xauth
Published on 07 Jun 2004Tags #Linux #SSH #X11
When trying to run a graphical program under a different user than the X server, this is not permitted on a properly configured system. often xhost
is used to allow the local host or a limited number of remote hosts access to the local X server. unfortunately, this mechanism does not differentiate between users and introduces a security risk because all users on such a machine are allowed to use the X server.
Often xhost +local:
is used to restrict the availability of the X server to local non-networked connection but on a multi-user system, this does not enhance security very much.
A more secure approach is the use of magic cookies that authenticate the X client with the server. If the foreign user has obtained the magic cookies from you, he is able to connect a client to the X server. other users that do not have access to the cookie are denied the access.
To transfer a cookie to another remote account, use the following command:
xauth nextract - ${DISPLAY} | ssh USER@HOST xauth nmerge -
See also Pipes over SSH