Ora

What does xauth list do?

Published in X Authority Management

The xauth list command displays the authorization entries, often referred to as "magic cookies," that are currently stored in a user's X authority file. This file, typically located at ~/.Xauthority, contains the credentials that X clients (applications) present to be allowed to connect to the X server (display).

Understanding X Authority and xauth

The xauth command is a utility designed to manage authorization information used when connecting to an X server. It allows users to edit and display these authorization records. Its broader utility includes extracting authorization records from one machine and merging them into another, which is particularly useful for scenarios involving remote logins or granting access to other users for their X displays.

X authorization relies on a "magic cookie" system, where a unique string of characters is shared between the X server and authorized X clients. If a client presents the correct cookie, it is granted access to the display.

How xauth list Works

When you execute xauth list, the command reads the contents of your default X authority file (or a specified file using the -f option) and prints each authorization entry. Each entry typically includes:

  • The display name (e.g., :0, localhost:10.0, remotehost:0.0), which specifies the X server it pertains to.
  • The authorization protocol (e.g., MIT-MAGIC-COOKIE-1).
  • The magic cookie itself, represented as a hexadecimal string.

Example Output:

yourhost/unix:0  MIT-MAGIC-COOKIE-1  abcdef0123456789abcdef0123456789
yourhost:10.0   MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210

In this example, two entries are shown: one for a local Unix domain socket connection to display :0, and another for a TCP connection to display :10.0 on yourhost.
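What that read-and-print step involves, as an added example that is not code from this page or from the xauth project: a Python parser for the authority file's on-disk records (a big-endian 16-bit family code followed by four length-prefixed fields, a layout this page does not describe) that renders them in the three-column form shown above. It goes beyond the text by assuming a constructed two-record sample, printing IPv4 addresses without a hostname lookup, using its own hex fallback for other address families, and hiding cookies by default so the listing can be logged safely.

```python
import struct

FAMILY_INTERNET, FAMILY_LOCAL = 0, 256  # family codes stored in each record

def _u16(buf, off):  # 2-byte big-endian integer
    if off + 2 > len(buf):
        raise ValueError("truncated record")
    return struct.unpack_from(">H", buf, off)[0], off + 2

def _counted(buf, off):  # length-prefixed byte string
    n, off = _u16(buf, off)
    if off + n > len(buf):
        raise ValueError("field runs past end of data")
    return buf[off:off + n], off + n

def parse_xauthority(buf):
    """Parse an authority file image into one dict per record."""
    entries, off = [], 0
    while off < len(buf):
        family, off = _u16(buf, off)
        address, off = _counted(buf, off)
        number, off = _counted(buf, off)
        protocol, off = _counted(buf, off)
        cookie, off = _counted(buf, off)
        entries.append({"family": family, "address": address, "cookie": cookie,
                        "number": number.decode("ascii"), "protocol": protocol.decode("ascii")})
    return entries

def display_name(e):  # first column of the listing, e.g. yourhost/unix:0
    if e["family"] == FAMILY_LOCAL:
        host = e["address"].decode("ascii", "replace") + "/unix"
    elif e["family"] == FAMILY_INTERNET and len(e["address"]) == 4:
        host = ".".join(map(str, e["address"]))  # simplification: no reverse DNS lookup
    else:  # fallback chosen for this example: raw family code and address in hex
        host = "#%04x#%s#" % (e["family"], e["address"].hex())
    return host + ":" + e["number"]

def list_lines(buf, redact=True):
    """Render 'display  protocol  cookie' lines; cookies are hidden unless redact=False."""
    return ["%s  %s  %s" % (display_name(e), e["protocol"],
                            "<%d bytes redacted>" % len(e["cookie"]) if redact else e["cookie"].hex())
            for e in parse_xauthority(buf)]

def _record(family, address, number, protocol, cookie):  # builds the constructed sample below
    fields = (address, number.encode(), protocol.encode(), cookie)
    return struct.pack(">H", family) + b"".join(struct.pack(">H", len(f)) + f for f in fields)

CONSTRUCTED_SAMPLE = (_record(FAMILY_LOCAL, b"yourhost", "0", "MIT-MAGIC-COOKIE-1", bytes.fromhex("abcdef0123456789" * 2))
                      + _record(FAMILY_INTERNET, bytes([192, 0, 2, 10]), "10", "MIT-MAGIC-COOKIE-1", bytes.fromhex("fedcba9876543210" * 2)))
```

To inspect a real file, pass its bytes to list_lines, for example the contents of ~/.Xauthority opened in binary mode.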

Why Use xauth list?

Using xauth list is beneficial for several reasons:

  • Troubleshooting X Connection Issues: If you're having trouble launching X applications or connecting to an X display (e.g., receiving "cannot open display" errors), xauth list can help you verify if the necessary authorization records exist for the target display.
  • Verifying Authorization: It provides a quick way to see what displays your current user is authorized to access and with which specific cookies.
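  • Security Auditing: While not a primary security tool, it can help in understanding which display authorizations are active for your user. Because the listing includes the cookies themselves, and presenting a correct cookie is what grants access to the display, treat the output as a credential when copying it into tickets or logs.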
  • Remote Access Context: When setting up X forwarding over SSH or managing authorization for remote X sessions, xauth list allows you to confirm that the xauth entries have been correctly added or propagated, ensuring secure access to remote X servers. This directly relates to xauth's capability to extract and merge authorization records for remote logins.

Practical Scenarios

  • Debugging SSH X Forwarding: If you connect via ssh -X user@remotehost and your X applications fail to launch, you can run xauth list on the remote host. You should see an entry for a display like localhost:10.0 (or similar), indicating that ssh has created and added a temporary authorization cookie. If it's missing, it points to an issue with X forwarding setup (e.g., X11Forwarding yes not enabled in sshd_config).
  • Manually Granting X Access: In rare cases where you might need to manually grant another user or process access to your X display, you could use xauth extract to pull a cookie into a file for the other account to merge; xauth list, run against the authority file it was merged into, would then confirm its presence.

Related xauth Commands

While xauth list is for viewing, other xauth subcommands provide more functionality:

  • xauth add <displayname> <protocol> <hexkey>: Manually adds a new authorization entry.
  • xauth remove <displayname>: Deletes an authorization entry.
  • xauth extract <filename> <displayname>...: Extracts authorization entries for specified displays into a file.
  • xauth merge <filename>: Merges authorization entries from a specified file into the current X authority file.