Purpose: Help with the error message:
X server insecure (must use xauth-style authorization)
for those users who are launching X themselves and need either a display manager or some good means of generating session keys.
Does anyone who uses the console use non-X11 graphic applications? (Using the console as a dumb terminal doesn't count.)
Yes.
No.
You use startx, x11start or xinit and don't want to use xdm
PT writes: To secure your X server you need to do two things. First you need a pair of unique and reasonably unguessable cookies in your Xauthorisation file. The cookies themselves are just 32 hex digit numbers. You can generate a reasonable one using 'date +%s%s%s%s | cut -c-32' or you can get the mitcookie program from http://www.zsplat.freeserve.co.uk/progs/mitcookie.c
You need to issue
cookie=`mitcookie` or cookie=`date +%s%s%s%s|cut -c-32` xauth add unix:0.0 MIT-MAGIC-COOKIE-1 $cookie xauth add `hostname -f`:0.0 MIT-MAGIC-COOKIE-1 $cookie
assuming hostname -f gives you your fully qualified domain name. These commands set up your X authorisation file. Now you need to start your X server and have it use these values. This is done by causing X to be run with -auth ${HOME}/.Xauthority.
There are a number of ways to do this depending on how you begin your X session. One would be
xinit /usr/X11R6/bin/twm -- /usr/X11R6/bin/X :0.0 -auth ~/.Xauthority
but a more normal method is to execute the startx script. You should add the -auth parameters to the $serverargs variable and place the xauth commands just before the invocation of xinit to get everything working.
Once the above has been done then xhost should tell you that no-one is permitted to connect and that X authorisation is in use. Of course you now have to pass this cookie to your X client's machine. One way is to use ssh as it'll handle this transparently. So
ssh -f unixbox 'xterm -dispay workstation:0.0'
should run xterm for you.
Another way using rsh would be:
xauth extract - $HOSTNAME:0.0 | rsh unixbox '/usr/X11R6/bin/xauth merge -'
although this is pretty insecure.
Another way would be to use a terminal session and paste the cookie value obtained by the xauth list command into the remote session.