MAN page from Fedora 28 xorg-x11-xauth-1.0.9-11.fc28.i686.rpm


Section: User Commands (1)
Updated: xauth 1.0.9


xauth - X authority file utility 


xauth[ -f authfile ] [ -vqibn ] [ command arg ... ] 


The xauth program is used to edit and display the authorizationinformation used in connecting to the X server. This program is usuallyused to extract authorization records from one machine and merge them in onanother (as is the case when using remote logins or granting access toother users). Commands (described below) may be entered interactively,on the xauth command line, or in scripts. Note that this programdoes not contact the X server except when the generate command is used.Normally xauth is not used to create the authority file entry inthe first place; the program that starts the X server (often xdmor startx) does that. 


The following options may be used with xauth. They may be givenindividually (e.g., -q -i) or may combined (e.g., -qi).
-f authfile
This option specifies the name of the authority file to use. By default,xauth will use the file specified by the XAUTHORITY environment variableor .Xauthority in the user's home directory.
This option indicates that xauth should operate quietly and not printunsolicited status messages. This is the default if an xauth commandis given on the command line or if the standard output is not directed to aterminal.
This option indicates that xauth should operate verbosely and printstatus messages indicating the results of various operations (e.g., how manyrecords have been read in or written out). This is the default if xauthis reading commands from its standard input and its standard output isdirected to a terminal.
This option indicates that xauth should ignore any authority filelocks. Normally, xauth will refuse to read or edit any authority filesthat have been locked by other programs (usually xdm or anotherxauth).
This option indicates that xauth should attempt to break any authorityfile locks before proceeding. Use this option only to clean up stale locks.
This option indicates that xauth should not attempt to resolve anyhostnames, but should simply always print the host address as stored inthe authority file.
This option shows the version number of the xauth executable.


The following commands may be used to manipulate authority files:
add displayname protocolname hexkey
An authorization entry for the indicated display using the given protocoland key data is added to the authorization file. The data is specified asan even-lengthed string of hexadecimal digits, each pair representingone octet. The first digit of each pair gives the most significant 4 bitsof the octet, and the second digit of the pair gives the least significant 4bits. For example, a 32 character hexkey would represent a 128-bit value.A protocol name consisting of just asingle period is treated as an abbreviation for MIT-MAGIC-COOKIE-1.

generate displayname protocolname [trusted|untrusted]
[timeout seconds] [group group-id] [data hexdata]

This command is similar to add. The main difference is that insteadof requiring the user to supply the key data, it connects to theserver specified in displayname and uses the SECURITY extensionin order to get the key data to store in the authorization file. Ifthe server cannot be contacted or if it does not support the SECURITYextension, the command fails. Otherwise, an authorization entry forthe indicated display using the given protocol is added to theauthorization file. A protocol name consisting of just a singleperiod is treated as an abbreviation for MIT-MAGIC-COOKIE-1.

If the trusted option is used, clients that connect using thisauthorization will have full run of the display, as usual. Ifuntrusted is used, clients that connect using this authorizationwill be considered untrusted and prevented from stealing or tamperingwith data belonging to trusted clients. See the SECURITY extensionspecification for full details on the restrictions imposed onuntrusted clients. The default is untrusted.

The timeout option specifies how long in seconds thisauthorization will be valid. If the authorization remains unused (noclients are connected with it) for longer than this time period, theserver purges the authorization, and future attempts to connect usingit will fail. Note that the purging done by the server does notdelete the authorization entry from the authorization file. Thedefault timeout is 60 seconds.

The group option specifies the application group that clientsconnecting with this authorization should belong to. See theapplication group extension specification for more details. Thedefault is to not belong to an application group.

The data option specifies data that the server should use togenerate the authorization. Note that this is not the same datathat gets written to the authorization file. The interpretation ofthis data depends on the authorization protocol. The hexdata isin the same format as the hexkey described in the add command.The default is to send no data.

[n]extract filename displayname...
Authorization entries for each of the specified displays are written to theindicated file. If the nextract command is used, the entries are writtenin a numeric format suitable for non-binary transmission (such as secureelectronic mail). The extracted entries can be read back in using themerge and nmerge commands. If the filename consists ofjust a single dash, the entries will be written to the standard output.
[n]list [displayname...]
Authorization entries for each of the specified displays (or all if nodisplays are named) are printed on the standard output. If the nlistcommand is used, entries will be shown in the numeric format used bythe nextract command; otherwise, they are shown in a textual format.Key data is always displayed in the hexadecimal format given in thedescription of the add command.
[n]merge [filename...]
Authorization entries are read from the specified files and are merged intothe authorization database, superseding any matching existing entries. Ifthe nmerge command is used, the numeric format given in the descriptionof the extract command is used. If a filename consists of just a singledash, the standard input will be read if it hasn't been read before.
remove displayname...
Authorization entries matching the specified displays are removed from theauthority file.
source filename
The specified file is treated as a script containing xauth commandsto execute. Blank lines and lines beginning with a sharp sign (#) areignored. A single dash may be used to indicate the standard input, if ithasn't already been read.
Information describing the authorization file, whether or not any changeshave been made, and from where xauth commands are being readis printed on the standard output.
If any modifications have been made, the authority file is written out (ifallowed), and the program exits. An end of file is treated as an implicitexit command.
The program exits, ignoring any modifications. This may also be accomplishedby pressing the interrupt character.
This command shows the version number of the xauth executable.
help [string]
A description of all commands that begin with the given string (or allcommands if no string is given) is printed on the standard output.
A short list of the valid commands is printed on the standard output.


Display names for the add, [n]extract, [n]list,[n]merge, and remove commands use the same format as theDISPLAY environment variable and the common -display command lineargument. Display-specific information (such as the screen number)is unnecessary and will be ignored.Same-machine connections (such as local-host sockets,shared memory, and the Internet Protocol hostname localhost) arereferred to as hostname/unix:displaynumber so thatlocal entries for different machines may be stored in one authority file. 


The most common use for xauth is to extract the entry for thecurrent display, copy it to another machine, and merge it into theuser's authority file on the remote machine:

        %  xauth extract - $DISPLAY | ssh otherhost xauth merge -

The following command contacts the server :0 to create anauthorization using the MIT-MAGIC-COOKIE-1 protocol. Clients thatconnect with this authorization will be untrusted.

        %  xauth generate :0 .


This xauth program uses the following environment variables:
to get the name of the authority file to use if the -f option isn'tused.
to get the user's home directory if XAUTHORITY isn't defined.


default authority file if XAUTHORITY isn't defined.


X(7), Xsecurity(7), xhost(1),Xserver(1), xdm(1), startx(1),Xau(3). 


Users that have unsecure networks should take care to use encryptedfile transfer mechanisms to copy authorization entries between machines.Similarly, the MIT-MAGIC-COOKIE-1 protocol is not very useful inunsecure environments. Sites that are interested in additional securitymay need to use encrypted authorization mechanisms such as Kerberos.

Spaces are currently not allowed in the protocol name. Quoting could beadded for the truly perverse. 


Jim Fulton, MIT X Consortium




This document was created byman2html,using the manual pages.