All right, I'll admit it: Not all of my *nix hosts are running
the absolute latest release of every platform I run, administer for,
or build for in our systems administration practice.
Solaris 2.6, SunOS 5, SGI IRIX, HP-UX 10.20, AIX, Red Hat last stable major,
Red Hat Raw Hide and betas, Red Hat (Sparc) 6.2, OpenBSD 2.9,
OpenBSD 3.x, ... You get the idea.
The X Consortium addressed this long ago, with the XDMCP -- X Display
Manager Control Protocol:
bash-2.05a$ grep 177 /etc/services
xdmcp 177/tcp # X Display Mgr. Control Proto
xdmcp 177/udp
Listing 1
The servers chatter among themselves through their xdm instances
(xdm, kdm, and gdm are common implementations; we use GDM in our
example). The xdm servers also note who else is chattering over that
UDP port -- from man xdm: "XDMCP uses the registered well-known UDP
port 177".
This allows the XDMCP-aware daemon to build an inventory of X servers
willing to receive and provide X services and session management
(CDE, XFCE, FVWM, Gnome, KDE, Enlightenment, TWM, ...) to an array of
X clients, so that they can find one another and make their resources
available. They compile listings of each other, and advertise both
their own availability and that of one another, with no prior effort
on the part of their clientele.
On the Client side, the client may be a slender TFTP booting LTSP or
hardware X Client, or a full blown installation of the latest X offerings
and X-window desktop content. By consulting the offerings compiled by a
well known server, the client can display (through the X chooser
mechanism), a listing of hosts willing to act as Servers of a Session.
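To make the advertisement step concrete, here is an added example (not
from the original article) that decodes an XDMCP Willing or Unwilling
reply as it would appear in a capture of UDP port 177. The field layout
follows the XDMCP specification; the sample packet, its hostname "desk"
and its status string are constructed for illustration.

```python
import struct

# Opcodes from the XDMCP specification (only the discovery-phase ones).
OPCODES = {1: "BroadcastQuery", 2: "Query", 3: "IndirectQuery",
           5: "Willing", 6: "Unwilling"}
# ARRAY8 fields carried by each reply type, in wire order.
LAYOUT = {"Willing": ("auth", "hostname", "status"),
          "Unwilling": ("hostname", "status")}

def array8(data):
    """Encode an ARRAY8: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data

def read_array8(buf, off):
    """Decode one ARRAY8 at offset off; return (bytes, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated ARRAY8 length")
    (n,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("ARRAY8 runs past end of packet")
    return buf[off + 2:end], end

def parse(packet):
    """Return (opcode name, fields) for one XDMCP datagram."""
    if len(packet) < 6:
        raise ValueError("shorter than the 6-byte XDMCP header")
    version, opcode, length = struct.unpack_from(">HHH", packet, 0)
    if version != 1 or length != len(packet) - 6:
        raise ValueError("bad version or length field")
    name = OPCODES.get(opcode, f"opcode {opcode}")
    fields, off = {}, 6
    for field in LAYOUT.get(name, ()):
        raw, off = read_array8(packet, off)
        fields[field] = raw.decode("latin-1")
    return name, fields

# Constructed sample: a Willing reply with no authentication name.
_payload = array8(b"") + array8(b"desk") + array8(b"Linux 2.4.18")
SAMPLE_WILLING = struct.pack(">HHH", 1, 5, len(_payload)) + _payload

if __name__ == "__main__":
    print(parse(SAMPLE_WILLING))
```

The hostname and status strings in a Willing reply are sent unauthenticated,
which is why a capture on port 177 is enough to inventory every host
advertising sessions.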
Setting it up is straightforward -- We have highlighted items with
a red font when we have made an edit or want to
draw attention to something:
Before:
bash-2.05a$ grep X /etc/inittab
# 5 - X11
x:5:respawn:/etc/X11/prefdm -nodaemon
bash-2.05a$
Listing 2
After:
bash-2.05a$ grep X /etc/inittab
# 5 - X11
# x:5:respawn:/etc/X11/prefdm -nodaemon
x:5:respawn:/etc/X11/prefdm
# x:5:respawn:/etc/X11/prefdm -indirect localhost
x1:5:respawn:/usr/bin/X11/X -indirect localhost
bash-2.05a$
Listing 3
Our approach here is to look to the local host's own instance of the
XDM server, because our network is lightly enough loaded that we can
tolerate the 'chatter'. It is perfectly reasonable to look instead to
a well-located, high-capacity central source for this information --
if it were called "xdmcentral":
x1:5:respawn:/usr/bin/X11/X -indirect xdmcentral
The end user selects a given server (Screenshots: Red Hat 7.3,
Red Hat Beta), and a connection is established to authenticate the
user and select an X window manager through the X login mechanism
(Screenshots:
Red Hat 7.3 displaying on itself,
Red Hat 7.3 displaying on Red Hat Beta,
Red Hat Beta displaying on itself,
Red Hat Beta displaying on Red Hat 7.3).
Notice in the last two shots that a slightly different local
authentication display is used than when it is remote. This is
gdmlogin remotely, and gdmgreeter locally.
With the gdm package, these options are set in the
/etc/X11/gdm/gdm.conf configuration file, and are most easily
manipulated with gdmconfig. There are a few items to select:
bash-2.05a$ cat /etc/X11/gdm/gdm.conf
[daemon]
AutomaticLoginEnable=false
AutomaticLogin=
AlwaysRestartServer=true
Configurator=/usr/sbin/gdmconfig --disable-sound --disable-crash-dialog
GnomeDefaultSession=/usr/share/gnome/default.session
Chooser=/usr/bin/gdmchooser --disable-sound --disable-crash-dialog
DefaultPath=/bin:/usr/bin:/usr/bin/X11:/usr/local/bin:/usr/bin
DisplayInitDir=/etc/X11/gdm/Init
Greeter=/usr/bin/gdmlogin --disable-sound --disable-crash-dialog
Group=gdm
KillInitClients=true
LogDir=/var/log/gdm
PidFile=/var/run/gdm.pid
PostSessionScriptDir=/etc/X11/gdm/PostSession/
PreSessionScriptDir=/etc/X11/gdm/PreSession/
FailsafeXServer=
XKeepsCrashing=/etc/X11/gdm/XKeepsCrashing
XKeepsCrashingConfigurators=/usr/bin/X11/XF86Setup /usr/bin/X11/Xconfigurator
RootPath=/sbin:/usr/sbin:/bin:/usr/bin:/usr/bin/X11:/usr/local/bin:/usr/bin
ServAuthDir=/var/gdm
SessionDir=/etc/X11/gdm/Sessions/
SuspendCommand=
User=gdm
UserAuthDir=
UserAuthFBDir=/tmp
UserAuthFile=.Xauthority
TimedLoginEnable=false
TimedLogin=
TimedLoginDelay=30
HaltCommand=/sbin/shutdown -h now
RebootCommand=/sbin/shutdown -r now
[security]
AllowRoot=true
AllowRemoteRoot=true
AllowRemoteAutoLogin=true
RelaxPermissions=0
RetryDelay=1
UserMaxFile=65536
SessionMaxFile=524288
VerboseAuth=true
[xdmcp]
Enable=true
HonorIndirect=true
MaxPending=4
MaxPendingIndirect=4
MaxSessions=100
MaxWait=30
MaxWaitIndirect=30
Port=177
PingInterval=5
[gui]
GtkRC=/usr/share/themes/Raleigh/gtk/gtkrc
MaxIconWidth=128
MaxIconHeight=128
[greeter]
TitleBar=true
ConfigAvailable=true
Browser=false
DefaultFace=/usr/share/pixmaps/nobody.png
DefaultLocale=en_US
Exclude=bin,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,gdm,postgres,pvm
Font=-*-helvetica-bold-r-normal-*-*-180-*-*-*-*-*-*,*
GlobalFaceDir=/usr/share/faces/
Icon=/usr/share/pixmaps/gdm.xpm
LocaleFile=/etc/X11/gdm/locale.alias
Logo=/home/herrold/horsehead.jpg
Quiver=true
SystemMenu=true
Welcome=Welcome to %n
Welcome[es]=Bienvenido a %n
Welcome[de]=Willkommen auf %n
Welcome[fr]=Bienvenue sur %n
Welcome[cs]=Vítejte na %n
LockPosition=true
SetPosition=false
PositionX=0
PositionY=0
XineramaScreen=0
BackgroundType=1
BackgroundImage=/home/localuser/165351__yoda1_l.jpg
BackgroundScaleToFit=true
BackgroundColor=#4bf0f0
BackgroundRemoteOnlyColor=true
BackgroundProgram=/usr/bin/xsri --redhat-login --run
ShowGnomeChooserSession=true
ShowGnomeFailsafeSession=false
ShowXtermFailsafeSession=true
[chooser]
DefaultHostImg=/usr/share/pixmaps/nohost.png
HostImageDir=/usr/share/hosts/
ScanTime=3
Hosts=
Broadcast=true
[debug]
Enable=true
[servers]
0=/usr/bin/X11/X
Listing 4 -- Red Hat 7.3
desk ]$ cat /etc/X11/gdm/gdm.conf
# GDM Configuration file. You can use gdmsetup program to graphically
# edit this, or you can optionally just edit this file by hand. Note that
# gdmsetup does not tweak every option here, just the ones most users
# would care about. Rest is for special setups and distro specific
# tweaks. If you edit this file, you should send the USR1 signal to the
# daemon so that it restarts: (Assuming you have not changed PidFile)
# kill -USR1 ` cat /var/run/gdm.pid `
# (USR1 will make gdm not kill existing sessions and will only restart gdm
# after all users log out. You can use HUP if you want an immediate restart.)
#
# Have fun! - George
[daemon]
AutomaticLoginEnable=false
AutomaticLogin=
# If you are having trouble with using a single server for a long time and
# want gdm to kill/restart the server, turn this on
AlwaysRestartServer=false
Configurator=/usr/sbin/gdmsetup --disable-sound --disable-crash-dialog
GnomeDefaultSession=/usr/share/gnome/default.session
Chooser=/usr/bin/gdmchooser
DefaultPath=/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin
DisplayInitDir=/etc/X11/gdm/Init
#
# NOTE the difference in greeters here, reflected in the
# photos
#
Greeter=/usr/bin/gdmgreeter
#Uncomment this for the regular greeter
#Greeter=/usr/bin/gdmlogin --disable-sound --disable-crash-dialog
RemoteGreeter=/usr/bin/gdmlogin
Group=gdm
HaltCommand=/usr/bin/poweroff
KillInitClients=true
LogDir=/var/log/gdm
PidFile=/var/run/gdm.pid
PostSessionScriptDir=/etc/X11/gdm/PostSession/
PreSessionScriptDir=/etc/X11/gdm/PreSession/
# Distributions: If you have some script that runs an X server in say
# VGA mode, allowing a login, could you please send it to me?
FailsafeXServer=
XKeepsCrashing=/etc/X11/gdm/XKeepsCrashing
RebootCommand=/sbin/shutdown -r now
RootPath=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
ServAuthDir=/var/gdm
SessionDir=/etc/X11/gdm/Sessions/
SuspendCommand=
User=gdm
UserAuthDir=
UserAuthFBDir=/tmp
UserAuthFile=.Xauthority
TimedLoginEnable=false
TimedLogin=
TimedLoginDelay=30
StandardXServer=/usr/X11R6/bin/X
FlexibleXServers=5
Xnest=/usr/X11R6/bin/Xnest -name Xnest -kb
[security]
# If any distributions ship with this one off, they should be shot
# this is only local, so it's only for say kiosk use, when you
# want to minimize possibility of breakin
AllowRoot=true
# If you want to be paranoid, turn this one off
AllowRemoteRoot=true
AllowRemoteAutoLogin=false
RelaxPermissions=0
RetryDelay=1
UserMaxFile=65536
SessionMaxFile=524388
[xdmcp]
# Distributions: Ship with this off. It is never a safe thing to leave
# out on the net. Alternatively you can set up /etc/hosts.allow and
# /etc/hosts.deny to only allow say local access.
Enable=true
HonorIndirect=true
MaxPending=4
MaxPendingIndirect=4
MaxSessions=16
MaxWait=15
MaxWaitIndirect=15
DisplaysPerHost=1
Port=177
# Willing script, none is shipped and by default we'll send
# hostname system id
Willing=/etc/X11/gdm/Xwilling
[gui]
GtkRC=/usr/share/themes/Bluecurve/gtk-2.0/gtkrc
MaxIconWidth=128
MaxIconHeight=128
[greeter]
TitleBar=false
ConfigAvailable=true
Browser=false
DefaultFace=/usr/share/pixmaps/nobody.png
DefaultLocale=en_US
# These are things excluded from the face browser, not from logging in
Exclude=nfsnobody
MinimalUID=500
GlobalFaceDir=/usr/share/faces/
Icon=/usr/share/pixmaps/gdm.xpm
LocaleFile=/etc/X11/gdm/locale.alias
Logo=
## nice RH logo for the above line: /usr/share/pixmaps/redhat/shadowman-200.png
Quiver=true
SystemMenu=true
# Note to distributors, if you wish to have a different Welcome string
# and wish to have this translated you can have entries such as
# Welcome[cs]=Vitejte na %n
# Just make sure the string is in utf-8
Welcome=Welcome to %n
LockPosition=true
SetPosition=false
PositionX=0
PositionY=0
XineramaScreen=0
#Type can be 0=None, 1=Image, 2=Color
BackgroundType=1
BackgroundImage=
BackgroundScaleToFit=true
BackgroundColor=#1d7ed9
BackgroundRemoteOnlyColor=true
BackgroundProgram=/usr/bin/xsri --redhat-login --run
# if this is true then the background program is run always, otherwise
# it is only run when the BackgroundType is 0 (None)
RunBackgroundProgramAlways=false
ShowGnomeChooserSession=false
ShowGnomeFailsafeSession=false
ShowXtermFailsafeSession=false
Use24Clock=true
UseCirclesInEntry=false
# These two keys are for the new greeter. Circles is the standard
# shipped theme
GraphicalTheme=circles
GraphicalThemeDir=/usr/share/gdm/themes/
[chooser]
DefaultHostImg=/usr/share/pixmaps/nohost.png
HostImageDir=/usr/share/hosts/
ScanTime=3
Hosts=
Broadcast=true
[debug]
# This will enable debugging into the syslog, usually not neccessary
# and it creates a LOT of spew of random stuff to the syslog
Enable=false
[servers]
0=Standard
#1=Standard
#Note: If you want to make sure X runs on a specific virtual console on linux,
# you can use the following (for console 7). However this can cause
# problems for some users. Be careful about this, getting this wrong
# can lead to an unusable console. Best solution is to make sure gdm
# starts as the last thing, and that will make it not neccessary to
# do hacks like this.
#0=Standard vt7
#
#Note: If you want to run an X terminal you could add an X server such as this
#0=Terminal -query serverhostname
# or for a chooser (optionally serverhostname could be localhost)
#0=Terminal -indirect serverhostname
[server-Standard]
name=Standard server
command=/usr/X11R6/bin/X
flexible=true
# To use this server type you should add -query host or -indirect host
# to the command line
[server-Terminal]
name=Terminal server
# Add -terminate to make things behave more nicely
command=/usr/X11R6/bin/X -terminate
# Make this not appear in the flexible servers (we need extra params
# anyway, and terminate would be bad for xdmcp)
flexible=false
# Not local, we do not handle the logins for this X server
handled=false
desk ]$
Listing 5 -- Red Hat Beta following their version 7.3
These edits are done in part with gdmconfig, and in part
manually. In the Red Hat Beta following Red Hat 7.3, it is less
obvious how to reach these results (Screenshots:
Red Hat Beta following Red Hat 7.3 - we enable XDMCP;
Red Hat 7.3 - we enable XDMCP;
Red Hat 7.3 - we set the X server to restart after each session).
Security notice: This use of X is inherently not encrypted
absent special effort -- the XDM process is UDP based (and thus easily
spoofed), and unless tunnelled through an encrypting VPN transport,
it can be 'sniffed' and the content within (userids and passwords)
exposed. It should also be protected with TCP wrappers, and blocked at
any external network interface boundaries with port filtering rules
for port 177 (UDP and TCP -- although we are unaware of a TCP variant
in use).
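An added example, not part of the original article: a small audit of
the gdm.conf settings that bear on the notice above, run here over an
excerpt of Listing 4. The risk descriptions are this example's own
wording, and the remote-login keys are reported only while
[xdmcp] Enable is true.

```python
import configparser

# Constructed sample: the [security] and [xdmcp] values of Listing 4 (Red Hat 7.3).
RH73_EXCERPT = """\
[security]
AllowRoot=true
AllowRemoteRoot=true
AllowRemoteAutoLogin=true
[xdmcp]
Enable=true
HonorIndirect=true
Port=177
"""

# Keys come from the listings; the reasons are this example's own judgement.
REMOTE_CHECKS = [
    ("security", "AllowRemoteRoot", "root password may cross the wire in clear text"),
    ("security", "AllowRemoteAutoLogin", "timed login is permitted for XDMCP displays"),
    ("xdmcp", "HonorIndirect", "indirect (chooser) queries are honoured"),
]

def audit(text):
    """Return (setting, reason) pairs for XDMCP exposure found in gdm.conf text."""
    # interpolation=None: values such as "Welcome to %n" contain a literal '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep CamelCase keys such as AllowRemoteRoot
    cp.read_string(text)

    def enabled(section, key):
        return cp.get(section, key, fallback="false").strip().lower() == "true"

    findings = []
    if enabled("xdmcp", "Enable"):
        port = cp.get("xdmcp", "Port", fallback="177")
        findings.append(("xdmcp/Enable",
                         f"listening on UDP {port}; filter it at the boundary"))
        # Remote-login settings only matter while the XDMCP listener is on.
        findings += [(f"{s}/{k}", why) for s, k, why in REMOTE_CHECKS
                     if enabled(s, k)]
    return findings

if __name__ == "__main__":
    for setting, reason in audit(RH73_EXCERPT):
        print(f"{setting}: {reason}")
```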
See also: