HP OpenVMS Systems Documentation

The X authority file is a binary data file that contains information used to authorize connections to the X server on a HP DECwindows Motif for HP OpenVMS Alpha Version 1.3 system.

Each time an X Window System client application attempts to connect to the X server on a HP DECwindows Motif for HP OpenVMS Alpha Version 1.3 system, the server references the current X authority file to determine the appropriate authorization key to apply in order to authenticate the connection. Each authorization key consists of the protocol name and token, which can be one of the following depending on the protocol in use:

• MIT-MAGIC-COOKIE-1 + random numeric code
• MIT-KERBEROS-5 + encrypted string (cached separately)

By default, an X authority file is created automatically the first time a user logs into a desktop on a HP DECwindows Motif for HP OpenVMS Alpha Version 1.3 system configured for MIT-MAGIC-COOKIE-1 or MIT-KERBEROS-5 authentication. The file is stored in that user's OpenVMS login directory (SYS$LOGIN:DECW$XAUTHORITY.DECW$XAUTH), or in the location specified by the DECW$XAUTHORITY logical. Each time the user subsequently logs into a desktop on that system, a new authorization key is generated, passed to the X server, and written to the user's X authority file. This key controls access to the X server during the DECwindows Motif session.

Similar to the capability provided by the access allowed file described in Section 2.6.3.1.1, a separate X authority file can be manually defined on a server level (using the DECW$SERVER_XAUTHORITY symbol) for those client applications that require access to the X server outside of the normal DECwindows Motif login process.

If the SECURITY extension is enabled, authentication keys can also be manually generated. Manually-generated keys can be used to further restrict server access. The generated key is stored in the X authority file for the server overwriting any value already present. The key can be passed around and used by clients to connect but can be revoked to stop later connections.

Generated keys are assigned an authorization ID that associates the key with the user who generated the key. As a result, only the user who generated the key can revoke, delete, or otherwise modify the key.

1.2.2.1.1 Format of an X Authority File Entry

display-name protocol token

display-name

Identifies the name of the X display to which you are authorizing access. The display name follows the format used by the X Window System:

[transport/][host][:]:server[.screen]

This format enables you use a single X authority file to grant varying levels of access to different X display servers and connection families.

For example, the following entries grant access to the local (:0) display server on node HUBBUB and the remote display server on node ZEPHYR via the DECnet transport:

local/HUBBUB:0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0 MIT-MAGIC-COOKIE-1 cfcc5ef98f9718f90154f355c0ae9f62

• transport/
  Identifies the network transport used to connect to an X display server. Valid values are TCPIP/, DECNET/, or LOCAL/. If a transport value is not specified, the default value is interpreted from the format of the remaining portions of the display-name entry, for example:
  • Host address and one colon (116.94.24.187:0) (TCP/IP)
  • No host name or address and two colons (::0) (DECnet)
  • No host name or address and one colon (:0) (local)
• host[:]
  Identifies the name of the host system where the X display server is located. A value of 0 is interpreted as the local host, which is the default. The type of host is determined by the transport value. The host name can be in the format of a recognized IP address, DECnet node specification, or local host identifier, as follows:
  • 116.94.24.187 (IP address)
  • ZEPHYR: (DECnet node)
  • 0 (local)
• :server
  Identifies the server. This value is required and must be preceded by a single colon (:). Typically the value for a single-server system is :0. If you are specifying a display on a multi-server system (such as when using a proxy server), additional values may apply depending on the number of servers in the configuration.
• .screen
  Identifies the screen. On OpenVMS Alpha systems, the screen value is not held in the X authority file and is ignored when included in a command. All screens on a single server have the same authorization.

protocol

Indicates the authentication protocol in use. Valid values are MIT-MAGIC-COOKIE-1 and MIT-KERBEROS-5.

token

A random alphanumeric string that functions as a password authorizing a server connection. The format of the token depends on the authentication scheme in use. MIT-MAGIC-COOKIE-1 uses a 128-bit string known as a magic cookie. MIT-KERBEROS-5 uses an encrypted string, which is cached separately.

1.2.2.1.2 Specifying an X Authority File

By default, the X authority file referenced by client applications and the xauth utility is defined as SYS$LOGIN:DECW$XAUTHORITY.DECW$XAUTH.

