| IntroductionThe focus of this article is the setup and use of the X
							Display Manager. The X Display Manager runs as a daemon on a
							host machine and manages multiple X displays (remote or local)
							providing basic user session management analogous to init(8),
							getty(1) and login(1) on character based
							terminals. Also, xdm provides cleanup facilities for displays
							on which the X server is no longer running. One of the most
							valuable of xdm's features is it's ability to generate
							authorization information that can be used by the display
							server to control access based on host and account level
							schemes. Because of it's ability to spawn X session logins
							using standard authentication techniques, xdm is ideal for
							sites where a single machine is shared by multiple users
							running individually customized X sessions. 
							 Scope 
							 Although this column briefly addresses authorization under
							xdm, X Window security being a topic onto itself will be
							examined in more detail in next month's column. If you are
							interested in running xdm on a standalone system you can skip
							the XDMCP section and probably have a pretty decent canned
							setup that came with your distribution. If this is the case,
							you can most likely get by just checking out the customization
							and Running xdm sections as the rest of the article deals
							manly with networked environments and X terminal interaction.
							Also, if your are looking for a start to finish cookbook
							approach to setting up an X terminal environment I suggest
							referring to O' Reilly & Associates " The X Window
							System Administrators Guide" as it covers details of X
							terminal administration beyond the scope of this article. Session management under X In a traditional tty login a session is a user's login
							shell, under xdm a session is controlled by an arbitrary
							session manager; because in a windowing environment a user's
							login shell process does not necessarily have any
							terminal-like interface with which to connect. For session
							management in the X Windows environment we use the window
							manager as a "session manager" and when the window
							manager process terminates, so does the user's session. xdm basic concepts xdm is an Xclient that manages the first
							and last points of connection, control and coordination of a
							user's session. Xdm keeps track of which X servers are
							available for connection by reading the Xservers file and
							listening on the XDMCP port for other servers requesting
							management. When xdm is given management of an X server it
							sends a login box to the server display and waits for user
							input. Once a user enters a name and password they are
							authenticated using the same mechanisms as a standard tty
							login. Now, xdm executes a series of shell scripts that start
							the user's desired Xclients. Now a normal X session is in
							progress, when the user logs out of this session xdm closes
							all connections and resets the terminal back to the login
							state, ready for a new session. 
 
Why
							use xdm ?Besides the security features, remote capabilities and
							convenience, xinit is considered obsolete via the X Consortium
							( now The Open Group )
							with all new functionality being built in to xdm. Xdm provides
							a way for administrators to configure environments system
							wide. Also, xdm is the only way (that I'm aware of) to share a
							machine between multiple users without have to kill the X
							server and restart for each new user else, share a common
							desktop
					settings. 
 
Configurationxdm is configured through standard ASCII text files. Global
							files are traditionally located in /usr/lib/X11/xdm
							or /etc/xdm while local files are
							located (where else?) in each user's home directory. Of
							significant interest is the fact that the xmd-config
							file can state an alternate location for all other files and
							it's own location can be explicitly stated when executing xdm
							using the -config parameter, thus
							systems with a canned xdm setup can easily be modified leaving
							the stock installation in place. Below is a brief description
							of each file and a commented example (when appropriate). Global Files xdm-config This file specifies the location of all other configuration
							files ( if settings other than the default location are to be
							used) and sets commands for xdm setup, startup, reset and
							initial script. In the example below all additional files are
							specified as being located under /etc/X11/xdm
							so I can leave the default files in /usr/lib/X11/xdm
							unmodified. 
								DisplayManager.errorLogFile:
								/var/log/xdm-error.log
								DisplayManager.pidFile: /var/run/xdm.pid
								DisplayManager.keyFile:
								/etc/X11/xdm/xdm-keys
								DisplayManager.servers:
								/etc/X11/xdm/Xservers
								DisplayManager.accessFile:
								/etc/X11/xdm/Xaccess
								DisplayManager._0.authorize: true
								DisplayManager._1.authorize: true
								DisplayManager._0.setup:
								/etc/X11/xdm/Xsetup_0
								DisplayManager._0.startup:
								/etc/X11/xdm/GiveConsole
								DisplayManager._0.reset:
								/etc/X11/xdm/TakeConsole
								DisplayManager*resources:
								/etc/X11/xdm/Xresources
								DisplayManager*session:
								/etc/X11/xdm/Xsession
								DisplayManager*authComplain: false 
							
