There are already good tools for setting up keys and passing them around. xdm sets up keys. xrsh passes them to remote clients. Host-based authorization isn't the only revokable access method. Anything that has principals, rather than passwords, has this advantage. In X11R6 there are two such schemes, MIT-KERBEROS-5 and SUN-DES-1. (SUN-DES-1 was also in R5.) So while you can't take an MIT-MAGIC-COOKIE away from someone, you can deny KRB:gildea@x.org further connection rights. See the Xsecurity(1) manual page for details. Note that none of these methods allow you to revoke the authorization of an already-connected client. < Stephen X Consortium