#!/bin/sh
# ~jhs/bin/.sh/xauth.sh
# http://www.berklix.com/~jhs/bin/.sh/xauth.sh
# Installed to /site/usr/local/bin/xauth.sh by:
#	 cd ~/public_html/bin/.sh ; touch xauth.sh; make install
# Executed from /usr/local in case ~jhs is not mounted.
#	ln -s /site/usr/local/bin/xauth.sh /usr/local/bin/xauth.sh

# This script exports X server display xauth permission to trusted client hosts.
# Can be called manually, but as it is now called by .xsession,
# one only needs to call it manually to export to remote hosts that have
# powered up since your xsession started on the display server.

# More Debugging 2021-12: See ~jhs/bin/.sh/xxdbg

# Debugging 9.2-RELEASE console X display with 2018-current client apps:
# xauth.sh invokes:	cat $tmp | ( rsh -t 200 $i xauth merge - )
# Test with:		rsh lapr who
# If local fails with	select: protocol failure in circuit setup
# Check if lapr /etc/inetd.conf has:
#	login stream tcp nowait root /usr/libexec/rlogind    rlogind -D
# Or
#	login stream tcp nowait root /usr/local/sbin/rlogind rlogind -D
# & if inetd was just recently updated with
#	kill -HUP `cat /var/run/inetd.pid`
# Check these remote executes succeed from both fire & lapr:
#	echo 1 2 + p | ssh fire dc
#	echo 1 2 + p | ssh lapr dc
#	rlogin fire
#	rlogin fire.js.berklix.net
#	rlogin lapr
#	rlogin lapr.js.berklix.net
#	rlogin localhost
#	rsh	fire who
#	rsh	lapr who
#	rsh	localhost who

# If rsh lapr errors "rsh: can't exec /usr/bin/rlogin"
# then, as rlogin & rsh were moved out of src/ in newer FreeBSD, install them:
#	cd /usr/ports/net/bsdrcmds; make install
#	ln -s /usr/local/bin/rlogin	/usr/bin/rlogin
#	ln -s /usr/local/bin/rsh	/usr/bin/rsh

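# Choose the hosts that will be handed this display's X authority record.
# Security note: every host named here receives the display cookie, and
# anyone who can read the merged authority on that host can connect to this
# display, so keep these lists to hosts that are fully trusted.
if [ "$#" -ne 0 ]; then
	# Arguments were supplied, so assume them to be a list of host names.
	hosts="$*"
else
	# No arguments were supplied, so use a standard list of host names,
	# selected by the domain part of this machine's name.
	hfull=$(hostname)
	hshort=$(hostname -s)
	# Strip the leading "<short name>." as a literal, anchored prefix.
	# (The earlier sed form treated "." as "any character" and matched
	# anywhere in the name.)
	domain=${hfull#"$hshort".}
	case "$domain" in
	bsn.com)
		hosts="tower.berklix.org cebulon gast"
		;;
	js.berklix.net)
		# Called with its path, else .xsession calling xauth.sh
		# complains to .xsession-errors :
		#	/home/jhs/bin/.sh/xauth.sh: hosts: not found
		hosts="$(~jhs/private/bin/.sh/hosts)"
		;;
	berklix.org)
		hosts="slim land"
		;;
	xx.berklix.net)	# laptop returning
		hosts="fire"
		;;
	no.berklix.net)	# laptop roaming
		# Avoid .xsession with lapr.no.berklix.net complaining
		# xauth: (argv):1: bad display name "lapr.no.berklix.net:0"
		#	in "extract" command
		exit 1
		;;
	*)	# default
		echo "No domain recognised by $0"
		hosts=""
		;;
	esac
	# echo "Hosts: $hosts"
fi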

# Extract a record.
#	( This fails to extract, if X was started by hand with xinit rather
#	than from xdm, probably because only xdm calls X with -auth as here:
#		/usr/local/bin/X -auth \
#			/usr/local/lib/X11/xdm/authdir/authfiles/A:0-GiG361
#	whereas xinit does not.
#	)

# Example of display server authorising client host lapr
#	rsh lapr xauth list
#	rsh lapr xauth remove fire.js.berklix.net:0
#	xauth extract - `hostname`:0 | rsh -t 8 lapr xauth merge -

# Extract screen authority,
# Scratch file for the extracted authority record, named after this shell's
# PID. The record holds the display cookie, and the name is predictable, so
# this assumes $HOME/tmp is writable only by its owner -- TODO confirm.
tmp="${HOME}/tmp/.xauth.sh.$$"

# xauth extract - `printenv DISPLAY` > $tmp
# Line above works on ncd, but not if using a local host as display.

# After a new X starts on host=fire 9.2-RELEASE: xauth list
#	fire.js.berklix.net:0       MIT-MAGIC-COOKIE-1   ................................
#	name.js.berklix.net:0       MIT-MAGIC-COOKIE-1   ................................
#	fire.js.berklix.net/unix:0  MIT-MAGIC-COOKIE-1   ................................
#	fire.js.berklix.net:0       XDM-AUTHORIZATION-1  ................................
#	name.js.berklix.net:0       XDM-AUTHORIZATION-1  ................................
#	fire.js.berklix.net/unix:0  XDM-AUTHORIZATION-1  ................................

#   Why are there no:
#	name.js.berklix.net/unix:0  XDM-AUTHORIZATION-1
#	name.js.berklix.net/unix:0  MIT-MAGIC-COOKIE-1

# 6 Above Come From:
#   ifconfig -a
#	inet 192.168.91.41 netmask 0xffffff00 broadcast 192.168.91.255
#	inet 192.168.91.11 netmask 0xffffffff broadcast 192.168.91.11
#   /site/domain/js.berklix.net/etc/namedb/master/js.berklix.net.rev
#	11      IN      PTR     name.js.berklix.net.
#	41      IN      PTR     fire.js.berklix.net.

# After a new X starts on host=fire 12.2-RELEASE: xauth list
#	fire.js.berklix.net:0  MIT-MAGIC-COOKIE-1       ................................
#	name.js.berklix.net:0  MIT-MAGIC-COOKIE-1       ................................
#	[fe80::1]:0  MIT-MAGIC-COOKIE-1                 ................................
#	fire.js.berklix.net/unix:0  MIT-MAGIC-COOKIE-1  ................................

# Note missing: XDM-AUTHORIZATION-1

# 4 Above Come From: ifconfig -a
#	rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
#	        inet 192.168.91.41 netmask 0xffffff00 broadcast 192.168.91.255
#	        inet 192.168.91.11 netmask 0xffffffff broadcast 192.168.91.11
#	lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
#	        inet6 ::1 prefixlen 128
#	        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
#	        inet 127.0.0.1 netmask 0xff000000

# xauth extract - `hostname`:0 > t
# If the above reports:
#	No matches found, authority file "-" not written
# Then all entries have been removed with commands such as
#	xauth remove	fire.js.berklix.net/unix:0
#	xauth remove	fire.js.berklix.net:0
#	xauth remove	name.js.berklix.net:0

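# Write the authority record for this host's display :0 into $tmp.
# The record contains the display's secret cookie, so the file is created
# under a restrictive umask; the subshell keeps the umask change local to
# this one command. A $tmp that already exists keeps the mode it had.
( umask 077 ; xauth extract - "$(hostname):0" > "$tmp" )
# Line above works on local hosts, but not if using the ncd:0.0 X terminal.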

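# If the chroot tree has a matching tmp directory, drop a copy of the
# authority record there so it can be merged by hand from inside the chroot.
chroot=/chroot
if [ -d "$(dirname "$chroot$tmp")" ]; then # {{
	# echo "Doing cd $chroot$tmp"
	# The copy carries the same display cookie, so it is created
	# owner-only regardless of the caller's umask. The hint is printed
	# only when the copy actually succeeded.
	if ( umask 077 ; cp "$tmp" "$chroot/$tmp" ); then
		echo "Suggestion within $chroot do:"
		echo "	cat $tmp | xauth merge -"
	fi
	# The former comment-only "else" branch is dropped: POSIX grammar
	# needs at least one command there, and bash rejects an empty one.
fi	# }}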

# ls -l $tmp
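# Send the extracted authority record to every host in $hosts, in parallel.
# $hosts is left unquoted on purpose so that it splits into one word per host.
for i in $hosts; do
	# echo START $i
	# Export screen access authority to each trusted host.
	# Former rsh form, kept for reference (rsh does not encrypt, so the
	# cookie crossed the network in the clear):
	# cat $tmp | ( rsh -t 200 $i xauth merge - ) 2> /dev/null &
	# "--" ends ssh option parsing, so a name that begins with "-" is
	# taken as a host name and never as an ssh option.
	cat "$tmp" | ( ssh -- "$i" xauth merge - ) 2> /dev/null &
	# echo -n "$i "
	# 2>		To hide EG	sunx: Operation timed out
	# '&':		Speeds up the results, and avoids hanging
	#		on some host that may be powered off.
	# Brackets:	Avoids subsequent hosts not being run, after a
	#		previous host rsh fails, perhaps from an
	#		rsh related permission problem.
	# rsh -t 200:	Change the wait per host (default ~75 seconds).
	#		If name $i is slow to resolve, EG if
	#		named is misconfigured, it can take 120 seconds
	#		just to do "rsh wall who".
	# Race Conditions:
	#		This:
	#			( cat $tmp | rsh $i xauth merge - ) &
	#		is no longer used, as I saw failures where the rm
	#		would run before the asynchronous process completed.
	#		This also failed sometimes:
	#			(rsh $i xauth merge - < $tmp > /dev/null ) &
	#		(Hence cat stays outside the brackets above.)
	# Failures:
	# If "ssh john true" produces "Password:"
	#	cd /host/john/home/jhs/.ssh ;
	#	cat /host/fire/home/jhs/.ssh/*.pub >> authorized_keys
	# If "rsh lapr who" produces "select: protocol failure in circuit setup"
	#		tail /host/lapr/var/log/messages
	#		cannot execute /usr/libexec/rshd
	#		FreeBSD butchers removed /usr/bin/rlogin etc so
	#		cd /usr/ports/net/bsdrcmds; make ; make install
	#		ln -s /usr/local/sbin/rshd /usr/libexec/rshd
	#		ln -s /usr/local/bin/rlogin /usr/bin/rlogin
	# echo Finishing $i
	# FreeBSD 12.1-RELEASE: man rsh: deprecated, use /usr/ports/net/bsdrcmds
	#	/usr/local/bin/rcp
	#	/usr/local/bin/rlogin
	#	/usr/local/bin/rsh
	#	/usr/local/sbin/rlogind
	#	/usr/local/sbin/rshd
done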
# echo	""	# Clear the line after printing host names.
# ( wait ; rm -f $tmp )
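# Delayed clean-up of both copies of the authority record. The delay gives
# the background transfers time to read $tmp; until it expires the display
# cookie stays on disk. Paths are quoted and preceded by "--" so that an
# unusual $HOME cannot split the path or be read as an rm option.
( sleep 60 ; rm -f -- "$tmp" ) &
( sleep 300 ; rm -f -- "$chroot$tmp" ) &	# longer as prior usage is manual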
