This section provides basic information about Security, how connections are allowed or denied:
Xauth Cookie authorization is based on MIT-MAGIC-COOKIE-1 (also known as magic cookie method), in which the UNIX program Xauth views and transfers cookies.
The X-server obtains the cookie, which is a 16-byte random number. When the X-application connects, it sends the cookie. If the 16 bytes sent by the application are the same as the bytes in the X-server, the client is authorized.
How the magic cookie is dependent on whether or not the connection method for session is XDMCP.
With XDMCP - The xdm program on the UNIX system generates the random number, sends it to the X server in an XDMCP packet, and saves it in an .Authority file in the home directory. When running X-applications, the remote UNIX system reads the .Xauthority file and sends the cookie to the X-server, where the cookie is compared to the one in the X-server 's memory.
Without XDMCP and the Xauth option is selected - The X-server generates the cookie itself, using a random number generator.
The Xauth cookie is a file named Xauthority that is stored in your home directory.
This file is a password for the X-Win display - do not assign that file group or world read or write permissions. The correct permissions for this file are read and write, only for the local user (you).
By default, X11 Forwarding is enabled with the SSH connection method, which handles setting the XAuth cookie.
If X11 Forwarding is disabled, the display command is manually entered. An example follows.
xterm -ls -display @DISPLAY@
-display @DISPLAY@ represents the argument for xterm -ls
Alternatively, which is recommended, is to enable Send Xauth and then submit the following command. An example follows.
xauth merge - ; xterm -ls -display @DISPLAY@
This feature allows specified hosts to connect to the local workstation. If no hosts are listed, hosts that attempt to connect will not be allowed. If Allow by Prompt is selected (see the section below), a request for approval will be made for each attempt to connect - this includes contact attempted by hosts that were specified in session configurations
When a client is not authorized via Xauth, Address, or SSH with X11 forwarding, a request will occur with each connection attempt - allow or deny that connection.