Owl River Company

Setting up the XDM chooser for the local network - XDMCP

Original at: http://www.owlriver.com/tips/gdm-setup/

All right, I'll admit it: Not all of my *nix hosts are running the absolute latest release of every platform I run, administer, or build for in our systems administration practice. Solaris 2.6, SunOS 5, SGI Irix, HP-UX 10.20, Aix, Red Hat last stable major, Red Hat Raw Hide and betas, Red Hat (Sparc) 6.2, Open BSD 2.9, Open BSD 3.x, ... You get the idea.

The X Consortium addressed this long ago, with the XDMCP -- X Display Manager Control Protocol:

    bash-2.05a$ grep 177 /etc/services
    xdmcp 177/tcp # X Display Mgr. Control Proto
    xdmcp 177/udp

Listing 1

The servers chatter among themselves through their xdm instance (xdm, kdm, and gdm are common implementations; we use GDM in our example). The xdm servers also note who else is chattering over that UDP port. From man xdm: "XDMCP uses the registered well-known UDP port 177".

This allows the XDMCP-aware daemon to build an inventory of X servers willing to receive and provide X services and session management (CDE, XFCE, FVWM, Gnome, KDE, Enlightenment, TWM, ...), so that an array of X clients can find them and make their resources available to one another. The servers compile listings of each other, and advertise both their own availability and that of one another, with no prior effort on the part of their clientele.

On the Client side, the client may be a slender TFTP booting LTSP or hardware X Client, or a full blown installation of the latest X offerings and X-window desktop content. By consulting the offerings compiled by a well known server, the client can display (through the X chooser mechanism), a listing of hosts willing to act as Servers of a Session.

Setting it up is straightforward -- We have highlighted items with a red font when we have made an edit or want to draw attention to something:

Before:

    bash-2.05a$ grep X /etc/inittab
    # 5 - X11
    x:5:respawn:/etc/X11/prefdm -nodaemon
    bash-2.05a$

Listing 2

After:

    bash-2.05a$ grep X /etc/inittab
    # 5 - X11
    # x:5:respawn:/etc/X11/prefdm -nodaemon
    x:5:respawn:/etc/X11/prefdm
    # x:5:respawn:/etc/X11/prefdm -indirect localhost
    x1:5:respawn:/usr/bin/X11/X -indirect localhost
    bash-2.05a$

Listing 3

Our approach here is to look to the local host's own instance of the XDM server. This is because our network is lightly enough loaded that we can tolerate the 'chatter'. It is perfectly reasonable to look instead to a well-located, high-capacity central source for this information. If it were called "xdmcentral":

    x1:5:respawn:/usr/bin/X11/X -indirect xdmcentral

The end user selects a given server (Screenshots: Red Hat 7.3, Red Hat Beta), and a connection is established to authenticate the user and select an X-Window manager through the X login mechanism (Screenshots: Red Hat 7.3 displaying on itself, Red Hat 7.3 displaying on Red Hat Beta, Red Hat Beta displaying on itself, Red Hat Beta displaying on Red Hat 7.3). Notice in the last two shots that a slightly different authentication display is used locally than remotely: gdmlogin is used remotely, and gdmgreeter locally.

With the gdm package, these options are set in the /etc/X11/gdm/gdm.conf configuration file, and are most easily manipulated with gdmconfig. There are a few items to select:

    bash-2.05a$ cat /etc/X11/gdm/gdm.conf
    [daemon]
    AutomaticLoginEnable=false
    AutomaticLogin=
    AlwaysRestartServer=true
    Configurator=/usr/sbin/gdmconfig --disable-sound --disable-crash-dialog
    GnomeDefaultSession=/usr/share/gnome/default.session
    Chooser=/usr/bin/gdmchooser --disable-sound --disable-crash-dialog
    DefaultPath=/bin:/usr/bin:/usr/bin/X11:/usr/local/bin:/usr/bin
    DisplayInitDir=/etc/X11/gdm/Init
    Greeter=/usr/bin/gdmlogin --disable-sound --disable-crash-dialog
    Group=gdm
    KillInitClients=true
    LogDir=/var/log/gdm
    PidFile=/var/run/gdm.pid
    PostSessionScriptDir=/etc/X11/gdm/PostSession/
    PreSessionScriptDir=/etc/X11/gdm/PreSession/
    FailsafeXServer=
    XKeepsCrashing=/etc/X11/gdm/XKeepsCrashing
    XKeepsCrashingConfigurators=/usr/bin/X11/XF86Setup /usr/bin/X11/Xconfigurator
    RootPath=/sbin:/usr/sbin:/bin:/usr/bin:/usr/bin/X11:/usr/local/bin:/usr/bin
    ServAuthDir=/var/gdm
    SessionDir=/etc/X11/gdm/Sessions/
    SuspendCommand=
    User=gdm
    UserAuthDir=
    UserAuthFBDir=/tmp
    UserAuthFile=.Xauthority
    TimedLoginEnable=false
    TimedLogin=
    TimedLoginDelay=30
    HaltCommand=/sbin/shutdown -h now
    RebootCommand=/sbin/shutdown -r now

    [security]
    AllowRoot=true
    AllowRemoteRoot=true
    AllowRemoteAutoLogin=true
    RelaxPermissions=0
    RetryDelay=1
    UserMaxFile=65536
    SessionMaxFile=524288
    VerboseAuth=true

    [xdmcp]
    Enable=true
    HonorIndirect=true
    MaxPending=4
    MaxPendingIndirect=4
    MaxSessions=100
    MaxWait=30
    MaxWaitIndirect=30
    Port=177
    PingInterval=5

    [gui]
    GtkRC=/usr/share/themes/Raleigh/gtk/gtkrc
    MaxIconWidth=128
    MaxIconHeight=128

    [greeter]
    TitleBar=true
    ConfigAvailable=true
    Browser=false
    DefaultFace=/usr/share/pixmaps/nobody.png
    DefaultLocale=en_US
    Exclude=bin,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,gdm,postgres,pvm
    Font=-*-helvetica-bold-r-normal-*-*-180-*-*-*-*-*-*,*
    GlobalFaceDir=/usr/share/faces/
    Icon=/usr/share/pixmaps/gdm.xpm
    LocaleFile=/etc/X11/gdm/locale.alias
    Logo=/home/herrold/horsehead.jpg
    Quiver=true
    SystemMenu=true
    Welcome=Welcome to %n
    Welcome[es]=Bienvenido a %n
    Welcome[de]=Willkommen auf %n
    Welcome[fr]=Bienvenue sur %n
    Welcome[cs]=Vítejte na %n
    LockPosition=true
    SetPosition=false
    PositionX=0
    PositionY=0
    XineramaScreen=0
    BackgroundType=1
    BackgroundImage=/home/localuser/165351__yoda1_l.jpg
    BackgroundScaleToFit=true
    BackgroundColor=#4bf0f0
    BackgroundRemoteOnlyColor=true
    BackgroundProgram=/usr/bin/xsri --redhat-login --run
    ShowGnomeChooserSession=true
    ShowGnomeFailsafeSession=false
    ShowXtermFailsafeSession=true

    [chooser]
    DefaultHostImg=/usr/share/pixmaps/nohost.png
    HostImageDir=/usr/share/hosts/
    ScanTime=3
    Hosts=
    Broadcast=true

    [debug]
    Enable=true

    [servers]
    0=/usr/bin/X11/X

Listing 4 -- Red Hat 7.3

    desk ]$ cat /etc/X11/gdm/gdm.conf
    # GDM Configuration file. You can use gdmsetup program to graphically
    # edit this, or you can optionally just edit this file by hand. Note that
    # gdmsetup does not tweak every option here, just the ones most users
    # would care about. Rest is for special setups and distro specific
    # tweaks. If you edit this file, you should send the USR1 signal to the
    # daemon so that it restarts: (Assuming you have not changed PidFile)
    # kill -USR1 `cat /var/run/gdm.pid`
    # (USR1 will make gdm not kill existing sessions and will only restart gdm
    # after all users log out. You can use HUP if you want an immediate restart.)
    #
    # Have fun! - George

    [daemon]
    AutomaticLoginEnable=false
    AutomaticLogin=
    # If you are having trouble with using a single server for a long time and
    # want gdm to kill/restart the server, turn this on
    AlwaysRestartServer=false
    Configurator=/usr/sbin/gdmsetup --disable-sound --disable-crash-dialog
    GnomeDefaultSession=/usr/share/gnome/default.session
    Chooser=/usr/bin/gdmchooser
    DefaultPath=/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin
    DisplayInitDir=/etc/X11/gdm/Init
    #
    # NOTE the difference in greeters here, reflected in the
    # photos
    #
    Greeter=/usr/bin/gdmgreeter
    #Uncomment this for the regular greeter
    #Greeter=/usr/bin/gdmlogin --disable-sound --disable-crash-dialog
    RemoteGreeter=/usr/bin/gdmlogin
    Group=gdm
    HaltCommand=/usr/bin/poweroff
    KillInitClients=true
    LogDir=/var/log/gdm
    PidFile=/var/run/gdm.pid
    PostSessionScriptDir=/etc/X11/gdm/PostSession/
    PreSessionScriptDir=/etc/X11/gdm/PreSession/
    # Distributions: If you have some script that runs an X server in say
    # VGA mode, allowing a login, could you please send it to me?
    FailsafeXServer=
    XKeepsCrashing=/etc/X11/gdm/XKeepsCrashing
    RebootCommand=/sbin/shutdown -r now
    RootPath=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
    ServAuthDir=/var/gdm
    SessionDir=/etc/X11/gdm/Sessions/
    SuspendCommand=
    User=gdm
    UserAuthDir=
    UserAuthFBDir=/tmp
    UserAuthFile=.Xauthority
    TimedLoginEnable=false
    TimedLogin=
    TimedLoginDelay=30
    StandardXServer=/usr/X11R6/bin/X
    FlexibleXServers=5
    Xnest=/usr/X11R6/bin/Xnest -name Xnest -kb

    [security]
    # If any distributions ship with this one off, they should be shot
    # this is only local, so it's only for say kiosk use, when you
    # want to minimize possibility of breakin
    AllowRoot=true
    # If you want to be paranoid, turn this one off
    AllowRemoteRoot=true
    AllowRemoteAutoLogin=false
    RelaxPermissions=0
    RetryDelay=1
    UserMaxFile=65536
    SessionMaxFile=524388

    [xdmcp]
    # Distributions: Ship with this off. It is never a safe thing to leave
    # out on the net. Alternatively you can set up /etc/hosts.allow and
    # /etc/hosts.deny to only allow say local access.
    Enable=true
    HonorIndirect=true
    MaxPending=4
    MaxPendingIndirect=4
    MaxSessions=16
    MaxWait=15
    MaxWaitIndirect=15
    DisplaysPerHost=1
    Port=177
    # Willing script, none is shipped and by default we'll send
    # hostname system id
    Willing=/etc/X11/gdm/Xwilling

    [gui]
    GtkRC=/usr/share/themes/Bluecurve/gtk-2.0/gtkrc
    MaxIconWidth=128
    MaxIconHeight=128

    [greeter]
    TitleBar=false
    ConfigAvailable=true
    Browser=false
    DefaultFace=/usr/share/pixmaps/nobody.png
    DefaultLocale=en_US
    # These are things excluded from the face browser, not from logging in
    Exclude=nfsnobody
    MinimalUID=500
    GlobalFaceDir=/usr/share/faces/
    Icon=/usr/share/pixmaps/gdm.xpm
    LocaleFile=/etc/X11/gdm/locale.alias
    Logo=
    ## nice RH logo for the above line: /usr/share/pixmaps/redhat/shadowman-200.png
    Quiver=true
    SystemMenu=true
    # Note to distributors, if you wish to have a different Welcome string
    # and wish to have this translated you can have entries such as
    # Welcome[cs]=Vitejte na %n
    # Just make sure the string is in utf-8
    Welcome=Welcome to %n
    LockPosition=true
    SetPosition=false
    PositionX=0
    PositionY=0
    XineramaScreen=0
    #Type can be 0=None, 1=Image, 2=Color
    BackgroundType=1
    BackgroundImage=
    BackgroundScaleToFit=true
    BackgroundColor=#1d7ed9
    BackgroundRemoteOnlyColor=true
    BackgroundProgram=/usr/bin/xsri --redhat-login --run
    # if this is true then the background program is run always, otherwise
    # it is only run when the BackgroundType is 0 (None)
    RunBackgroundProgramAlways=false
    ShowGnomeChooserSession=false
    ShowGnomeFailsafeSession=false
    ShowXtermFailsafeSession=false
    Use24Clock=true
    UseCirclesInEntry=false
    # These two keys are for the new greeter. Circles is the standard
    # shipped theme
    GraphicalTheme=circles
    GraphicalThemeDir=/usr/share/gdm/themes/

    [chooser]
    DefaultHostImg=/usr/share/pixmaps/nohost.png
    HostImageDir=/usr/share/hosts/
    ScanTime=3
    Hosts=
    Broadcast=true

    [debug]
    # This will enable debugging into the syslog, usually not neccessary
    # and it creates a LOT of spew of random stuff to the syslog
    Enable=false

    [servers]
    0=Standard
    #1=Standard
    #Note: If you want to make sure X runs on a specific virtual console on linux,
    # you can use the following (for console 7). However this can cause
    # problems for some users. Be careful about this, getting this wrong
    # can lead to an unusable console. Best solution is to make sure gdm
    # starts as the last thing, and that will make it not neccessary to
    # do hacks like this.
    #0=Standard vt7
    #
    #Note: If you want to run an X terminal you could add an X server such as this
    #0=Terminal -query serverhostname
    # or for a chooser (optionally serverhostname could be localhost)
    #0=Terminal -indirect serverhostname

    [server-Standard]
    name=Standard server
    command=/usr/X11R6/bin/X
    flexible=true

    # To use this server type you should add -query host or -indirect host
    # to the command line
    [server-Terminal]
    name=Terminal server
    # Add -terminate to make things behave more nicely
    command=/usr/X11R6/bin/X -terminate
    # Make this not appear in the flexible servers (we need extra params
    # anyway, and terminate would be bad for xdmcp)
    flexible=false
    # Not local, we do not handle the logins for this X server
    handled=false
    desk ]$

Listing 5 -- Red Hat Beta following their version 7.3

These edits are done in part with gdmconfig, and in part manually. In the Red Hat Beta following Red Hat 7.3, it is less obvious how to reach these results (Screenshots: Red Hat Beta following Red Hat 7.3 - we enable XDMCP; Red Hat 7.3 - we enable XDMCP; Red Hat 7.3 - we set the X server to restart after each session).

Security notice: This use of X is inherently not encrypted absent special effort. The XDM process is UDP based (and thus easily spoofed), and unless tunnelled through an encrypting VPN transport, it can be 'sniffed' and the content within (userids and passwords) exposed. It should also be wrapped, and blocked at any external network interface boundaries with port filtering rules blocking port 177 (UDP and TCP -- although we are unaware of a TCP variant in use).
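
An added example (not from the original page or the GDM project): a small Python audit that reads gdm.conf text and reports the settings that the comments in Listing 5 and the security notice above caution about. The function name, the choice of checks and the sample excerpts are assumptions made for illustration.

```python
import configparser

# (section, key, risky value, reason). Keys come from the page's gdm.conf
# listings; reasons paraphrase its config comments and security notice.
CHECKS = [
    ("xdmcp", "Enable", "true",
     "XDMCP is listening on UDP 177; wrap/filter it to the local network"),
    ("security", "AllowRemoteRoot", "true",
     "root can log in over XDMCP, so the root password crosses the wire in clear"),
    ("security", "AllowRemoteAutoLogin", "true",
     "timed login is honoured for remote displays"),
]

def audit_gdm_conf(text):
    """Return [(section, key, reason)] for risky settings in gdm.conf text."""
    # interpolation=None: values such as 'Welcome=Welcome to %n' hold a bare '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep gdm.conf's CamelCase keys as written
    cp.read_string(text)
    xdmcp_on = cp.get("xdmcp", "Enable", fallback="false").strip().lower() == "true"
    findings = []
    for section, key, risky, reason in CHECKS:
        value = cp.get(section, key, fallback=None)
        if value is None or value.strip().lower() != risky:
            continue
        # The remote-login switches only take effect while XDMCP is enabled.
        if section == "security" and not xdmcp_on:
            continue
        findings.append((section, key, reason))
    return findings

# Constructed excerpts: the first mirrors Listing 4, the second a locked-down host.
LISTING4_EXCERPT = """\
[security]
AllowRoot=true
AllowRemoteRoot=true
AllowRemoteAutoLogin=true
[xdmcp]
Enable=true
Port=177
[greeter]
Welcome=Welcome to %n
"""
LOCKED_DOWN = LISTING4_EXCERPT.replace("Enable=true", "Enable=false")

if __name__ == "__main__":
    for sample in (LISTING4_EXCERPT, LOCKED_DOWN):
        print(audit_gdm_conf(sample) or "no findings")
```

To audit a real host, pass the contents of /etc/X11/gdm/gdm.conf to audit_gdm_conf() instead of the constructed excerpts.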

Copyright © 2008 Owl River Company
All rights reserved.

Last modified: Sat, 15 Feb 2003 20:19:16 -0500