[ale] Need an "X" fix.

Dow Hurst dhurst at kennesaw.edu
Thu Apr 18 16:43:55 EDT 2002 

>From the man page of xauth:

EXAMPLE
The most common use for xauth is to extract the entry for the current
display, copy it to another machine, and merge it into the user's
authority file on the remote machine:

%  xauth extract - $DISPLAY | rsh otherhost xauth merge -


So your right about the Xserver key having to be in the possession of
Almost.  However, Almost does present the key to Chinaberry's Xserver
when the xterm client requests service by Chinaberry's Xserver.  What I
meant by my earlier posts about xhost versus xauth is that all the
common Linux distros, that I have used, default to xauth authentication
not xhost.  You can change that in the Xserver config, however, IRIX
ships default with xhost authentication not xauth, which must be enabled
in the Xserver config.
Dow


Jim Lynch wrote:
> 
> Are you sure?  Chinaberry is the server.  The 'master' xauthority key is
> generated by and kept on the server.  For a client to connect to the
> server it must pass the key to the server, hence the server distributes
> the keys for its display to the clients, not the other way around.  What
> good would security be if it was controlled by the client?
> 
> Anyone else?
> 
> Thanks,
> Jim.
> 
> Dow Hurst wrote:
> >
> > First off, xhost is the mechanism used by IRIX, however, it isn't used
> > by Linux.  Xauth is used by Linux.  So the xhost isn't necessary.  The
> > permission for X display is on the Chinaberry Linux system side since it
> > is the Xserver.  You need to have the Xauth key from Almost merged into
> > your Chinaberry side of the connection.  The xterm is the client and the
> > Xserver is running on Chinaberry and requires the proper authorization
> > from Almost.
> > Dow
> >
> > PS.  sorry for "cross-replying" incorrectly.  thought I had the right
> > email displayed when I clicked on reply!
> >
> > Jim Lynch wrote:
> > >
> > > I've pulled most of my hair out trying to figure this one out but I'm
> > > stumped.  Perhaps someone here can help.
> > >
> > > This is the output from a Linux system I'm trying to run Xvfb on to
> > > provide a dummy X session.
> > >
> > > <chinaberry 154> ./start.sh
> > > + export DISPLAY=chinaberry.peachtree.sgi.com:5
> > > + Xvfb :5
> > > + DISPLAY=chinaberry.peachtree.sgi.com:5
> > > + xhost +
> > > access control disabled, clients can connect from any host
> > > + xauth generate chinaberry.peachtree.sgi.com:5 .
> > > xauth:  creating new authority file /home/jwl/.Xauthority
> > > + xauth extract - chinaberry.peachtree.sgi.com:5
> > > + rsh -l guest almost.csd.sgi.com /usr/bin/X11/xauth merge -
> > > /usr/bin/X11/xauth:  creating new authority file
> > > /usr/people/guest/.Xauthority
> > > <chinaberry 155> xauth list
> > > chinaberry.peachtree.sgi.com:5  MIT-MAGIC-COOKIE-1
> > > 1668367a2c5c1f194b77413947551b77
> > >
> > > Start.sh, as you can see, cranks up Xvfb on display 5.  I also attempted
> > > to open up the access via the xhost command.  It says it works, but it
> > > lies.
> > >
> > > almost 55% xauth list
> > > chinaberry.peachtree.sgi.com:5  MIT-MAGIC-COOKIE-1
> > > 1668367a2c5c1f194b77413947551b77
> > > almost 57% setenv DISPLAY chinaberry.peachtree.sgi.com:5
> > > almost 58% echo $DISPLAY
> > > chinaberry.peachtree.sgi.com:5
> > > almost 59% xterm
> > > Xlib: connection to "chinaberry.peachtree.sgi.com:5.0" refused by server
> > > Xlib: Invalid MIT-MAGIC-COOKIE-1 key
> > > Error: Can't open display: chinaberry.peachtree.sgi.com:5
> > >
> > > I did the same exercise without the .Xauthority files in place.  With
> > > out all the details I get:
> > >
> > > almost 61% xterm
> > > Xlib: connection to "chinaberry.peachtree.sgi.com:5.0" refused by server
> > > Xlib: Client is not authorized to connect to Server
> > > Error: Can't open display: chinaberry.peachtree.sgi.com:5
> > >
> > > even though xhost + said "access control disabled, clients can connect
> > > from any host".
> > >
> > > almost.csd is an Irix system.  I've tried the same tests between two
> > > Linux systems with the same results.  Chinaberry is running a Debian
> > > dist. kernel 2.2.19.  The other Linux box was a Red Hat installation.
> > >
> > > Anyone got any ideas?
> > >
> > > Thanks,
> > > Jim.
> > >
> > > ---
> > > This message has been sent through the ALE general discussion list.
> > > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > > sent to listmaster at ale dot org.
> >
> > --
> > __________________________________________________________
> > Dow Hurst                   Office: 770-499-3428
> > Systems Support Specialist  Fax:    770-423-6744
> > 1000 Chastain Rd.
> > Chemistry Department SC428  Email:dhurst at kennesaw.edu
> > Kennesaw State University         Dow.Hurst at mindspring.com
> > Kennesaw, GA 30144
> > *********************************
> > *Computational Chemistry is fun!*
> > *********************************
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.

-- 
__________________________________________________________
Dow Hurst                   Office: 770-499-3428
Systems Support Specialist  Fax:    770-423-6744
1000 Chastain Rd.
Chemistry Department SC428  Email:dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.

More information about the Ale mailing list