Scientific Computing & Visualization

Terminal/Workstation Access Control: Using Xhost and Xauth

Overview

By default, when you log into a machine, only the local host (workstation itself if you are on a workstation, host you logged in through if you are on an X terminal) is allowed to display information to your display. You can allow information to be displayed from other machines by use of one of two programs: xhost or xauth.

Xhost is "host-based" and easy to use but insecure. When you authorize a certain host (example: twister) to display information to your display, you authorize all users of that host to not only display information to your display but also to watch everything you type on that display. This is almost certainly not what you want. You almost always only really want to allow yourself to display information to your display from these remote hosts.

Xauth was introduced to solve this problem and is "user-based" security. Xauth is somewhat difficult to use and machines must be configured to support it (all SCV machines have been so configured) but it is very secure. Using xauth, only you will be able to display information to your display from remote hosts.

Both xhost and xauth are available on all SCV systems.

XHOST

Advantages: Easy to use. Available on all machines.
Disadvantages: Insecure.

Using xhost
All xhost access control commands must be performed on the local host (workstation itself if you are on a workstation, host you logged in through if you are on an X terminal) and you must first set your DISPLAY environment variable correctly to the name of your display/workstation.

Examples (All examples assume you are on the workstation barbie.)

To allow a remote host to display information to your display:

barbie% xhost + twister

To allow all hosts to access your display (NOT recommended - "xhost -" reverses this once done):

barbie% xhost +

To get a list of those hosts that currently have access to display information to your display:

barbie% xhost

To remove a host from your current access list:

barbie% xhost - twister
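
To check whether a display is in one of the states this section warns about, the listing printed by xhost can be scanned for host-wide grants. This is an added example, not part of the original help page; the function name audit_xhost, the sample listing and the user alice are constructed, and the INET:/SI:localuser: entry prefixes are the listing format assumed for current xhost builds.

```shell
#!/bin/sh
# Added example (not from the original page). Reads the listing printed by
# `xhost` with no arguments on stdin and flags grants wider than one user.
# Returns 0 when nothing host-wide is found, 1 otherwise.
audit_xhost() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left behind by `xhost +`: any host may connect.
                echo "CRITICAL: access control disabled; fix with: xhost -"
                findings=$((findings + 1)) ;;
            "access control enabled"*|"")
                ;;  # status line or blank line, nothing to flag
            SI:localuser:*)
                ;;  # server-interpreted entry naming one local user
            *)
                # INET:host, INET6:host or a bare host name: all users there.
                host=$line
                case "$line" in INET:*|INET6:*) host=${line#*:} ;; esac
                echo "WARN: host-wide grant $line; fix with: xhost - $host"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample listing (assumed format, not captured from a real system).
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:twister
SI:localuser:alice'

printf '%s\n' "$SAMPLE_XHOST" | audit_xhost || true
```

On a live session the same function can be fed directly: xhost | audit_xhost.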

XAUTH

Advantages: Secure.
Disadvantages: Somewhat cumbersome to use. Machines must be configured to support it.

Using xauth

Before doing anything with xauth, you should set your DISPLAY environment variable correctly to the name of your display/workstation:0.0. Do not set it to just :0.0 or unix:0.0.

Xauth controls access using a secret password ("magic cookie") which is automatically generated when you log into a workstation or X terminal and is stored in the file .Xauthority in your home directory. In order to allow your programs running on remote machines to display to your workstation/terminal, you must let them know what the current "magic cookie" is. There are basically two ways to do this:

1) Copy your .Xauthority file to the remote machine. This is most easily done using rcp (remote copy) but that requires you to have set up an appropriate .rhosts file. If you do not have an appropriate .rhosts file, you can transfer the .Xauthority file using standard ftp and binary transfer mode. An example is given here of my using rcp to allow access to my current workstation (barbie in the example) from a remote host (twister):

barbie% rcp .Xauthority twister:~aarondf/.
barbie% rsh twister xterm -display $DISPLAY &

2) The above way works but is not the recommended way to use xauth. The recommended practice is to use the xauth command to extract the "cookie" from your current machine's .Xauthority file and then merge it into the .Xauthority file on the remote machine. This approach basically requires that you have set up an appropriate .rhosts file. An example is given here of using this approach to, as above, allow access to my current workstation (barbie in the example) from a remote host (twister):

barbie% xauth extract - $DISPLAY | rsh twister xauth merge -
barbie% rsh twister xterm -display $DISPLAY &

Note that xauth looks for the .Xauthority file in the location $HOME/.Xauthority so if your $HOME environment variable is not set correctly or you are running an application which changes it, xauth will not work correctly.
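
The conditions this section names (a DISPLAY that includes the host name, and a .Xauthority file under the correct $HOME) can be checked before extracting the cookie. This is an added example, not part of the original page; xauth_preflight is a hypothetical name, and the permission check on the cookie file is an addition the page does not mention.

```shell
#!/bin/sh
# Added example (not from the original page). Checks $DISPLAY and
# $HOME/.Xauthority before `xauth extract`. Prints one line per problem
# and returns 0 only when there are none.
xauth_preflight() {
    problems=0
    case "${DISPLAY:-}" in
        "")
            echo "DISPLAY is not set"
            problems=$((problems + 1)) ;;
        :*|unix:*)
            # The forms the page says not to use: no host name in them.
            echo "DISPLAY='$DISPLAY' lacks a host name; use <workstation>:0.0"
            problems=$((problems + 1)) ;;
        *:*)
            ;;  # host:display[.screen], e.g. barbie:0.0
        *)
            echo "DISPLAY='$DISPLAY' has no :display part"
            problems=$((problems + 1)) ;;
    esac
    auth="${HOME:-}/.Xauthority"
    if [ ! -f "$auth" ]; then
        echo "no cookie file at $auth (is HOME set correctly?)"
        problems=$((problems + 1))
    else
        # Assumption added here: the cookie is a secret, so the group and
        # other permission bits (columns 5-10 of ls -l) should be clear.
        perms=$(ls -ld "$auth" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "$auth is accessible to group/other; fix with: chmod 600 $auth"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Constructed demo: a throwaway HOME holding a world-readable cookie file.
demo_home=$(mktemp -d)
: > "$demo_home/.Xauthority"
chmod 644 "$demo_home/.Xauthority"
( HOME=$demo_home; DISPLAY=:0.0; xauth_preflight ) || true
rm -rf "$demo_home"
```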


Additional Help/Documentation

Another help page on X Terminal Security is available on ACS. Also, there are man pages on both xhost and xauth.
Document Name: access_control
Author/Maintainer: Aaron D. Fuegi (aarondf@bu.edu)
Executable: /usr/bin/X11/xhost, /usr/bin/X11/xauth
Keywords: access, control, xhost, xauth, security
Machines List: SCV Systems
Related Man Pages: xhost, xauth
Related Help Pages: X Terminal Security on ACS
Created May 24, 1995; Last Revised August 28, 2002; Last Modified 16:14 25-Feb-04
URL of this document: http://scv.bu.edu/documentation/software-help/system-usage/access_ctrl.html
OIT | CCS | September 21, 2007  