You can create alternate X authority files and switch between them using the DECW$XAUTHORITY logical. For example, the following command changes the X authority file in use for the current DECwindows Motif session to UNTRUSTED.DECW$AUTH:

$  DEFINE DECW$XAUTHORITY SYS$MANAGER:[SYSMGR]UNTRUSTED.DECW$XAUTH

The logical definition remains in use until it is redefined or an alternate value is specified using the SET DISPLAY/XAUTHORITY command.

1.2.2.2 Invoking xauth and Entering Commands

You can choose to enter commands interactively from DCL, or enter the utility and issue commands from the xauth command line.

For example, the following sets of commands each invoke xauth and display the current entries in the default X authority file:

From DCL:

$ XAUTH LIST
local/ZEPHYR:0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62

From the xauth command line:

$ XAUTH
Using authority file SYS$SYSROOT:[SYSMGR]DECW$XAUTHORITY.DECW$XAUTH
xauth> LIST
local/ZEPHYR:0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
xauth>EXIT
$

Note that SYS$LOGIN:DECW$XAUTHORITY.DECW$XAUTH is the default X authority file. If you want to work with an alternate file, use the -f option on the command line to specify the filename, as follows:

$ XAUTH -f SYS$SYSROOT:[SYSMGR]UNTRUSTED.DECW$XAUTH
Using authority file SYS$SYSROOT:[SYSMGR]UNTRUSTED.DECW$XAUTH
xauth>

Tips and Shortcuts

• If you are working with an X authority file other than the default, and plan to enter a series of commands, use the XAUTH -f command to enter the utility; then issue the subsequent commands from the utility command line. Otherwise, you will need to reenter the fully-qualified filename with each xauth command issued from the DCL command line.
• When adding a file entry, you can specify a period (.) in place of the value MIT-MAGIC-COOKIE-1. The period is replaced by the name of the authentication protocol.

To display a brief list of the available xauth commands or a summary of their function, issue either the XAUTH ? or XAUTH HELP command.

1.2.2.4 Creating an X Authority File

Use the XAUTH -f ADD command to manually create an X authority file. You must manually create an X authority file for the server when enabling authentication outside of a DECwindows Motif session. You can also choose to create additional user X authority files to store alternate authentication settings, such as for authorizing untrusted network connections.

An X authority file name can consist of any characters currently supported by OpenVMS Alpha; however, the file extension is restricted to a maximum of 37 characters and version numbers are not allowed.

The -f option specifies the name of the X authority file, and the ADD command creates the file by adding an entry. If you do not enter a fully-qualified filename, the new X authority file is written to the current directory by default.

For example, the following command creates a new X authority file UNTRUSTED.DECW$XAUTH to be used to authorize untrusted network connections:

$ XAUTH -f UNTRUSTED.DECW$XAUTH ADD :0 .
cfcc5ef98f9718f90154f355c0ae9f62

To assist with debugging file access and write issues, xauth includes a command that displays summary information about a particular X authority file. Use the XAUTH INFO command to display information about an X authority file, such as the current lock status and change history.

For example, the following command displays summary information about the X authority file UNTRUSTED.DECW$XAUTH:

$  XAUTH -f SYS$SYSROOT:[SYSMGR]UNTRUSTED.DECW$XAUTH INFO
Authority file:      SYS$SYSROOT:[SYSMGR]UNTRUSTED.DECW$XAUTH
File new:            no
File locked:         yes
Number of entries:   2
Changes honored:     yes
Changes made:        no
Current input:       command line

Each X authority file assumes the default protections of the account and directory in which it resides. If you have the appropriate privileges, you can view or edit the contents of an X authority file. To ensure the appropriate level of security, access to this file is typically limited to either the local SYSTEM account, the file owner, or both.

Displaying File Entries

Use the XAUTH LIST command to display the contents of an X authority file. Entries are displayed in the order in which they were added to the file (most recent, last).

For example, the following XAUTH command displays the entries in the X authority file UNTRUSTED.DECW$XAUTH:

$  XAUTH -f UNTRUSTED.DECW$XAUTH LIST
local/ZEPHYR:0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
116.94.24.187:0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62

To limit the list to entries related to a particular display, enter the display name at the end of the XAUTH LIST command, as follows:

$ XAUTH -f UNTRUSTED.DECW$XAUTH LIST ZEPHYR::0
decnet/ZEPHYR::0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62

Adding and Removing File Entries

Use the XAUTH ADD and XAUTH REMOVE commands to add entries to or delete entries from an X authority file.

