Hi, If you look at the output of "xauth list" on your favourite OpenBSD machine you might get a bit scared, especially if you have an IPv6 enabled network or if you travel and connect to various networks.
Most of the lines are there to allow TCP connexions to the IP adresss of the machine by the time you log into xenodm. But tcp connexions are disabled by default in the X server since a few years now, so those authorizations are useless. Also the recent discussion about dhcpleased and its asynchronous nature make it clear that there is no way that the IP addresses known at xenodm startup will not change during the lifetime of the session. The diff below tells xenodm to not add authorizations for tcp connexions, unless it's explicitely configured. Only the authorization for the local unix socket connections is created. To test, apply to /usr/xenocara/app/xenodm (note that you need the very recent commits I did earlier today) and run : make -f Makefile.bsd-wrapper obj make -f Makefile.bsd-wrapper clean make -f Makefile.bsd-wrapper doas make -f Makefile.bsd-wrapper install Then remove the old ~/.Xauthority file, full of useless lines and reboot. Once logged in check the contents of xauth list again. Comments ? ok ?
Index: include/dm.h
===================================================================
RCS file: /cvs/xenocara/app/xenodm/include/dm.h,v
retrieving revision 1.16
diff -u -p -u -r1.16 dm.h
--- include/dm.h 8 Mar 2021 17:54:28 -0000 1.16
+++ include/dm.h 8 Mar 2021 20:05:11 -0000
@@ -123,6 +123,7 @@ struct display {
 unsigned short *authNameLens; /* authorization protocol name lens */
 char *clientAuthFile;/* client specified auth file */
 int authComplain; /* complain when no auth for XDMCP */
+ int listenTcp; /* assume server is listening on TCP */
 /* information potentially derived from resources */
 int authNameNum; /* number of protocol names */
Index: man/xenodm.man
===================================================================
RCS file: /cvs/xenocara/app/xenodm/man/xenodm.man,v
retrieving revision 1.12
diff -u -p -u -r1.12 xenodm.man
--- man/xenodm.man 8 Mar 2021 17:54:28 -0000 1.12
+++ man/xenodm.man 8 Mar 2021 20:05:11 -0000
@@ -582,6 +582,21 @@ to occur, during which time the new auth
 The default is
 .Cm false ,
 which will work for all MIT servers.
+.It Ic DisplayManager. Ns Ar DISPLAY Ns Ic .listenTcp
+If set to
+.Cm true ,
+enable the
+.Ic listen Ic tcp
+option for the given X server.
+When this setting is set to
+.Cm false ,
+.Nm
+will only generate authorizations for the local (ie Unix socket)
+transport mechanism.
+Otherwise full authorization for all possible transport mechanisms
+will be generated.
+The default is
+.Cm false .
 .El
 .Sh CONFIGURATION FILE
 First, the
Index: xenodm/auth.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/auth.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 auth.c
--- xenodm/auth.c 8 Mar 2021 17:54:28 -0000 1.16
+++ xenodm/auth.c 8 Mar 2021 20:05:11 -0000
@@ -736,13 +736,14 @@ setAuthNumber (Xauth *auth, char *name)
 }
 static void
-writeLocalAuth (FILE *file, Xauth *auth, char *name)
+writeLocalAuth (FILE *file, Xauth *auth, char *name, int listenTcp)
 {
 Debug ("writeLocalAuth: %s %.*s\n", name, auth->name_length, auth->name);
 setAuthNumber (auth, name);
 #ifdef TCPCONN
- DefineSelf (file, auth);
+ if (listenTcp)
+ DefineSelf (file, auth);
 #endif
 DefineLocal (file, auth);
 }
@@ -762,8 +763,21 @@ SetUserAuthorization (struct display *d,
 struct stat statb;
 int i;
 int magicCookie;
+ char **arg;
+ int foundListen = 0;
 Debug ("SetUserAuthorization\n");
+ for (arg = d->argv; *arg!= NULL; arg++) {
+ if (strcmp(*arg, "tcp") == 0 && foundListen) {
+ Debug("setUserAuthorization: found listenTcp \n");
+ d->listenTcp = 1;
+ break;
+ }
+ if (strcmp(*arg, "-listen") == 0)
+ foundListen = 1;
+ else
+ foundListen = 0;
+ }
 auths = d->authorizations;
 if (auths) {
 home = getEnv (verify->userEnviron, "HOME");
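Review bot: The new `listenTcp` parameter of writeLocalAuth is only read inside the `#ifdef TCPCONN` block, so a build without TCPCONN gets an unused-parameter warning and the new gating silently has no effect there; an `#else` branch with `(void) listenTcp;` would make that explicit. The parameter is also undocumented at the definition, and since it decides whether per-host-address TCP entries are written at all, a line above the function such as `/* listenTcp: when set, also write the per-address TCP entries (DefineSelf); otherwise only the local transport entry */` would help the next reader.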
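Review bot: The argv scan added to SetUserAuthorization dereferences `d->argv` without a NULL check in `for (arg = d->argv; *arg!= NULL; arg++)`; if a display can reach this function without a locally started server having filled in `d->argv`, that is a NULL dereference, and `for (arg = d->argv; arg != NULL && *arg != NULL; arg++)` avoids it at no cost. The match is also narrower than the transport names the X server accepts after `-listen` (if I read Xserver(1) right, `inet` and `inet6` also enable TCP), so a server line using one of those would listen on TCP while xenodm writes no host-address cookies for it; either document that only the literal `tcp` spelling is recognised, or compare against those names as well. Minor style: the Debug string says `setUserAuthorization` while the function is `SetUserAuthorization`, and `*arg!= NULL` is missing a space before `!=`. SetUserAuthorization continues past the end of this hunk.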
@@ -813,7 +827,7 @@ SetUserAuthorization (struct display *d,
 !strncmp (auths[i]->name, "MIT-MAGIC-COOKIE-1", 18)) {
 magicCookie = i;
- writeLocalAuth (new, auths[i], d->name);
+ writeLocalAuth (new, auths[i], d->name, d->listenTcp);
 break;
 }
 }
@@ -893,7 +907,7 @@ RemoveUserAuthorization (struct display
 initAddrs ();
 doWrite = 0;
 for (i = 0; i < d->authNum; i++)
- writeLocalAuth (new, auths[i], d->name);
+ writeLocalAuth (new, auths[i], d->name, d->listenTcp);
 doWrite = 1;
 if (old) {
 if (fstat (fileno (old), &statb) != -1)
Index: xenodm/resource.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/resource.c,v
retrieving revision 1.6
diff -u -p -u -r1.6 resource.c
--- xenodm/resource.c 8 Mar 2021 17:54:28 -0000 1.6
+++ xenodm/resource.c 8 Mar 2021 20:05:11 -0000
@@ -169,6 +169,8 @@ struct displayResource serverResources[]
 "" },
 { "autoLogin", "AutoLogin", DM_STRING, boffset(autoLogin),
 "" },
+{ "listenTcp", "ListenTcp", DM_BOOL, boffset(listenTcp),
+ "false" },
 };
 #define NUM_SERVER_RESOURCES (sizeof serverResources/\
Index: xenodm/server.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/server.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 server.c
--- xenodm/server.c 11 Jul 2018 14:35:46 -0000 1.4
+++ xenodm/server.c 8 Mar 2021 20:05:11 -0000
@@ -86,6 +86,8 @@ StartServerOnce (struct display *d)
 snprintf (arg, sizeof(arg), "-auth %s", d->authFile);
 argv = parseArgs (argv, arg);
 }
+ if (d->listenTcp)
+ argv = parseArgs(argv, "-listen tcp");
 if (!argv) {
 LogError ("StartServer: no arguments\n");
 sleep ((unsigned) d->openDelay);
-- Matthieu Herrb
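Review bot: In StartServerOnce the added `if (d->listenTcp) argv = parseArgs(argv, "-listen tcp");` sits above the existing `if (!argv)` check, so if an earlier parseArgs call had already failed and left `argv` NULL, the new call either crashes on that NULL or (if parseArgs starts a fresh vector for a NULL argv) hands the server an argv made of nothing but `-listen tcp`, and the "no arguments" error below never fires. Moving the two added lines below the `if (!argv) { ... }` block, or guarding with `if (argv && d->listenTcp)`, keeps that check meaningful. A short comment is also worth adding, since `d->listenTcp` is fed both by the resource and by the server-line scan in SetUserAuthorization: `/* listenTcp resource: have the server accept TCP; auth.c also sets it when -listen tcp is on the server line */`. StartServerOnce begins before and continues after this hunk.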