Thanks to everyone who replied:
Jon Buchanan <Jonathan.Buchanan_at_ska.com>
Joe Spanicek <joe_at_resptk.bhp.com.au>
Andrew Greer <Andrew.Greer_at_vuw.ac.nz>
Jacek Skorupski <jsk_at_it.pw.edu.pl>
jem_at_unxaxp.iso.dec.com
I would like to post the whole answer jem wrote to me. It is a very
complete summary. Here it is:
Among the operations affected by the ENHANCED security mode is
Xterminal login. This article describes how to:
o Detect if ENHANCED security is installed on a Digital UNIX
system
o Detect if ENHANCED security is enabled
o Toggle between the two security modes
o Enable Xterminal login when in ENHANCED security mode
SYMPTOM:
If a system is running ENHANCED security mode, users on Xterminals
are not able to login. The Digital logo appears followed by
an information dialog box that states:
'Cannot obtain database information on this terminal'
When the acknowledge button is pressed, the logo disappears. Telnet
terminal windows, as on a VXT Xterminal, work without a problem.
SOLUTION:
All operations listed below assume the use of the root (superuser)
account.
1) To determine if ENHANCED security is INSTALLED, issue the
following command:
# /usr/sbin/setld -i | grep -i secur
OSFC2SEC200 installed C2-Security (System Administration)
OSFXC2SEC200 installed C2-Security GUI (System Administration)
2) The following command helps determine which security level is
enabled:
# grep -i secur /etc/rc.config
Command Response        Security Level Enabled
================        ======================
(no response)           BASE
SECURITY="BASE"         BASE
export SECURITY
SECURITY="ENHANCED"     ENHANCED
export SECURITY
3) To toggle between the two security modes, use the secsetup
utility.
# /usr/sbin/secsetup
Enter security level(BASE ENHANCED ?)[ENHANCED]: <RETURN>
ENHANCED security will take effect on the next reboot.
Do you wish to run the audit setup utility (yes no ?)[yes]: NO
Do you wish to disable segment sharing(yes no ?)[no]: NO
There is additional information on the secsetup utility in the
man pages under secsetup(8).
4) To enable login at an Xterminal that has ENHANCED security
enabled:
1. Edit the ttys file used in ENHANCED mode, which is located
in /etc/auth/system.
2. Make a copy of the following line:
local\:0|local\:0.0:t_devname=local\:0:t_xdisplay:t_login_timeout#0:\
:chkent:
3. Replace all the references to "local" with the IP hostname
of the Xterminal in the copied line. In the following
example, vxt2000 is the name of the terminal:
vxt2000\:0|vxt2000\:0.0:t_devname=vxt2000\:0:t_xdisplay:t_login_timeout#0:\
:chkent:
Any errors in the ttys file will produce an error popup
when xdm tries to display with the message:
Error in terminal setup
4. Add a line in /etc/auth/system/devassign. For the
terminal vxt2000 the line reads:
vxt2000\:0:v_devs=vxt2000:0:v_type=xdisplay:chkent:
5. If the login is to be as root, add 'vxt2000:0' to the list
in /etc/securettys.
In the event of continuing problems starting Xsessions after following
the above steps, the following troubleshooting technique may be used:
Check the entries in /etc/auth/system/devassign and
/etc/auth/system/ttys to be sure that they exactly match the string in
the "Computed display name:" value of the xdm debug output.
To find the "Computed display name:" do the following:
1. Stop and restart the xdm daemon with the debug switch on with
the following commands:
# ps -A |grep xdm
1486 ?? S 0:00.04 /usr/bin/X11/xdm -config /usr/lib/X11/xdm/xdm-co
1492 ?? S 0:00.54 -:0 (xdm)
1518 ttyp0 S + 0:00.02 grep xdm
2. The next steps will kill xdm, and allow you to run it with
the debugger.
CAUTION: This will wipe out the console if it is a
workstation, so have the user log out of their
Xsessions on the console.
# kill -9 1486
OR
# cd /sbin/init.d
# ./xdm stop
# ps -A|grep xdm
1601 ttyp0 S + 0:00.02 grep xdm
3. Set xdm output to go to a unique file named 'touch':
# touch /usr/lib/X11/xdm/xdm-testing
Or use the xdm-errors via the -error switch:
# /usr/bin/X11/xdm -config /usr/lib/X11/xdm/xdm-config -debug 9 > /usr/lib/X11/xdm/xdm-testing
4. Try to start an IP-X session from the xterminal and search
for the "Computed display name:" in the output file:
# grep Computed /usr/lib/X11/xdm/xdm-testing
Computed display name: vxtxxxx:0
The computed display name, in this case vxtxxxx, must be an exact match
with the entries in the /etc/auth/system/ttys and the
/etc/auth/system/devassign files. If it is not, modify the files and
perform another test:
# grep vxtxxxx /etc/auth/system/ttys
vxtxxxx\:0|vxtxxxx\:0.0:t_devname=vxtxxxx\:0:t_xdisplay:t_login_timeout#0:chkent
# grep vxtxxxx /etc/auth/system/devassign
vxtxxxx\:0|vxtxxxx\:0.0:v_devs=vxtxxxx\:0,vxtxxxx\:0.0:v_type=xdisplay:chkent:
Once the problem is solved, the following steps return the system to
normal operating mode:
If you ran the xdm daemon in the foreground, stop it with ^C and use the
following commands to restart it:
# ps -A |grep xdm
# cd /sbin/init.d
# ./xdm start
# ps -A |grep xdm
1542 ?? S 0:00.04 /usr/bin/X11/xdm -config /usr/lib/X11/xdm/xdm-co
1548 ?? R 0:00.44 -:0 (xdm)
1572 ttyp0 S + 0:00.02 grep xdm
REFERENCES:
Man pages for ttys, securettys, secsetup, and setld
Received on Thu Aug 31 1995 - 20:05:48 NZST
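
The exact-match check from the troubleshooting steps above, as an added example that is not part of the original post or of Digital's tooling. The function names are hypothetical and the file contents are constructed samples modelled on the entries quoted above; the script only reads the files, treating the name field as the "|"-separated alternatives before the first unescaped ":".

```shell
#!/bin/sh
# Added example, not from the original post. Sample file contents are constructed.

# Print the last "Computed display name:" value found in an xdm debug log.
computed_display() {
    sed -n 's/^.*Computed display name:[[:space:]]*//p' "$1" | tail -n 1
}

# Succeed if file $2 has an entry whose name field (the "|"-separated
# alternatives before the first unescaped ":") contains display $1 exactly.
has_entry() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        {
            line = $0
            gsub(/\\:/, SUBSEP, line)          # hide escaped colons
            n = index(line, ":")
            names = (n ? substr(line, 1, n - 1) : line)
            gsub(SUBSEP, ":", names)           # restore them, unescaped
            k = split(names, alt, "|")
            for (i = 1; i <= k; i++) if (alt[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }' "$2"
}

# Compare the display name xdm computed against both databases.
# Returns 0 if both match, 1 if an entry is missing, 2 if the log has no name.
check_display() {
    name=$(computed_display "$1")
    [ -n "$name" ] || { echo "no computed display name in $1"; return 2; }
    rc=0
    for f in "$2" "$3"; do
        if has_entry "$name" "$f"; then echo "OK      $name  $f"
        else echo "MISSING $name  $f"; rc=1; fi
    done
    return $rc
}

# Constructed sample data: devassign carries a one-character typo (vxt200).
d=$(mktemp -d)
echo 'Computed display name: vxt2000:0' > "$d/xdm-testing"
cat > "$d/ttys" <<'EOF'
vxt2000\:0|vxt2000\:0.0:t_devname=vxt2000\:0:t_xdisplay:t_login_timeout#0:\
:chkent:
EOF
cat > "$d/devassign" <<'EOF'
vxt200\:0:v_devs=vxt200\:0:v_type=xdisplay:chkent:
EOF
check_display "$d/xdm-testing" "$d/ttys" "$d/devassign" || true
```

On a real system the three arguments would be the xdm debug output file, /etc/auth/system/ttys and /etc/auth/system/devassign.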