My initial posting had two questions that I wanted to have answered.
1) Xwindow Terminals were locked out after implementing C2 Security
on DU 3.2. I got an error saying "Cannot obtain database
information on this terminal." I got a lot of answers, and will
paste the answer from DEC, who sent excellent documentation, directly.
2) Implementing a banner message when someone connects via a
Xwindows Terminal
----------------------------------------------------------------------
(1) Answer from DEC (Kym Schwartz)
[dUNIX] How To Enable Xterminal Logins W/ Enhanced Security
COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation.
ALL RIGHTS RESERVED. No distribution except as provided under contract.
Copyright (c) Digital Equipment Corporation 1994, 1995. All rights
reserved.
PRODUCT: Digital UNIX[R], Versions 2.0 and above
COMPONENT: X Display Manager (XDM)
SOURCE: Digital Equipment Corporation
OVERVIEW:
Digital UNIX V2.0 has two security levels that can be enabled. The BASE
security level is the default and closely corresponds to what is generally
known as BSD security. The ENHANCED security level is a C2-compliant
security level that implements a much higher level of security.
Among the operations affected by the ENHANCED security mode is Xterminal
login. This article describes how to:
o Detect if ENHANCED security is installed on a Digital UNIX system
o Detect if ENHANCED security is enabled
o Toggle between the two security modes
o Enable Xterminal login when in ENHANCED security mode
SYMPTOM:
If a system is running ENHANCED security mode, users on Xterminals are not
able to login. The Digital logo appears followed by
an information dialog box that states:
'Cannot obtain database information on this terminal'
When the acknowledge button is pressed, the logo disappears. Telnet
terminal windows, as on a VXT Xterminal, work without a problem.
SOLUTION:
All operations listed below assume the use of the root (superuser) account.
1) To determine if ENHANCED security is INSTALLED, issue the
following command:
# /usr/sbin/setld -i | grep -i secur
OSFC2SEC200    installed   C2-Security (System Administration)
OSFXC2SEC200   installed   C2-Security GUI (System Administration)
2) The following command helps determine which security level is
enabled:
# grep -i secur /etc/rc.config

Command Response             Security Level Enabled
================             ======================
(no response)                BASE

SECURITY="BASE"              BASE
export SECURITY

SECURITY="ENHANCED"          ENHANCED
export SECURITY
3) To toggle between the two security modes, use the secsetup
utility.
# /usr/sbin/secsetup
Enter security level(BASE ENHANCED ?)[ENHANCED]: <RETURN>
ENHANCED security will take effect on the next reboot.
Do you wish to run the audit setup utility (yes no ?)[yes]: NO
Do you wish to disable segment sharing(yes no ?)[no]: NO
There is additional information on the secsetup utility in the man pages
under secsetup(8).
4) To enable login at an Xterminal that has ENHANCED security
enabled:
1. Edit the ttys file used in ENHANCED mode, which is located
in /etc/auth/system.
2. Make a copy of the following line:
local\:0|local\:0.0:t_devname=local\:0:t_xdisplay:t_login_timeout#0:\
:chkent:
3. Replace all the references to "local" with the IP hostname
of the Xterminal in the copied line. In the following example, vxt2000 is
the name of the terminal:
vxt2000\:0|vxt2000\:0.0:t_devname=vxt2000\:0:t_xdisplay:t_login_timeout#0:\
:chkent:
Any errors in the ttys file will produce an error popup when xdm tries to
display with the message:
Error in terminal setup
4. Add a line in /etc/auth/system/devassign. For the
terminal vxt2000 the line reads:
vxt2000\:0:v_devs=vxt2000:0:v_type=xdisplay:chkent:
5. If the login is to be as root add 'vxt2000:0' to the list
in /etc/securettys
In the event of continuing problems starting Xsessions after following the
above steps, the following troubleshooting technique may be used:
Check the entries in /etc/auth/system/devassign and /etc/auth/system/ttys
to be sure that they exactly match the string in the xdm debugged outputs
value of the "Computed display name:"
To find the "Computed display name:" do the following:
1. Stop and restart the xdm daemon with the debug switch on with
the following commands:
# ps -A |grep xdm
 1486 ??    S     0:00.04 /usr/bin/X11/xdm -config /usr/lib/X11/xdm/xdm-co
 1492 ??    S     0:00.54 -:0 (xdm)
 1518 ttyp0 S +   0:00.02 grep xdm
2. The next steps will kill xdm, and allow you to run it with
the debugger.
CAUTION: This will wipe out the console if it is a
workstation, so have the user log out of their Xsessions on the console.
# kill -9 1486
OR
# cd /sbin/init.d
# ./xdm stop
# ps -A|grep xdm
1601 ttyp0 S + 0:00.02 grep xdm
3. Create a unique file named xdm-testing. Run the xdm daemon
interactively and store its output in the xdm-testing file. The following
commands set up the file and start the daemon:
# touch /usr/lib/X11/xdm/xdm-testing
# /usr/bin/X11/xdm -config /usr/lib/X11/xdm/xdm-config -debug 9 > /usr/lib/X11/xdm/xdm-testing
4. Try to start an IP-X session from the xterminal. When it fails,
search for the "Computed display name:" in the output file:
# grep Computed /usr/lib/X11/xdm/xdm-testing
Computed display name: vxtxxxx:0
The computed display name, in this case vxtxxxx must be an exact match with
the entries in the /etc/auth/system/ttys and the /etc/auth/system/devassign
files. If it is not, modify the files and perform another test:
# grep vxtxxxx /etc/auth/system/ttys
vxtxxxx\:0|vxtxxxx\:0.0:t_devname=vxtxxxx\:0:t_xdisplay:t_login_timeout#0:chkent
# grep vxtxxxx /etc/auth/system/devassign
vxtxxxx\:0|vxtxxxx\:0.0:v_devs=vxtxxxx\:0,vxtxxxx\:0.0:v_type=xdisplay:chkent:
Once the problem is solved, the following steps return the system to normal
operating mode:
If you ran the xdm daemon in the foreground, stop it with ^C and use the
following commands to restart it:
# ps -A |grep xdm
# cd /sbin/init.d
# ./xdm start
# ps -A |grep xdm
 1542 ??    S     0:00.04 /usr/bin/X11/xdm -config /usr/lib/X11/xdm/xdm-co
 1548 ??    R     0:00.44 -:0 (xdm)
 1572 ttyp0 S +   0:00.02 grep xdm
REFERENCES:
Man pages for ttys, securettys, secsetup, and setld under Digital UNIX
Version 2.0.
[R] UNIX is a registered trademark in the United States and other countries
licensed exclusively through X/Open Company Ltd.
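The following shell script is an added example, not part of the DEC article or of Digital UNIX. It generates the ttys, devassign and securettys entries for an X terminal in the formats the article shows (the devassign line follows the colon-escaped form from the troubleshooting section), pulls the "Computed display name:" out of an xdm -debug 9 log, and checks that both files carry an entry keyed on exactly that name, which is the mismatch the troubleshooting section tells you to look for. The file contents and log lines in the demo are constructed sample data; the function names and the fully qualified hostname used for the mismatch case are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not DEC's code): build and verify the ENHANCED-security
# entries an X terminal needs. The demo runs on constructed files in a temp
# directory; point the functions at /etc/auth/system/ttys and devassign only
# as root, and only after backing those files up.

# ttys entry for display host:n, in the one-line form of the article's example
ttys_entry() {
    host=${1%%:*}; num=${1#*:}
    printf '%s\\:%s|%s\\:%s.0:t_devname=%s\\:%s:t_xdisplay:t_login_timeout#0:chkent:\n' \
        "$host" "$num" "$host" "$num" "$host" "$num"
}

# devassign entry, in the colon-escaped form shown in the troubleshooting section
devassign_entry() {
    host=${1%%:*}; num=${1#*:}
    printf '%s\\:%s|%s\\:%s.0:v_devs=%s\\:%s,%s\\:%s.0:v_type=xdisplay:chkent:\n' \
        "$host" "$num" "$host" "$num" "$host" "$num" "$host" "$num"
}

# securettys entry; only add it if root is allowed to log in at that display
securettys_entry() {
    printf '%s\n' "$1"
}

# first "Computed display name:" in an xdm debug log, surrounding blanks removed
computed_display() {
    grep 'Computed display name:' "$1" | head -n 1 |
        sed 's/.*Computed display name:[[:space:]]*//; s/[[:space:]]*$//'
}

# true if $1 (a ttys or devassign file) has a line keyed on host\:n for display $2
has_entry() {
    host=${2%%:*}; num=${2#*:}
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')   # dots in the name are literal
    grep -q "^${host_re}\\\\:${num}|" "$1"
}

# compare the display xdm computed ($1 = debug log) with ttys ($2) and devassign ($3);
# returns 0 only when both files have an entry for exactly that name
check_xdisplay() {
    disp=$(computed_display "$1")
    if [ -z "$disp" ]; then
        echo "no 'Computed display name:' line in $1"
        return 2
    fi
    rc=0
    for f in "$2" "$3"; do
        if has_entry "$f" "$disp"; then
            echo "ok:      $f has an entry for $disp"
        else
            echo "MISSING: $f has no entry for $disp"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed files (sample data, not a real system)
demo() {
    d=$(mktemp -d) || return 1
    ttys_entry local:0        >  "$d/ttys"       # the stock local\:0 line
    ttys_entry vxt2000:0      >> "$d/ttys"       # the terminal being added
    devassign_entry vxt2000:0 >  "$d/devassign"
    printf 'Computed display name: vxt2000:0\n' > "$d/xdm-ok.log"
    # constructed mismatch: xdm computed a fully qualified name the files lack
    printf 'Computed display name: vxt2000.example.com:0\n' > "$d/xdm-bad.log"
    if check_xdisplay "$d/xdm-ok.log" "$d/ttys" "$d/devassign"; then
        echo "ok log: entries match"
    fi
    if ! check_xdisplay "$d/xdm-bad.log" "$d/ttys" "$d/devassign"; then
        echo "bad log: change the entries to read $(computed_display "$d/xdm-bad.log")"
    fi
    rm -rf "$d"
}
demo
```

To apply the entries to a real system, append the output of ttys_entry and devassign_entry to the two files under /etc/auth/system (and securettys_entry to /etc/securettys if root logins are wanted), then run check_xdisplay against the xdm-testing log from the article's debugging procedure; any "MISSING" line names the file whose key does not match what xdm computed.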
----------------------------------------------------------------------
(2): Thanks to Rob Peters for this information
Basically you just need to compile "xmotd" for whatever platform you are
running on (You can get it from ftp.x.org). After you build and install
it, you must edit the "Xsession" (or equivalent file for your environment)
to include a call to have xmotd display the contents of one or more files
before going on and running the user's ".xsession" or whatever X startup
files you use.
The following is the line that I inserted into the
/usr/lib/X11/xdm/Xsession file:
"/usr/local/bin/xmotd -always -geo +100+20 /etc/issue /etc/motd"
This results in two popup windows that appear immediately after logon. The
first one displays the contents of the /etc/issue file and waits for you to
click on the "Next Message" button and then the /etc/motd file is
displayed. After this, normal startup is resumed.
Received on Tue Jul 23 1996 - 19:44:00 NZST