 
 Xservers A list of servers to be managed by xdm. At minimum this
							file should include the local display server. NOTE - this file
							is only reread after a session terminates or xdm receives a
							SIGHUP signal. To send SIGHUP signal to xdm find it's pid and
							kill that process. I.E. # ps -a | grep xdm 2639 ? R 0:09 /usr/bin/X11/xdm # kill -9 2639 Below is an example of an Xservers file
							for use with a standalone machine... 
								# first line should be the local
								display 
								
								
:0 local /usr/X11R6/bin/X
								# :0 specifies console 
								
								# local denotes the X server is running
								on the locally 
								
								# /usr/X11R6/bin/X executable run at
								startup
								
# the syntax for X terminals is
								slightly different
								# since they run their X server from
								another machine
								# ONLY enter X terminals if they DO NOT
								support XDMCP
								
eng1:0 foreign NCD xterminal
								# eng1 is the name of the terminal 
								
								# :0 is the display to use on the
								terminal
								# foreign signifies the X server is
								running on a different machine
								# NCD xterminal are display class
								resources specific to this terminal
								# and aren't absolutely neccesary
								
eng2:0 foreign NCD xterminal
								eng3:0 foreign Visual xterminal 
							
 
 Xsession Initial startup script used by each X session. 
								#!/bin/sh
								
# following section enables failsafe
								logon when neccesary 
								
								# using <CTRL><RETURN> after
								password activates failsafe mode
								
case $# in
								1)
								case $1 in
								failsafe)
								exec xterm -geometry 80x24-0-0
								;;
								esac
								esac
								
# redirect errors to a file in
								user's home directory 
								
								for errfile in "$HOME/.xsession-errors"
								"${TMPDIR-/tmp}/xses-$USER" "/tmp/xses-$USER"
								do
								if ( cp /dev/null "$errfile"
								2> /dev/null )
								then
								chmod 600 "$errfile"
								exec > "$errfile" 2>&1
								break
								fi
								done
								
# use users local .xsession and
								.Xresources files if they exist
								startup=$HOME/.xsession
								resources=$HOME/.Xresources
								
if [ -x "$startup" ]; then
								exec "$startup"
								elif [ -x "$HOME/.Xclients" ];
								then
								exec "$HOME/.Xclients"
								elif [ -x /etc/X11/xinit/Xclients ];
								then
								exec /etc/X11/xinit/Xclients
								else
								if [ -f "$resources" ]; then
								xrdb -load "$resources"
								fi
								exec xsm
								fi
								
 
 Xresources 
							 Defines resources to be loaded via xrdb(1) for all
							servers managed by xdm. 
								# key settings to be used by Xlogin widget 
								
xlogin*login.translations:
								#override\
								# Ctrl R stops xdm from managing display
								
								
								Ctrl<Key>R: abort-display()\n\
								# F1 or Ctrl Return run a failsafe
								session
								# consisting of a single xterm window
								<Key>F1:
								set-session-argument(failsafe) finish-field()\n\
								Ctrl<Key>Return:
								set-session-argument(failsafe) finish-field()\n\
								<Key>Return:
								set-session-argument() finish-field()
								
# display setings for Xlogin widget
								to be displayed by xdm
								
xlogin*borderWidth: 3
								xlogin*greeting: CLIENTHOST
								xlogin*namePrompt: login:\040
								xlogin*fail: Sorry Try Again
								#ifdef COLOR
								xlogin*greetColor: CadetBlue
								xlogin*failColor: red
								*Foreground: black
								*Background: #fffff0
								#else
								xlogin*Foreground: black
								xlogin*Background: white
								#endif
								
# settings for xconsole client which
								is used when xdm connection on
								# local server is initialized. This
								keeps console messages sent between
								# logins from going everywhere across
								the screen
								