For example, the following X authority file has a single entry for the LOCAL transport on node ZEPHYR. To use the same authorization key for the DECnet transport and to allow remote access to HUBBUB, you could add the following entries to the X authority file UNTRUSTED.DECW$XAUTH:

$  XAUTH -f UNTRUSTED.DECW$XAUTH
Using authority file untrusted.decw$xauth
xauth>  LIST
local/ZEPHYR:0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
xauth>  ADD ::0 . cfcc5ef98f9718f90154f355c0ae9f62
xauth>  ADD HUBBUB::0 . cfcc5ef98f9718f90154f355c0ae9f62
xauth>  LIST
local/ZEPHYR:0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
decnet/HUBBUB::0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
xauth> EXIT
Writing X authority file untrusted.decw$xauth

To discontinue remote access to HUBBUB, you could use the XAUTH REMOVE command to remove the entry, as follows:

$  XAUTH -f UNTRUSTED.DECW$XAUTH
Using authority file untrusted.decw$xauth
xauth> REMOVE HUBBUB::0
1 entries removed
xauth> LIST
local/ZEPHYR:0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
decnet/ZEPHYR::0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
xauth> EXIT
Writing X authority file untrusted.decw$xauth

Copying Entries Between X Authority Files

Use one or more of the following XAUTH commands to copy entries for a particular display from one X authority file to another.

This enables you to use an existing entry to grant another user access to a particular display or to obtain access to a remote host from the current display device.

• EXTRACT -- Creates a new X authority file whose entries match those in the original file.
• MERGE -- Appends the contents of one file to another, replacing entries for the same display name or adding entries for different names.
• NEXTRACT and NMERGE -- These commands are designed to be used with the PIPE command. NEXTRACT extracts file entries in a text format that can then be used as input for the NMERGE command.
  For example, the following command extracts the X authority file entry for the local transport (:0) from the file UNTRUSTED.DECW$XAUTH and adds it to a new X authority file NEW_XAUTHORITY.DECW$XAUTH:

  $ PIPE XAUTH -f UNTRUSTED.DECW$XAUTH NEXTRACT SYS$OUTPUT :0 | - _$ XAUTH -f NEW_XAUTHORITY.DECW$XAUTH NMERGE SYS$INPUT

These commands can also be used with the rsh command to copy entries from an X authority file on an OpenVMS host to an X authority file on a remote UNIX system. For example, the following command extracts the entry for TCP/IP access (TCPIP/0:0) and adds it to the current file for user SMITH on the remote Tru64 UNIX system FLOPSY:

$  PIPE XAUTH -f UNTRUSTED.DECW$XAUTH NEXTRACT - TCPIP/0:0 | -
_$ rsh/user=smith/password=secret flopsy "xauth nmerge -"

If the SECURITY and XC-APPGROUP extensions are enabled, additional authorization keys can be created during a session. These keys can then be used to further restrict server access. Generated keys can be revoked individually, set to timeout, and restrict operations performed over the connection.

Use the XAUTH GENERATE command to produce a new authorization key. For example, the following commands generate and display a new key for the local display and write the key to the UNTRUSTED.DECW$XAUTH:

$  XAUTH -f UNTRUSTED.DECW$XAUTH
Using authority file untrusted.decw$xauth
xauth> LIST :0
local/ZEPHYR:0  MIT-MAGIC-COOKIE-1  cfcc5ef98f9718f90154f355c0ae9f62
xauth> GENERATE :0
xauth> LIST :0
local/ZEPHYR:0  MIT-MAGIC-COOKIE-1  cfcc4ff77f3709c46222c355f0ea1c93
xauth> EXIT
Writing X authority file untrusted.decw$xauth

The Keyboard Compiler utility (xkbcomp) compiles X Keyboard source files into loadable X Keyboard layout (.XKM) files. Using xkbcomp, you can customize the standard layouts provided with the X Window System by creating or modifying the component source files.

To run this utility, define xkbcomp as a foreign command:

$ xkbcomp == "$SYS$SYSTEM:DECW$XKBCOMP"

The command format for xkbcomp is as follows:

$ xkbcomp [-options...] input-file [output-file]

The X server maintains a database of keyboard components and common keyboard mappings. When combined, these components provide a complete description of a keyboard and its behavior.

