xauth
Manage X server authentication data
TLDR
Start interactive mode with a specific authority file (defaults to ~/.Xauthority)
Display information about the authority file
Display authorization entries for all the displays
Add an authorization for a specific display
Remove the authorization for a specific display
Print the authorization entry for the current display to stdout
Merge the authorization entries from a specific file into the authorization database
Display help
SYNOPSIS
xauth [-f authfile] [-vqnb] [command arguments ...]
PARAMETERS
-f authfile
Specifies the authorization file to use. The default is ~/.Xauthority.
-v
Verbose mode. Provides more detailed output.
-q
Quiet mode. Suppresses most informational messages.
-n
Do not resolve hostnames. Speeds up operation but can lead to incorrect authorization entries if hostnames change.
-b
Break up authorization records into multiple lines. Useful for very long authorization strings.
add hostname:display.screen protocolname hexkey
Adds a new authorization entry to the database.
extract filename hostname:display.screen ...
Extracts authorization entries to a file.
list
Lists all authorization entries in the database.
remove hostname:display.screen ...
Removes authorization entries.
source filename
Reads commands from a file.
merge filename
Merges entries from a file into the current database.
generate hostname:display.screen protocolname
Generates a new authorization entry using a random key.
DESCRIPTION
xauth is a command-line utility for managing the X authority database, which stores the authorization information that X servers and clients use to control connections. It is essential for securing X sessions, especially when connecting to remote X servers. xauth can add, extract, edit, and list authorization entries for authentication mechanisms such as MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. Each entry typically includes the authorization protocol name, hostname, display number, and authorization data. This data (often referred to as a "magic cookie") must match between the client and server for the connection to be allowed. By controlling which entries exist and who can read them, users grant or deny access to their X sessions and prevent unauthorized access to graphical applications.
CAVEATS
Incorrect use of xauth can lead to security vulnerabilities or prevent legitimate connections to X servers. Be careful when manipulating the authorization database, especially when dealing with remote X connections.
Hostnames are case-sensitive and must match exactly the hostname used by the X server.
USAGE EXAMPLES
List existing entries:
xauth list
Extract entries for display :0 to a file:
xauth extract /tmp/auth_file localhost:0
Add a new entry:
xauth add example.com:0 MIT-MAGIC-COOKIE-1 5a7b9c1d3e2f4a6b
SECURITY CONSIDERATIONS
The authorization file (typically ~/.Xauthority) should be protected with appropriate file permissions (e.g., 600) to prevent unauthorized access to X sessions. Always treat the authorization data (e.g., magic cookies) as sensitive information.
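The following audit sketch is an added example, not part of xauth or of the original page. It reads an authority file directly, reports a file mode looser than owner-only, and flags MIT-MAGIC-COOKIE-1 entries whose cookie is shorter than 128 bits. It assumes the libXau on-disk layout (a 2-byte big-endian family followed by four length-prefixed fields); the function names and the sample records are constructed for illustration.

```python
import stat
import struct
import tempfile
from pathlib import Path

def parse_xauthority(blob):
    """Yield (family, address, display, protocol, data) from raw file bytes."""
    pos = 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):  # address, display number, protocol name, data
            (length,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + length > len(blob):
                raise ValueError("truncated authority record")
            fields.append(blob[pos:pos + length])
            pos += length
        yield (family, *fields)

def audit(path):
    """Return findings: loose file mode, short MIT-MAGIC-COOKIE-1 cookies."""
    findings = []
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:03o}: accessible beyond the owner")
    for _family, addr, display, proto, data in parse_xauthority(Path(path).read_bytes()):
        where = f"{addr.decode(errors='replace')}:{display.decode(errors='replace')}"
        if proto == b"MIT-MAGIC-COOKIE-1" and len(data) < 16:
            findings.append(f"{where}: cookie is only {len(data) * 8} bits")
    return findings

def make_record(family, addr, display, proto, data):
    """Serialize one record (used only to build the constructed sample)."""
    out = struct.pack(">H", family)
    for field in (addr, display, proto, data):
        out += struct.pack(">H", len(field)) + field
    return out

def demo():
    # Constructed sample (family 256 = FamilyLocal): a 128-bit cookie, a 64-bit cookie, mode 644.
    blob = make_record(256, b"workstation", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
    blob += make_record(256, b"workstation", b"1", b"MIT-MAGIC-COOKIE-1", bytes.fromhex("5a7b9c1d3e2f4a6b"))
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "Xauthority"
        path.write_bytes(blob)
        path.chmod(0o644)
        return audit(path)
```

Calling audit() on a real ~/.Xauthority with mode 600 and server-generated cookies should return an empty list; the script never prints cookie values.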
HISTORY
xauth has been a core component of the X Window System since its early development. Its purpose is to provide a basic security mechanism for controlling access to X servers. Over time, the supported authentication protocols have evolved, but the fundamental role of xauth remains the same: to manage authorization data.