Bug 2598

Summary: xauth doesn't work (and I can't use xhost)
Product: [Retired] Red Hat Linux
Reporter: david.airlie
Component: XFree86
Assignee: Michael Fulbright <msf>
Severity: medium
Priority: medium
Version: 6.0
CC: scooper
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 1999-08-23 17:47:00 UTC

Description david.airlie 1999-05-06 13:37:52 UTC
gdm as my login manager, I login as user, and I used to call
the following after login to copy my Xauth key to my Sun
workstations so that I could run things from them,

xauth extract - rowan:0.0 | ssh oak xauth merge -

rowan is my machine, oak is my Sun server,
This no longer works and neither does passing :0.0 or
rowan.ece.ul.ie:0.0 (my FQDN)...

I don't like using xhost as this causes security problems I
would rather not deal with ...

Comment 1 Bill Nottingham 1999-05-06 14:54:59 UTC
try xauth extract - :0

Comment 2 david.airlie 1999-05-06 15:04:59 UTC
I think it's a bit more difficult than that ...

rowan (airlied)% xauth extract - :0 | ssh oak xauth merge -
rowan (airlied)% xon oak -debug
Xlib: connection to "rowan.ece.ul.ie:0.0" refused by server
Xlib: Client is not authorized to connect to Server
xterm Xt error: Can't open display: rowan.ece.ul.ie:0

Comment 3 Preston Brown 1999-06-14 20:35:59 UTC
Are there xauth problems with gdm that you know about, Dr. Mike?

Comment 4 Michael Fulbright 1999-07-06 15:59:59 UTC
I don't know of any issues with xauth. The only problem I've
seen isn't really a gdm bug. If you change your hostname while
in X (and have an xauth key already), then you cannot create
new clients because the hostname doesn't match the xauth record.

Comment 5 david.airlie 1999-07-07 14:26:59 UTC
Okay that comment about gdm sparked another thought .. I've switched
to xdm and it works fine, but gdm doesn't ...

If I rm my .Xauthority and log in with xdm I get three keys
rowancoax:0  MIT-MAGIC-COOKIE-1  xxxxxxxxxxxxxxxxxxxxxxxx
rowan.ece.ul.ie:0  MIT-MAGIC-COOKIE-1  xxxxxxxxxxxxxxxxxxxxxxx
rowan/unix:0  MIT-MAGIC-COOKIE-1  xxxxxxxxxxxxxxxxxxxxxxxx

where my machine has 2 netcards, rowancoax and rowan.ece.ul.ie,

with gdm I only get the last one the rowan/unix:0 key ...

So does this help any?

Comment 6 Preston Brown 1999-07-15 19:07:59 UTC
Dr. Mike -- perhaps gdm should also insert the FQDN(s) when you are
logging in?

Comment 7 j.pelan 1999-07-19 01:15:59 UTC
I too see this problem. I can say that it isn't a problem re:FQDN as
my .Xauthority *is* fully qualified. I have checked the obvious, i.e.
cookies in .Xauthority vs. /var/gdm/:0.xauth appear the same.

I cranked up X server to -auth 4 but it doesn't spill much - I'd like
to see what it gets as a cookie.

Comment 8 j.pelan 1999-07-19 01:17:59 UTC
That should be "-audit 4" of course (It's 2am!).

Comment 9 j.pelan 1999-07-20 16:28:59 UTC
Doh ! It's obvious when one starts with an empty .Xauthority file.
It only contains a *single* entry for the host, i.e. one for the unix
sockets but not the TCP connections. Add the entry with xauth and it
works !

A quick look at gdm bugtrack.... and lo ... Gnome ticket report logs -
#1396 gdm does not create TCP xauth cookie
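
The condition diagnosed in Comments 5 and 9 (a host/unix:N entry with no matching host:N entry) can be checked mechanically. The following is an added example, not part of the original report or of gdm: a shell function with the hypothetical name check_xauth_families that reads `xauth list` output on stdin. Hostnames are the ones from this report; the cookie values are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads `xauth list`-style lines
# on stdin: "<displayname>  <protocol>  <hexkey>".
# Exit status 0: every display with a host/unix entry also has a TCP entry.
# Exit status 1: at least one display has only the host/unix entry.

check_xauth_families() {
    awk '
        NF >= 3 {
            name = $1
            n = name
            sub(/^.*:/, "", n)     # keep what follows the last colon
            sub(/\..*$/, "", n)    # drop an optional ".screen" suffix
            if (name ~ /\/unix:/)
                unixfam[n] = $2    # local-socket entry, remember protocol
            else
                tcp[n] = 1         # host:N entry used by TCP clients
        }
        END {
            status = 0
            for (n in unixfam)
                if (!(n in tcp)) {
                    printf "display :%s has only a host/unix entry (%s); no TCP entry for remote clients\n", n, unixfam[n]
                    status = 1
                }
            exit status
        }'
}

# Constructed sample: what the report describes after a gdm login.
SAMPLE_GDM='rowan/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

# Constructed sample: the three entries the report describes after an xdm login.
SAMPLE_XDM='rowancoax:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
rowan.ece.ul.ie:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
rowan/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

printf '%s\n' "$SAMPLE_GDM" | check_xauth_families || true
printf '%s\n' "$SAMPLE_XDM" | check_xauth_families && echo "xdm sample: all families present"
```

On a live session the same function can be fed with `xauth list | check_xauth_families`.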

Comment 10 Preston Brown 1999-08-23 17:47:59 UTC
will be fixed in the next release.

Comment 11 Anonymous 1999-08-25 15:45:59 UTC
I have just (25 Aug 1999) received e-mail from Martin K. Petersen
<mkp@mkp.net> himself who says;

"gdm is broken by design and no longer maintained. It is only
supported to the extent that some distributors are willing to patch

I will ask the bugs.gnome.org maintainer to remove gdm from the
system as it confuses people that it is still there.

Please try the gdm2 module from CVS. Beta2 is due out this week."

Perhaps RedHat should ditch "gdm" and move with "gdm2". It would
certainly avoid significant amounts of patching.