The server loads the database from the compiled keymap file specified by the DECW$SERVER_XKEYBOARD_MAP parameter. This file is located in the directory defined by the DECW$SERVER_XKEYBOARD_COMPILED_DIR parameter. If the compiled keymap file does not exist, the server runs xkbcomp to compile the file from its component sources.

The following keyboard component source files comprise the database and are used to produce the loadable keymap files:

• Keymap source files -- These are the upper-level source files that are specified as input files on the xkbcomp command line. These files are stored in the KEYMAP.DIGITAL subdirectory of the root directory specified by the DECW$SERVER_XKEYBOARD_DIRECTORY parameter. There is one keymap file for each supported language variant, for example:
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.KEYMAP.DIGITAL]US
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.KEYMAP.DIGITAL]JAPANESE
  
  The keymap source files reference the following component source files during the compilation to produce complete, loadable keymap (.XKM) file.
• Keycode component source files -- These files specify the range and interpretation of the raw keycodes reported by the input device. They set the keycode symbolic names, the minimum and maximum legal keycodes for the keyboard, and the symbolic name for each key.
  The keycode files can also contain aliases for keys, symbolic names for indicators, and a description of which indicators are physically present.
  The keycode component source files are stored in the KEYCODES.DIGITAL subdirectory of the root directory specified by the DECW$SERVER_XKEYBOARD_DIRECTORY parameter, for example:
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.KEYCODES.DIGITAL]LK
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.KEYCODES.DIGITAL]PC
• Types Source Files -- These files specify the layout types that can be associated with the various keyboard keys. They affect the types symbolic name and the list of layout types associated with the keyboard.
  The types component can also contain real modifier bindings and symbolic names for one or more virtual modifiers.
  These files are stored in the TYPES subdirectory under the root directory specified by the DECW$SERVER_XKEYBOARD_DIRECTORY parameter, for example:
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.TYPES]BASIC
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.TYPES]DEFAULT
• Compatibility Map Source Files -- These files specify the rules used to assign actions to keyboard symbols (keysyms) based on the XKB capability (aware or unaware) between the client and server. The XKB capability is determined through the following compatibility transformations:
  • XKB extension state to core state
  • Core keyboard mapping to XKB keyboard mapping
  • XKB keyboard mapping to C core keyboard mapping
  
  The compatibility map component affects the compatibility symbolic name, the symbol compatibility map, and the group compatibility map. This component can also specify maps for indicators, as well as real modifier bindings and symbolic names of some virtual modifiers.
  The compatibility map source files are stored in the COMPAT subdirectory under the root directory specified by the DECW$SERVER_XKEYBOARD_DIRECTORY parameter, for example:
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.COMPAT]BASIC
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.COMPAT]DEFAULT
• Symbols Source Files -- These files specify the symbols bound to each keyboard key. They affect the symbols symbolic name, a key symbol mapping for each key, the keyboard modifier mapping, and the symbolic names for the keyboard symbol groups. The symbols component can also contain explicit actions and behaviors for some keys, or the real modifier bindings and symbolic names for some virtual modifiers.
  The symbols source files are stored in the SYMBOLS and SYMBOLS.DIGITAL subdirectories under the root directory specified by the DECW$SERVER_XKEYBOARD_DIRECTORY parameter, for example:
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.SYMBOLS]US
  • DECW$SYSCOMMON:[SYS$KEYMAP.XKB.SYMBOLS.DIGITAL]SWISS_FRENCH
• Geometry Source Files -- These files define the geometry of the keyboard. They define the geometry symbolic name and the keyboard geometry description. The geometry component can also contain aliases for keys or symbolic names for indicators and might affect the set of indicators that are physically present. Key aliases defined in the geometry component of a keyboard mapping override those defined in the keycodes component.
  These files are stored in the GEOMETRY subdirectory under the root directory specified by the DECW$SERVER_XKEYBOARD_DIRECTORY parameter, for example:
  • DECW$SYSCOMMON: [SYS$KEYMAP.XKB.GEOMETRY.DIGITAL]LK
  • DECW$SYSCOMMON: [SYS$KEYMAP.XKB.GEOMETRY.DIGITAL]PC
• Other Directories -- The SEMANTICS subdirectory of the base directory DECW$SERVER_XKEYBOARD_DIRECTORY contains a set of files that define the default semantics for keyboard types and compatibility components.
  Files in the base directory DECW$SERVER_XKEYBOARD_DIRECTORY and in subdirectories TMP and RULES are used by the server and should not be modified.