LinuxCommandLibrary

xauth

Manage X server authentication data

TLDR

Start interactive mode with a specific authority file (defaults to ~/.Xauthority)

$ xauth -f [path/to/file]

Display information about the authority file
$ xauth info

Display authorization entries for all the displays
$ xauth list

Add an authorization for a specific display
$ xauth add [display_name] [protocol_name] [key]

Remove the authorization for a specific display
$ xauth remove [display_name]

Print the authorization entry for the current display to stdout
$ xauth extract - $DISPLAY

Merge the authorization entries from a specific file into the authorization database
$ cat [path/to/file] | xauth merge -

Display help
$ xauth --help

SYNOPSIS

xauth [-f authfile] [-vqnb] [command arguments ...]

PARAMETERS

-f authfile
    Specifies the authorization file to use. The default is ~/.Xauthority.

-v
    Verbose mode. Provides more detailed output.

-q
    Quiet mode. Suppresses most informational messages.

-n
    Do not resolve hostnames. Speeds up operation but can lead to incorrect authorization entries if hostnames change.

-b
    Break up authorization records into multiple lines. Useful for very long authorization strings.

add displayname protocolname hexkey
    Adds a new authorization entry to the database.

extract filename displayname ...
    Extracts authorization entries to a file.

list
    Lists all authorization entries in the database.

remove displayname ...
    Removes authorization entries.

source filename
    Reads commands from a file.

merge filename
    Merges entries from a file into the current database.

generate displayname protocolname
    Generates a new authorization entry using a random key.

DESCRIPTION

xauth is a command-line utility used to manage the X authority database. This database stores authorization information used by X servers and clients to control connections. It's essential for securing X sessions, especially when connecting to remote X servers. xauth can add, extract, edit, and list authorization entries, using various authentication mechanisms like MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. Each entry typically includes the authorization protocol name, hostname, display number, and authorization data. This data (often referred to as a "magic cookie") must match between the client and server for the connection to be allowed. Using xauth effectively allows users to grant or deny access to their X sessions, enhancing security and preventing unauthorized access to graphical applications.

CAVEATS

Incorrect use of xauth can lead to security vulnerabilities or prevent legitimate connections to X servers. Be careful when manipulating the authorization database, especially when dealing with remote X connections.
Hostnames are case-sensitive and must match exactly the hostname used by the X server.

USAGE EXAMPLES

List existing entries:
xauth list

Extract entries for display :0 to a file:
xauth extract /tmp/auth_file :0

Add a new entry:
xauth add example.com:0 MIT-MAGIC-COOKIE-1 5a7b9c1d3e2f4a6b

SECURITY CONSIDERATIONS

The authorization file (typically ~/.Xauthority) should be protected with appropriate file permissions (e.g., 600) to prevent unauthorized access to X sessions. Always treat the authorization data (e.g., magic cookies) as sensitive information.
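
Added example (not part of the original page or of xauth itself): a POSIX shell audit that checks the authority file grants nothing to group or others and flags MIT-MAGIC-COOKIE-1 entries whose key is not the usual 128 bits (32 hex digits). The function names are illustrative assumptions, and the audit reports display names only, never the cookie values.

```shell
#!/bin/sh
# Added example: audit an X authority file. Function names are illustrative.

# Succeeds only if FILE grants no permissions to group or others
# (for example mode 600 or 400).
xauthority_is_private() {
    # `ls -ld` prints a mode string such as "-rw-------";
    # characters 5-10 are the group and other permission bits.
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Reads `xauth list` output on stdin and prints the display name of every
# MIT-MAGIC-COOKIE-1 entry whose key is not exactly 32 hex digits (128 bits).
short_cookie_displays() {
    awk '$2 == "MIT-MAGIC-COOKIE-1" &&
         (length($3) != 32 || $3 !~ /^[0-9A-Fa-f]+$/) { print $1 }'
}

# Audits one authority file (default: $XAUTHORITY, then ~/.Xauthority).
# Prints findings and returns non-zero if any were found.
audit_xauthority() {
    file=${1:-${XAUTHORITY:-$HOME/.Xauthority}}
    rc=0
    if [ ! -e "$file" ]; then
        echo "missing: $file"
        return 2
    fi
    if ! xauthority_is_private "$file"; then
        echo "group/other access on $file; fix with: chmod 600 $file"
        rc=1
    fi
    # The entry check runs only when xauth is installed.
    if command -v xauth >/dev/null 2>&1; then
        bad=$(xauth -n -f "$file" list 2>/dev/null | short_cookie_displays)
        if [ -n "$bad" ]; then
            echo "short or malformed cookie for: $bad"
            rc=1
        fi
    fi
    return $rc
}
```

Run audit_xauthority with no argument to check the current user's authority file, or pass a path to check a specific one.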

HISTORY

xauth has been a core component of the X Window System since its early development. Its purpose is to provide a basic security mechanism for controlling access to X servers. Over time, the supported authentication protocols have evolved, but the fundamental role of xauth remains the same: to manage authorization data.

SEE ALSO

X(7), xhost(1), startx(1)