XConsole.text.geometry: 480x130
								XConsole.verbose: true
								XConsole*iconic: true
								XConsole*font: fixed
								
Chooser*geometry: 700x500+300+200
								Chooser*allowShellResize: false
								Chooser*viewport.forceBars: true
								Chooser*label.font: *-new century
								schoolbook-bold-i-normal-*-240-*
								Chooser*label.label: XDMCP Host Menu
								from CLIENTHOST
								Chooser*list.font:
								-*-*-medium-r-normal-*-*-230-*-*-c-*-iso8859-1
								Chooser*Command.font: *-new century
								schoolbook-bold-r-normal-*-180-*
								
 
 xdm-pid File containing process id of xdm ( for informational
							purposes only, do not edit) xdm-errors Error log file for xdm. Xaccess Configures access control for XDMCP (X11R5 and later). This
							file only defines access permissions for XDMCP queries.This
							file will also allow you to define macros to logically group
							sets of related hosts. Server access control is set using the
							DisplayManager*authorize resource
							set in the xdm-config file. For more information on XDMCP
							setup and examples see the CHOOSER section below. GiveConsole A shell script utilized to change ownership of the console
							to the user. Unless you have a very good reason leave this and
							the take console scripts with the default settings as shown
							below 
								#!/bin/sh
								# Assign ownership of the console to the
								invoking user
								# $XConsortium: GiveConsole,v 1.2
								93/09/28 14:29:20 gildea Exp $
								#
								# By convention, both xconsole and xterm
								-C check that the
								# console is owned by the invoking user
								and is readable before attaching
								# the console output. This way a random
								user can invoke xterm -C without
								# causing serious grief.
								#
								chown $USER /dev/console
								
 
 Take Console A shell script that changes ownership of the console back
							to root (X11R5 and later). Once again leave this one at the
							original settings 
								#!/bin/sh
								# Reassign ownership of the console to
								root, this should disallow
								# assignment of console output to any
								random users's xterm
								# $XConsortium: TakeConsole,v 1.2
								93/09/28 14:30:29 
								
								#
								chmod 622 /dev/console
								chown root /dev/console
								
 
 Xsetup_0 A shell script used for display setup for local console
							server. (X11R5 and latter) Sets up the xconsole which is a
							terminal window that displays system generated messages
							between logins. 
								#!/bin/sh
								# $XConsortium: Xsetup_0,v 1.3 93/09/28
								14:30:31 
								
								/usr/X11R6/bin/xconsole -geometry
								480x130-0-0 -daemon -notify -verbose -fn fixed -exitOnFail 
								 
							
 
 Local Files ~/.xsession User-specific startup script called from the global
							Xsession script. Unlike ~/.xinit this
							can be written in any shell (~/.xinit must
							be a Bourne or Bash shell script) ~/.Xresources User-specific resources read by the global Xsession script. ~/.xsession-errors Error log file for users individual X session. ~/.Xauthority Contains authorization information for users server. XDMCP
							
