Updated 2013-01-18 21:05:17 by pooryorick

Purpose: Help with the error message:
X server insecure (must use xauth-style authorization)

for those users who are launching X themselves and need either a display manager or some good means of generating session keys.

Does anyone who uses the console use non-X11 graphic applications? (Using the console as a dumb terminal doesn't count.)

Yes.

  • You have to arrange for multiple window systems on the console. It's difficult to get this to interoperate with a display manager. If you're not braver than I am, go to [X server insecure: can't manage the local console] to see how to get authorization enabled.

No.

  • You have an unmanaged local console, but you could get it managed. Go to [X server insecure: setting up xdm].

You use startx, x11start or xinit and don't want to use xdm

PT writes: To secure your X server you need to do two things. First you need a pair of unique and reasonably unguessable cookies in your X authorisation file. The cookies themselves are just 32-hex-digit numbers. You can generate a reasonable one using 'date +%s%s%s%s | cut -c-32' or you can get the mitcookie program from http://www.zsplat.freeserve.co.uk/progs/mitcookie.c

You need to issue
cookie=`mitcookie`    # or: cookie=`date +%s%s%s%s | cut -c-32`
xauth add unix:0.0          MIT-MAGIC-COOKIE-1 $cookie
xauth add `hostname -f`:0.0 MIT-MAGIC-COOKIE-1 $cookie

assuming hostname -f gives you your fully qualified domain name. These commands set up your X authorisation file. Now you need to start your X server and have it use these values. This is done by causing X to be run with -auth ${HOME}/.Xauthority.

There are a number of ways to do this depending on how you begin your X session. One would be
  xinit /usr/X11R6/bin/twm -- /usr/X11R6/bin/X :0.0 -auth ~/.Xauthority

but a more normal method is to execute the startx script. You should add the -auth parameters to the $serverargs variable and place the xauth commands just before the invocation of xinit to get everything working.

Once the above has been done then xhost should tell you that no-one is permitted to connect and that X authorisation is in use. Of course you now have to pass this cookie to your X client's machine. One way is to use ssh as it'll handle this transparently. So
ssh -f unixbox 'xterm -display workstation:0.0'

should run xterm for you.

Another way using rsh would be:
xauth extract - $HOSTNAME:0.0 | rsh unixbox '/usr/X11R6/bin/xauth merge -'

although this is pretty insecure.

Another way would be to use a terminal session and paste the cookie value obtained by the xauth list command into the remote session.
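
The cookie setup steps above, as an added example that is not part of the original page: it draws the 32 hex digits from /dev/urandom instead of the clock, because `date +%s%s%s%s` repeats the epoch seconds and so carries only the start time as entropy. The function names are made up for this example, and install_cookie assumes xauth is on the PATH.

```sh
#!/bin/sh
# Added example, not code from the original page. Function names are
# hypothetical; install_cookie assumes xauth is installed.

# Print 32 hex digits (128 bits) read from the kernel CSPRNG.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Succeed only if $1 is exactly 32 hex digits.
is_cookie() {
    case $1 in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Succeed if $1 looks clock-derived: decimal digits only, with the first
# ten digits repeated, which is what `date +%s%s%s%s | cut -c-32` yields.
looks_time_derived() {
    case $1 in
        *[!0-9]*) return 1 ;;
    esac
    first=$(printf %s "$1" | cut -c1-10)
    second=$(printf %s "$1" | cut -c11-20)
    [ -n "$first" ] && [ "$first" = "$second" ]
}

# Add entries for both display names used on the page to the authority
# file $1 (default ~/.Xauthority), created readable by the owner only.
install_cookie() {
    authfile=${1:-$HOME/.Xauthority}
    cookie=$(gen_cookie)
    is_cookie "$cookie" || return 1
    ( umask 077
      xauth -f "$authfile" add unix:0.0 MIT-MAGIC-COOKIE-1 "$cookie" &&
      xauth -f "$authfile" add "$(hostname -f):0.0" MIT-MAGIC-COOKIE-1 "$cookie" )
}

# Usage: run install_cookie, then start the server with -auth pointing
# at the same file, as in the xinit line shown earlier on the page.
```

looks_time_derived can be run over the hex keys printed by xauth list to spot entries that were generated from the clock.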