VMS Help  —  XAUTH  X Authority Files
    The X authority file is a binary data file that contains
    information used to authorize connections to the X server on a
    system running DECwindows Motif Version 1.3 or higher.

    Each time a client application attempts to connect to an X
    server system that uses an authorization protocol, it references
    the current X authority file to determine the appropriate
    authorization key to apply in order to authenticate the
    connection. Each authorization key consists of the protocol name
    and token, which can be one of the following depending on the
    protocol in use:

    o  MIT-MAGIC-COOKIE-1 + random numeric code

    o  MIT-KERBEROS-5 + encrypted string (cached separately)

    By default, an X authority file is created automatically the
    first time a user logs into a desktop on a system configured
    for MIT-MAGIC-COOKIE-1 or MIT-KERBEROS-5 authentication.
    The file is stored in that user's OpenVMS login directory
    (SYS$LOGIN:DECW$XAUTHORITY.DECW$XAUTH). Each time the user
    subsequently logs into a desktop on that system, a new
    authorization key is generated, passed to the X server, and
    written to the user's X authority file. This key controls access
    to the X server during the DECwindows Motif session.

    A separate X authority file can be manually defined on a server
    level (using the DECW$SERVER_XAUTHORITY symbol) for those client
    applications that require access to the X server outside of the
    normal DECwindows Motif login process.

    If the SECURITY extension is enabled, authorization keys can also
    be manually generated. Manually generated keys can be used to
    further restrict server access. The generated key is stored in
    the X authority file on the client system, overwriting any value
    already present for the specified display server. The key can be
    distributed to different client systems to allow connections
    to a specific server and can be revoked to stop subsequent
    connections.

    Generated keys are assigned an authorization ID that associates
    the key with the user who generated the key. As a result, only
    the user who generated the key can revoke the key.

1  –  Format of File Entries

    Each entry in an X authority file corresponds to a particular X
    display server and is composed of three main components:

    display-name protocol token

1.1  –  display-name

    Identifies the name of the X display to which you are authorizing
    access. The display name follows the supported display name
    format:

    [transport/]host:[:]server[.screen]

    This format enables you to use a single X authority file to
    grant varying levels of access to different X display servers
    and connection families.

    For example, the following entries grant access to the local
    display server on node HUBBUB and the remote display server on
    node ZEPHYR via the DECnet transport:

 local/HUBBUB:0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
 decnet/ZEPHYR::0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62

    o  [transport/]
       Identifies the network transport used to connect to an X
       display server. See the DECwindows Motif documentation for
       a list of the supported transport values. If a transport value
       is not specified, the default value is interpreted from the
       format of the remaining portions of the display-name entry,
       for example:

          Host address and one colon (116.94.24.187:0) (TCP/IP)
          Two colons (::0 or ZEPHYR::0) (DECnet)
          No host name or address and one colon (:0) (local)

    o  host[:]
       Identifies the name of the host system where the X display
       server is located. A value of 0 is interpreted as the local
       host, which is the default. The type of host is determined
       by the transport value. See the DECwindows documentation for
       examples of valid host name and address formats.

    o  :server
       Identifies the server. This value is required and must be
       preceded by a single colon (:). Typically the value for a
       single-server system is :0. If you are specifying a display
       on a multi-server system (such as when using a proxy server),
       additional values may apply depending on the number of servers
       in the configuration. If you have specified a display device
       (with the SET DISPLAY command), the server portion of the
       entry is assumed from the device specification.

    o  [.screen]
       Identifies the screen. On OpenVMS Alpha and OpenVMS I64
       systems, the screen value is not held in the X authority file
       and is ignored when included in a command. All screens on a
       single server have the same authorization.

1.2  –  protocol

    Indicates the authentication protocol in use. Valid values are
    MIT-MAGIC-COOKIE-1 and MIT-KERBEROS-5.

1.3  –  token

    A random alphanumeric string that functions as a password
    authorizing a server connection. The format of the token depends
    on the authorization scheme in use. MIT-MAGIC-COOKIE-1 uses a
    128-bit string known as a magic cookie. MIT-KERBEROS-5 uses an
    encrypted string to authorize server connections. This string
    is stored separately. The token entry in the X authority file
    represents the encoded location of the Kerberos keytab file and
    associated principal name, which is referenced by the server to
    locate the encrypted string.
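
    Added example (not part of the DECwindows Motif help text): a
    Python parser for the entry layout and transport defaults
    described in sections 1.1 to 1.3, working on the textual form
    shown in the examples above rather than on the binary file. The
    function names, the "tcpip" label, the numeric server field, and
    the 32-hex-digit text form of the cookie are assumptions.

```python
import re

PROTOCOLS = ("MIT-MAGIC-COOKIE-1", "MIT-KERBEROS-5")
# [transport/]host:[:]server[.screen]; numeric server and screen are assumed.
DISPLAY_RE = re.compile(
    r"^(?:(?P<transport>[^/\s]+)/)?(?P<host>[^:/\s]*)(?P<colons>::?)"
    r"(?P<server>\d+)(?:\.(?P<screen>\d+))?$")

def parse_display(name):
    """Return (transport, host, server); the screen is parsed but dropped."""
    m = DISPLAY_RE.match(name)
    if m is None:
        raise ValueError("malformed display name: %r" % name)
    transport, host = m["transport"], m["host"]
    if transport is None:              # infer the default from the punctuation
        if m["colons"] == "::":
            transport = "decnet"       # two colons
        elif host == "":
            transport = "local"        # no host and one colon
        else:
            transport = "tcpip"        # host and one colon (assumed label)
    return transport.lower(), host or "0", int(m["server"])

def parse_entry(line):
    """Split 'display-name protocol token' and validate each field."""
    display, protocol, token = line.split()   # ValueError unless 3 fields
    if protocol not in PROTOCOLS:
        raise ValueError("unknown protocol: %r" % protocol)
    # A magic cookie is 128 bits; 32 hex digits is the assumed text form.
    if protocol == "MIT-MAGIC-COOKIE-1" and not re.fullmatch(r"[0-9a-fA-F]{32}", token):
        raise ValueError("magic cookie is not 128 bits of hex")
    return parse_display(display), protocol, token

def load(lines):
    """Key entries by display server; a later entry replaces an earlier one."""
    table = {}
    for line in lines:
        key, protocol, token = parse_entry(line)
        table[key] = (protocol, token)
    return table

# Constructed sample: the two entries from section 1.1 plus one constructed
# entry that names the ZEPHYR server again with a screen and no transport.
SAMPLE = [
    "local/HUBBUB:0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62",
    "decnet/ZEPHYR::0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62",
    "ZEPHYR::0.1 MIT-MAGIC-COOKIE-1 00112233445566778899aabbccddeeff",
]
if __name__ == "__main__":
    print(load(SAMPLE))
```

    Loading SAMPLE yields two entries, not three: ZEPHYR::0.1 resolves
    to the same server as decnet/ZEPHYR::0 and replaces its cookie.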

2  –  Specifying an X Authority File

    By default, the X authority file referenced by client
    applications and the xauth utility is defined as
    SYS$LOGIN:DECW$XAUTHORITY.DECW$XAUTH. You can override this
    default and specify an alternate X authority file in either of
    the following ways:

    o  You can create alternate X authority files and switch between
       them using the DECW$XAUTHORITY logical. For example, the
       following command changes the X authority file in use for
       the current DECwindows Motif session to UNTRUSTED.DECW$XAUTH:

       $  DEFINE DECW$XAUTHORITY-
       _$ SYS$MANAGER:[SYSMGR]UNTRUSTED.DECW$XAUTH

       The logical definition remains in use until it is
       redefined or an alternate value is specified using the SET
       DISPLAY/XAUTHORITY command.

    o  If a display device is used to create a client connection to
       an X server, you can specify an alternate X authority file
       using the SET DISPLAY/CREATE/XAUTHORITY command. Note that the
       file specified on this command line overrides both the default
       and any file referenced by the DECW$XAUTHORITY logical.