							 The X Display Manager Control Protocol
							was first introduced in X11 release 4 to solve various
							problems between xdm and X terminals. Prior to XDMCP the only
							way xdm was aware of servers available for management was
							through reading the Xservers file. Since the Xservers file is
							only read at xdm's startup problems developed when X terminals
							where powered off then back on. Basically anytime n X terminal
							was powered up after being off it required a SysAdmin forcing
							xdm to re-read the Xservers file by sending the SIGHUP signal
							to xdm via it's process id. 
							 XDMCP allows servers to talk to xdm
							without it have explicit prior knowledge of the server. Under
							XDMCP the host listens for requests (in any of the three
							supported communication modes) on the XDMCP port and when it
							receives a management requests it spawns a copy of itself and
							transmits the login screen to the terminal. 
							 Communication Modes XDMCP allows three modes of
							communication to servers requesting management that are not
							explicitly listed in the Xservers file; these methods are
							DIRECT, INDIRECT, or BROADCAST. DIRECT mode a server is making a
							non-specific request for management on the network. The first
							xdm process to respond to a DIRECT query becomes the server's
							manager. An INDIRECT query results in the X terminal receiving
							a chooser box which list all host available for connection and
							lets the user decide which host should provide management.
							INDIRECT mode is especially useful in a multiple host
							environment. To implement INDIRECT mode you need to use the
							CHOOSER keyword when setting resources in the Xaccess file.
							Another way to implement the chooser is to use BROADCAST mode
							in conjunction with the CHOOSER resource which sends a
							broadcast message to all hosts on the network and allows the
							user to choose among them. 
							 Chooser When using X terminals that do not offer
							a host menu at startup the chooser programs can be used in
							conjunction with BROADCAST or INDIRECT modes. To enable the
							chooser program use CHOOSER as the first entry in the indirect
							host list of the Xaccess file. eng*.odhs.dsd.com CHOOSER BROADCAST allows all engineering terminals at
							odhs.dsd.com to use a chooser box listing all other hosts
							available. A more likely scenario would be that all the
							terminals in the engineering department have a set list of
							hosts they should be allowed to connect to, this could be
							better accompolished by utilizing the INDIRECT mode. eng*.odhs.dsd.com
							CHOOSER dsdapps.odhs.dsd.com dbsrv.odhs.dsd.com
							test.odhs.dsd.com The above setting would allow all
							terminals in the engineering department to access the
							application, database and test servers via a chooser menu. The Xaccess file will also allow you to
							define macros lo logically group related hosts. Following is
							an example using macros with the previously used settings for
							the engineering depatment. %ENGHOSTS dsdapps.odhs.dsd.com
							dbsrv.odhs.dsd.com test.odhs.dsd.com eng*.odhs.dsd.com CHOOSER %ENGHOSTS The chosers visual settings can be set
							by modifying it's defaults in Xresources file(s). 
 
 Running
							xdmTo test your xdm setup without rebooting, from the console
							issue try $ init 5 this should launch the system to run level 5. xdm is
							usually set up to start automatically when the system enters
							run level 5. If switching to run level 5 does not start xdm
							take a look at /etc/inittab it should tell you which run level
							on your system starts xdm ( Slackware distributions sometimes
							use run level 4 for xdm but most other distributions I've used
							tend to stick with 5). You should now see the xlogin widget
							requesting account name and password and be able to login and
							test your various settings. If you are certain you are at the
							correct run level and xdm still does not respond as expected
							skim through the troubleshooting section below. Otherwise,
							from this point you can tweak the individual settings (check
							out the customization section below). Once you have xdm
							configured, you can modify the /etc/initab file to change the
							default run level at bootup to 5 (or equivalent run level for
							xdm on your system). The modification on my machine is as
							simple as changing #/etc/inittab id:3:initdefault: to id:5:initdefault: 
							 this starts Linux
							in run level 5 by default which in
							turn automatically starts xdm each
							time the system boots up. Troubleshooting xdm If xdm is not functioning as expected
							the first place to look is ~/.xsession-errors.
							This local error log contains errors generated only under your
							account and is therefore more specific than the system logs.
							Below I've outlined some potential "gotcha's" and
							they're potential fixes. Login box doesn't appear on screen This is most likely an error in the
							configuration files, you are testing this before making it the
							default system run level, right? You login successfully and the login
							box reappears Your .xsession
							file may not be executable. Try logging in end but, press
							CTRL-RETURN after your password instead of enter. This
							will bypass the .xsession script
							and give you a single terminal window from which you should 
							 # chmod +x .xsession and try again. After logging on, the screen flickers
							and the login box reappears Use the method stated in the above
							scenario to bypass your .xsession file during login and make
							sure the last command in your .xsession
							file starts in the foreground. 
 
 Conclusion I hope this article has convinced you of the power and
							extensibilty of the X Display Manager. If you're looking for
							more in depth information regarding xdm please check out the
							links below for additional information. Next issue we'll delve
							into the oft overlooked topic of X Window security. Please
							feel free to mail any questions and comments to
							jmccarty@theshop.net 
 |