There is a host S and a client L. S has started X Window, and L hasn't. Now I do this:
L$ xclock -display S:0 &
The window will be shown at S.
Then:
S# xhost -
to enable the control list; L will be refused the next time because it isn't on the list.
Finally, I want to make it so a user on L can do this:
S$ xauth extract - $DISPLAY | ssh -l USER L /usr/X11R6/bin/xauth merge -
But it is still refused. What's wrong? Is there a problem with my understanding?
I don't think that your initial statement is correct. A computer or terminal needs to have the x11r6 server running to be able to display the output on the screen. Also, without even a simple window manager, you will not have borders or menus displayed. (I am referring to computer S now.) The role of server/client is different than what many expect. The X11 server is what displays things on the screen, so it is the terminal machine running the server. The program running on the different machine is the client. Technically, both may need the server program running, but the remote machine doesn't need a window manager if it doesn't display anything.
There are security policies which may control the usage of xauth. Try reading /usr/share/doc/packages/pam/README.pam_xauth as well as the xauth man and info pages.
There is also a readme on x-windows access in the www.tldp.org web site. The NSA site has an x-windows security how-to that you could probably find using google.
But here I just want to test the authorization mechanism of X. In this condition, the X11 server is on host S (in fact I have started Gnome), the client program xclock is on L, and L does not start X.
Now I can run xclock on L but display the window on S; is that OK? But this means every user on L can access S's X server. How can I make it so that only one user on L can do this?
You need to read up on how your system controls this. For many distros the use of xauth is controlled by PAM. I already referred to the readme document for this. Other distros such as Slackware do not use PAM. Here you would need to manually merge the magic cookie from ~/.Xauthority on host L to the ~/.Xauthority on host S.
A user's .Xauthority file is only readable by the owner.
A better way may be to use ssh with X forwarding. The handling of the X-auth cookies and setting of $DISPLAY is done in the background. I've only used ssh to run programs remotely. I have rarely pushed an output like that. I think I just did it once as an experiment. However, I've used ssh on my laptop to run a program on my desktop, while displaying the program on the laptop.
If you also want sound to be played on the remote rather than the local machine, there may be more work and setup for this.
The highlighted portions are new. This is based on a Debian distro, but probably would apply closely to your situation (unless your setup already has this in place).
"merge the magic cookie from ~/.Xauthority on host L to the ~/.Xauthority on host S", but when I do this on console:
L$ xauth nextract - $DISPLAY
xauth: (argv):1: bad "nextract" command line
Then I run X and xterm on L:
xterm$ xauth nextract - $DISPLAY
No matches found, authority file "-" not written
xterm$ xauth nextract ~/.Xauthority $DISPLAY
No matches found, authority file "/home/USER/.Xauthory" not written
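The "No matches found" output above means the authority file holds no record for the requested display. As an added example (not part of the original thread, and a simplified model rather than xauth's own code), this Python code parses the authority-file record layout and models the merge step; the helper names, the addresses standing in for S and L, and the cookie bytes are all constructed for illustration.

```python
import socket
import struct

FAMILY_INTERNET, FAMILY_LOCAL, FAMILY_WILD = 0, 256, 65535

def pack_entry(family, address, number, name, data):
    """Serialise one record: 16-bit family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Parse authority-file bytes into (family, address, number, name, data) tuples."""
    entries, pos = [], 0
    while pos < len(blob):
        record = []
        for i in range(5):
            if pos + 2 > len(blob):
                raise ValueError("truncated record at offset %d" % pos)
            (value,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if i == 0:  # the first 16-bit word is the family itself
                record.append(value)
                continue
            if pos + value > len(blob):
                raise ValueError("field runs past end of file")
            record.append(blob[pos:pos + value])
            pos += value
        entries.append(tuple(record))
    return entries

def find_cookies(entries, family, address, display_number):
    """Records usable for a display: same family and address (or wildcard), same number."""
    number = str(display_number).encode()
    return [e for e in entries
            if (e[0] == FAMILY_WILD or (e[0] == family and e[1] == address))
            and e[2] in (number, b"")]

def merge(target, source):
    """Simplified merge: source records replace target records for the same display and protocol."""
    replaced = {e[:4] for e in source}
    return [e for e in target if e[:4] not in replaced] + list(source)

# Constructed sample data: 192.0.2.10 stands in for host S, 192.0.2.20 for host L.
S_ADDR, L_ADDR = socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20")
S_FILE = pack_entry(FAMILY_INTERNET, S_ADDR, b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
L_FILE = pack_entry(FAMILY_INTERNET, L_ADDR, b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
```

Looking up S's display in `parse_xauthority(L_FILE)` returns an empty list; after `merge()` with the records from `S_FILE`, the same lookup returns S's record and only the user who owns that file can present the cookie.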
You may have better luck following these instructions. I don't think you are transferring the cookie information from the S host to the L host. http://acs.ucsd.edu/info/xauth.php
Quote:
Giving another machine access
Set up .rhosts
To allow connections from another machine, first set up an .rhosts file on the remote machine. You've probably already done this before even thinking about figuring out xauth, but it's still important. The .rhosts file should contain the name of the local machine and your username on one line, separated by a space. This is the same file that you use to enable rsh, rlogin, and rcp. For more information on .rhosts files, see "help rcp".
Transfer the cookie
To transfer the cookie to a remote machine, set up the .rhosts file on that machine as described above, then type (replacing "remote" with the name of the remote machine you want to use):