My original question was unclear, everybody thought I needed to know
how to enter terminals into the ttys file. I dealt with this some time
ago but I appreciate the responders who offered help and good examples:
Jon Trulson <trulsonj_at_clem.mscd.edu>
Igor Natanzon <sysadmin_at_homer.bus.miami.edu>
Juergen Bock <bock_at_dbf.ddb.de>
SYSTEM SUPPORT <SYSTEM_SF_at_unode2.nswc.navy.mil>
SYSTEM SUPPORT sent me the DEC document on this subject from which I
extracted the following tidbit (the complete doc follows this thread).
oooooooooooooooooooooooooooooooooooooooooooooooooooo
SYMPTOM:
If a system is running ENHANCED security mode, users on Xterminals
are not able to login. The Digital logo appears followed by
an information dialog box that states:
'Cannot obtain database information on this terminal'
When the acknowledge button is pressed, the logo disappears. Telnet
terminal windows, as on a VXT Xterminal, work without a problem.
oooooooooooooooooooooooooooooooooooooooooooooooooooo
I have certain Xterms that should *not* have access to certain hosts.
Consequently, I do not put them in the ttys file. If a user inadvertently
chooses one of the hosts for which the xterm is not authorized (off our
large chooser list), pressing the acknowledge button does not cause the
logo to disappear (as stated above); it is an infinite loop. This behavior
is disconcerting to our users, who simply give up using the terminal and
try to find another one, leaving the 'Cannot obtain database information
on this terminal' widget on the display. Obviously an xterm reboot will
fix this but we do not want to encourage our users to reboot xterms:
indiscriminate reboots (during sessions) cause runaway processes.
I have reported this to DEC as a bug.
oooooooooooooooooooooooooooooooooooooooooooooooooooo
Though my question wasn't answered, this topic is a FAQ. I'll include
the answers for any managers that are searching this topic.
oooooooooooooooooooooooooooooooooooooooooooooooooooo
From SYSTEM SUPPORT <SYSTEM_SF_at_unode2.nswc.navy.mil>:
TITLE: [dUNIX] How To Enable Xterminal Logins W/ Enhanced Security
Copyright (c) Digital Equipment Corporation 1994, 1995. All rights
reserved.
PRODUCT: Digital UNIX[R], Versions 2.0 and above
COMPONENT: X Display Manager (XDM)
SOURCE: Digital Equipment Corporation
OVERVIEW:
Digital UNIX V2.0 has two security levels that can be enabled. The
BASE security level is the default and closely corresponds to what is
generally known as BSD security. The ENHANCED security level is a
C2-compliant security level that implements a much higher level of
security.
Among the operations affected by the ENHANCED security mode is
Xterminal login. This article describes how to:
o Detect if ENHANCED security is installed on a Digital UNIX
system
o Detect if ENHANCED security is enabled
o Toggle between the two security modes
o Enable Xterminal login when in ENHANCED security mode
SYMPTOM:
If a system is running ENHANCED security mode, users on Xterminals
are not able to login. The Digital logo appears followed by
an information dialog box that states:
'Cannot obtain database information on this terminal'
When the acknowledge button is pressed, the logo disappears. Telnet
terminal windows, as on a VXT Xterminal, work without a problem.
SOLUTION:
All operations listed below assume the use of the root (superuser)
account.
1) To determine if ENHANCED security is INSTALLED, issue the
following command:
# /usr/sbin/setld -i | grep -i secur
OSFC2SEC200 installed C2-Security (System Administration)
OSFXC2SEC200 installed C2-Security GUI (System Administration)
2) The following command helps determine which security level is
enabled:
# grep -i secur /etc/rc.config
Command Response          Security Level Enabled
================          ======================
(no response)             BASE
SECURITY="BASE"           BASE
export SECURITY
SECURITY="ENHANCED"       ENHANCED
export SECURITY
3) To toggle between the two security modes, use the secsetup
utility.
# /usr/sbin/secsetup
Enter security level(BASE ENHANCED ?)[ENHANCED]: <RETURN>
ENHANCED security will take effect on the next reboot.
Do you wish to run the audit setup utility (yes no ?)[yes]: NO
Do you wish to disable segment sharing(yes no ?)[no]: NO
There is additional information on the secsetup utility in the
man pages under secsetup(8).
4) To enable login at an Xterminal that has ENHANCED security
enabled:
1. Edit the ttys file used in ENHANCED mode, which is located
in /etc/auth/system.
2. Make a copy of the following line:
local\:0|local\:0.0:t_devname=local\:0:t_xdisplay:t_login_timeout#0:\
:chkent:
3. Replace all the references to "local" with the IP hostname
of the Xterminal in the copied line. In the following
example, vxt2000 is the name of the terminal:
vxt2000\:0|vxt2000\:0.0:t_devname=vxt2000\:0:t_xdisplay:t_login_timeout#0:\
:chkent:
Any errors in the ttys file will produce an error popup
when xdm tries to display with the message:
Error in terminal setup
4. Add a line in /etc/auth/system/devassign. For the
terminal vxt2000 the line reads:
vxt2000\:0:v_devs=vxt2000:0:v_type=xdisplay:chkent:
5. If the login is to be as root add 'vxt2000:0' to the list
in /etc/securettys
In the event of continuing problems starting Xsessions after following
the above steps, the following troubleshooting technique may be used:
Check the entries in /etc/auth/system/devassign and
/etc/auth/system/ttys to be sure that they exactly match the string in
the "Computed display name:" value of the xdm debug output.
To find the "Computed display name:" do the following:
1. Stop and restart the xdm daemon with the debug switch on with
the following commands:
# ps -A |grep xdm
1486 ?? S 0:00.04 /usr/bin/X11/xdm -config
/usr/lib/X11/xdm/xdm-co
1492 ?? S 0:00.54 -:0 (xdm)
1518 ttyp0 S + 0:00.02 grep xdm
2. The next steps will kill xdm, and allow you to run it with
the debugger.
CAUTION: This will wipe out the console if it is a
workstation, so have the user log out of their
Xsessions on the console.
# kill -9 1486
OR
# cd /sbin/init.d
# ./xdm stop
# ps -A|grep xdm
1601 ttyp0 S + 0:00.02 grep xdm
3. Create a unique file named xdm-testing. Run the xdm daemon
interactively and store its output in the xdm-testing file.
The following commands set up the file and start the daemon:
# touch /usr/lib/X11/xdm/xdm-testing
# /usr/bin/X11/xdm -config /usr/lib/X11/xdm/xdm-config -debug 9 > /usr/lib/X11/xdm/xdm-testing
4. Try to start an IP-X session from the xterminal. When it fails
search for the "Computed display name:" in the output file:
# grep Computed /usr/lib/X11/xdm/xdm-testing
Computed display name: vxtxxxx:0
The computed display name, in this case vxtxxxx must be an exact match
with the entries in the /etc/auth/system/ttys and the
/etc/auth/system/devassign files. If it is not, modify the files and
perform another test:
# grep vxtxxxx /etc/auth/system/ttys
vxtxxxx\:0|vxtxxxx\:0.0:t_devname=vxtxxxx\:0:t_xdisplay:t_login_timeout#0:chkent
# grep vxtxxxx /etc/auth/system/devassign
vxtxxxx\:0|vxtxxxx\:0.0:v_devs=vxtxxxx\:0,vxtxxxx\:0.0:v_type=xdisplay:chkent:
Once the problem is solved, the following steps return the system to
normal operating mode:
If you ran the xdm daemon in the foreground, ^c stop and use the
following commands to restart it:
# ps -A |grep xdm
# cd /sbin/init.d
# ./xdm start
# ps -A |grep xdm
1542 ?? S 0:00.04 /usr/bin/X11/xdm -config
/usr/lib/X11/xdm/xdm-co
1548 ?? R 0:00.44 -:0 (xdm)
1572 ttyp0 S + 0:00.02 grep xdm
REFERENCES:
Man pages for ttys, securettys, secsetup, and setld under
Digital UNIX Version 2.0.
[R] UNIX is a registered trademark in the United States and other countries
licensed exclusively through X/Open Company Ltd.
oooooooooooooooooooooooooooooooooooooooooooo
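As an added example (not part of the DEC article or of any reply above), the following POSIX sh functions generate the ttys and devassign lines in the format the article shows for vxt2000 and cross-check the "Computed display name:" from the xdm -debug 9 output against both databases, which is the troubleshooting step described above. The file paths are parameters so it can be run against copies; the demo data at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the DEC article: generate and verify the
# ENHANCED-security terminal database entries for one Xterminal.

# Print the /etc/auth/system/ttys line for display host:0.
gen_ttys_entry() {
    printf '%s\\:0|%s\\:0.0:t_devname=%s\\:0:t_xdisplay:t_login_timeout#0:chkent:\n' "$1" "$1" "$1"
}

# Print the /etc/auth/system/devassign line for display host:0.
gen_devassign_entry() {
    printf '%s\\:0:v_devs=%s:0:v_type=xdisplay:chkent:\n' "$1" "$1"
}

# Extract the display name xdm computed from its debug output file.
# Prints e.g. "vxt2000:0"; prints nothing if the line is absent.
computed_display_name() {
    sed -n 's/^Computed display name: *//p' "$1" | head -n 1
}

# Return 0 if file $1 has an entry whose first field is display $2
# written the way the databases expect (host\:0), else 1.
has_entry() {
    host=$(printf '%s\n' "${2%%:*}" | sed 's/\./\\./g')  # drop ":0", escape dots
    grep -q "^${host}\\\\:0[|:]" "$1"
}

# The computed display name must appear in both databases, otherwise
# xdm reports "Cannot obtain database information on this terminal".
# Returns 0 when both match, 1 otherwise, naming each file that lacks it.
check_display() {
    name=$(computed_display_name "$1")
    [ -n "$name" ] || { echo "no 'Computed display name:' in $1"; return 1; }
    rc=0
    for db in "$2" "$3"; do
        has_entry "$db" "$name" || { echo "$name missing from $db"; rc=1; }
    done
    return $rc
}

# Demo on constructed data; a temp dir stands in for /etc/auth/system.
demo() {
    d=$(mktemp -d)
    gen_ttys_entry vxt2000 > "$d/ttys"; gen_devassign_entry vxt2000 > "$d/devassign"
    printf 'Computed display name: vxt2000:0\n' > "$d/xdm-testing"  # constructed
    check_display "$d/xdm-testing" "$d/ttys" "$d/devassign"; rm -rf "$d"
}
demo
```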
Igor Natanzon <sysadmin_at_homer.bus.miami.edu> WROTE:
2. X-windows also truncates the full hostname stripping off the domain.
So you'll have oak instead of oak.oakland.edu
That, however, doesn't work for TTYS which means you'll need to turn off
that feature of xdm. (Putting the truncated hostname in ttys doesn't work)
So edit the file /var/X11/xdm/xdm-config and either add or replace the
line that deals with hostnames:
This is what you need to have in the file to turn off truncation.
DisplayManager.removeDomainname: false
It is very possible that this step is unnecessary but that's what worked
for me.
--
---------------------------------------------------------------------------
Ted Asocks tra_at_ucolick.org
Systems Administrator VOICE: (408)459-4020
UCO/Lick Observatory FAX: (408)454-9863
Received on Thu Nov 30 1995 - 18:33:45 NZDT