X server Token Authentication 

The X server can control access to a display through the use of a magic cookie (the MIT-MAGIC-COOKIE-1 authorization protocol). This is essentially a machine-readable, randomly generated access code. Each X client must present the same magic cookie value to the server when it connects before it is allowed access; the cookie is a shared secret handed to the server as-is, so anyone who obtains it can connect. On the client side the value is stored in the file .Xauthority in the user's home directory. It can be created either by the X Display Manager or by the user (with xauth) at the beginning of each session.

The xauth program is used for displaying and editing the authorization information in the user's .Xauthority file. Once the magic cookie has been extracted from that file, it can be sent to a remote host. On that remote host, xauth is used again to merge the magic cookie into the user's .Xauthority file there. Assuming a .rhosts file is set up for the user, pushing the authorization information to a remote host (let's say ahost.foo.org) can be done with one command:

xauth extract - $DISPLAY | rsh ahost.foo.org xauth merge -

The first command writes the authorization entry for the current display ($DISPLAY) to standard output (the dash). This is piped to the remote shell command, which runs xauth on the machine ahost.foo.org; there the entry is read from standard input (again, the dash) and merged into the .Xauthority file. The result is that the user who executed this command can now run X clients on ahost.foo.org and have them displayed on the local X server. Two caveats apply to this one-liner. First, xauth extract writes the entry in the same binary form as the .Xauthority file itself; the nextract and nmerge commands do the same job in a numeric (printable) form that can be inspected with xauth nlist and survives copy-and-paste. Second, rsh carries the cookie across the network in the clear, so anyone who can sniff the connection learns the secret; ssh should be used instead (and ssh -X, which forwards the display under a cookie of its own, avoids copying the real cookie at all). It is also important to have the permissions set correctly for the .Xauthority file: it should be readable and writable by the owner only (that is, "-rw-------", mode 0600). Furthermore, beware of NFS-exporting a home directory, even read-only! It may be mounted on another machine, allowing the .Xauthority file, and with it the cookie, to be read.

Note the key improvement here over host-based access control with xhost, which admits every user on a permitted host. The user who ran this command is now the only user on ahost.foo.org who can connect an X client to their X server (provided the .Xauthority file there is readable by that user alone). All other users on ahost.foo.org are still blocked out of this X session.
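The pieces of the procedure above, as an added shell example that is not part of the original page: it generates a cookie of the size MIT-MAGIC-COOKIE-1 uses, builds the numeric entry that xauth nlist/nextract print for it (address family, address, display number, authorization name and data, each as a four-digit hex length followed by the hex value), checks that an authority file has the "-rw-------" mode the text calls for, and wraps the one-liner with ssh in place of rsh. The host names (chaos, ahost.foo.org), the display number and the IP address are assumptions for the demonstration; push_cookie is defined but not run here, since it needs xauth on both ends and a login on the remote host.

```shell
#!/bin/sh
# Added example (not from the original page): MIT-MAGIC-COOKIE-1 entries
# in xauth's numeric form, plus the permission check the text requires.
# Host names, display number and IP address below are assumptions.

# hex_of STRING: STRING as lower-case hex digits, no separators.
hex_of() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# gen_cookie: 16 random bytes as 32 hex digits, the size xdm and mcookie
# generate for MIT-MAGIC-COOKIE-1.
gen_cookie() {
    od -An -v -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# nlist_entry FAMILY ADDRESS DISPLAYNUM COOKIEHEX
# FAMILY is "local" (Unix socket; ADDRESS is the host name, family 0x0100)
# or "inet" (TCP; ADDRESS is dotted IPv4, family 0x0000). The output line
# has the layout xauth nlist prints:
#   family addrlen addr numlen num namelen name datalen data   (all hex)
nlist_entry() {
    fam=$1; addr=$2; num=$3; cookie=$4
    case $fam in
        local) famhex=0100; addrhex=$(hex_of "$addr") ;;
        inet)  famhex=0000
               addrhex=$(printf '%02x%02x%02x%02x' $(printf '%s' "$addr" | tr . ' ')) ;;
        *)     echo "unknown family: $fam" >&2; return 1 ;;
    esac
    name=MIT-MAGIC-COOKIE-1
    printf '%s %04x %s %04x %s %04x %s %04x %s\n' \
        "$famhex" $(( ${#addrhex} / 2 )) "$addrhex" \
        ${#num} "$(hex_of "$num")" \
        ${#name} "$(hex_of "$name")" \
        $(( ${#cookie} / 2 )) "$cookie"
}

# authority_mode_ok FILE: succeed only if FILE is a regular file readable
# and writable by its owner alone, i.e. ls shows "-rw-------".
authority_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# new_authority FILE: create an empty authority file that is mode 0600
# from the moment it exists, so it is never briefly world-readable.
new_authority() {
    ( umask 077 && : > "$1" ) && chmod 600 "$1"
}

# push_cookie HOST DISPLAY: the page's rsh one-liner over ssh, in numeric
# form. Needs xauth on both ends and an ssh login on HOST; not run here.
push_cookie() {
    xauth nextract - "$2" | ssh "$1" xauth nmerge -
}

# Stand-alone demonstration: ./cookie.sh demo
if [ "${1:-}" = demo ]; then
    c=$(gen_cookie)
    nlist_entry local chaos 0 "$c"          # what a local-socket client looks up
    nlist_entry inet 127.0.0.1 0 "$c"       # what a TCP client to that address looks up
    tmp=$(mktemp) && new_authority "$tmp" && authority_mode_ok "$tmp" \
        && echo "mode ok: $tmp"
    rm -f "$tmp"
fi
```

Run it with the argument demo to see the two generated entries. Entries are keyed by family and address: the local form (family 0100, address = host name) is what a client using the Unix socket on this machine looks up, while a client on ahost.foo.org connecting to chaos:0 over TCP looks up the Internet form (family 0000, address = the four IP bytes), so the entry merged on the remote side has to be the one matching the address the client will connect to. Lines in this numeric form are loaded into a real (binary) .Xauthority with xauth nmerge.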

Testing history

xauth extract - $DISPLAY | ssh -v sunny /usr/X11R6/bin/xauth merge -
  • If xauth alone is specified, ssh complains that xauth is not found.
  • The remote program is invoked but does not work.
  • "xauth list" on the client side shows nothing changed.

    xauth extract - $DISPLAY | ssh -v sunny cat -

— yes, shows exactly the same as locally!?

xauth extract - chaos:0

— from chaos and from iitrc, produces the same result