Configuring Xauthority

Question

"Several of our staff use EXMH. They run it on their Windows 2000 desktops via a WRQ Reflection X XDMCP connection to a SUNOS 5.7 server.

We are trying to transition to a more secure connection with SSH tunneling using the OpenSSH client supplied by WRQ.

When connecting via SSH, EXMH is unable to spawn child windows (compose, etc.). Apparently, they require Xauth support, even though it's not normally an issue with tunneled SSH. This appears to be driven by the TCL wish program, which requires some identity checking.

We found some suggestion that copying the .Xauthority file back to the PC and renaming it RXAUTH will work, but we're not sure where the file is supposed to go."

Configuring Xauthority support can be a pain with Windows-based X servers. You have two choices.

Figure out how to configure Xauthority, or
Recompile Tk on your solaris box and define -DTK_NO_SECURITY.

If you look at the Makefile in tk/unix/Makefile you'll find this. This scary sounding flag means that Tcl interpreters can communicate with each other if they are running on the same X display. If you are in a friendly environment, it really isn't an issue. The worry is that I log into the SUNOS box and open up a window on user Joe's display, then use my program to ask his exmh program to do something unfriendly. With the SECURITY setting, I don't have access to Joe's display. Oh, there is also

Disable the background process in exmh under Preferences->Background Processing->Separate background process. Exmh works OK in this mode, but you get periodic interruptions as it rummages around in folders. Users aren't thrilled by that behavior.

Let me explain the theory of operation for Xauthority in the hopes that it may help you configure it correctly. The idea is that each user has an ~/.Xauthority file that is readable to them, and contains one line for each X display. If you run "xauth list" on the SUNOS box, you should see the contents. When the Xserver starts up, it reads the ~/.Xauthority file looking for the record that corresponds to its display. When an X client application starts up and does XOpenDisplay(), it also looks for that same record and passes the magic cookie to the server. The server makes sure it matches, and the display connection is allowed.

When I used Exceed, I mounted my home directory from my Sun box on Z: I configured the Xauthority file to be Z:/.Xauthority I think used (on SUNOS) the xauth program to give myself a cookie for my windows display. I'd do:

 % xauth
 xauth> list
 cabuild-bsd1/unix:13  MIT-MAGIC-COOKIE-1  05e87b3e7ccb65ff5b9239f7ff0ff97f
 xauth> add mypc:0 MIT-MAGIC-COOKIE-1  05e87b3e7ccb65ff5b9239f7ff0ff97f
 xauth> exit

It doesn't really matter what the cookie value is, so I just copied one from another display.

Updated on 22 Mar 2004, 23:43 GMT
Search - Recent Changes - Reference - Index - Go to Beedub's Wiki - Help