore grants the target user full access to the source user's display, which is why root forwards nothing unless ~root/.xauth/export says otherwise, and why systemuser= exists to keep cookies away from service accounts. Keep ~/.xauth/export and ~/.xauth/import as restrictive as the workflow allows, and note that the temporary cookie file pam_xauth creates in the target user's home directory is created with mode 0600 and owned by the target user.
Dependency: This module requires the xauth utility. It is searched for in /usr/X11R6/bin/xauth, /usr/bin/xauth and /usr/bin/X11/xauth unless xauthpath= points elsewhere; if it is not found, no cookie is forwarded.
Interaction with SSH: When X is forwarded with ssh -X or -Y, sshd creates its own cookie for the proxy display (for example localhost:10.0) and stores it in the login user's ~/.Xauthority; that part is independent of PAM. pam_xauth is still what forwards this proxy cookie when su is run inside such a session, so the two do not conflict. The sshd service's own PAM stack has no use for pam_xauth, since DISPLAY is not set when the login session is opened and there is nothing to forward.
Environment Variables: pam_xauth reads DISPLAY from the environment of the calling process (the one running su); if it is unset, the module does nothing. xauth honours XAUTHORITY when looking up the source cookie, so a source user whose cookie lives in a non-default file must have XAUTHORITY set before switching identity. After a successful forward, the new session's XAUTHORITY points at the temporary file in the target user's home directory, not at ~target/.Xauthority.
HISTORY
pam_xauth emerged as part of the broader PAM (Pluggable Authentication Modules) framework, which was developed to modularize and centralize authentication services in Linux and Unix-like systems. Its creation was driven by the need to manage X server access seamlessly for users undergoing identity changes (e.g., via su or sudo), where default X authorization might not propagate correctly.
It addresses challenges related to X server security and the propagation of X cookies across different user contexts, becoming a standard component in systems requiring robust graphical session management since the early days of PAM's adoption.