Only one response to this, thanks to Spider Boardman
<spider_at_Orb.Nashua.NH.US>.
The wildcard support in the C2 ttys/devassign files/dbs only allows
wildcarding of the whole hostname/displayname. This means that if I want
to wildcard, I essentially have to allow all hosts and use Xaccess to
control access to the XDMCP server. Currently I can't do this because
Xaccess uses DNS reverse lookups and none of the PC's are DNS registered
(they are not allowed direct access to the internet), but this shouldn't
be an issue in itself (I hope) since X is blocked at the firewall.
Spider's response:
------------------
As regards the things which didn't work--First, the entry name
MUST MATCH the t_devname= field. Second, the only wildcarding is
for '*' and '*:*'.
If the PC's are not in DNS, then they should be. It's a DNS
configuration error for them not to be. Assuming the current
situation is related to DHCP, there's no reason not to have
'generic' back-translations of the form 'Hnnn.mmm.foo.com', with
matching A records to get consistent forward definitions.
Finally, note that you had to get the X connection in the first
place, before the settings in devassign and ttys.db matter. So,
you're probably being overly paranoid, in that the wildcard
entries for X terminals should still implicitly match only what
you can get through Xaccess.
------------------
my original question:
---------------------
I have a number of PC's with eXcursion X server software. I have been
asked to provide XDMCP access to our [DT]U servers. From the archive I
picked up an article describing how to create wildcard
/etc/auth/system/ttys and /etc/auth/system/devassign entries. Which
works ok, but since that matches against any host, what I really wanted
to do was to wildcard given subnets.
The following works:
/tcb/bin/edauth -dt -s <<-\X
*\:*:\
:t_devname=*\:*:t_lock@:t_login_timeout#0:t_xdisplay:\
:chkent:
X
/tcb/bin/edauth -dv -s <<-\X
*\:*:\
:v_devs=*\:*:v_type=xdisplay:chkent:
X
Leaving the devassign entry as it is, I tried to use a more restrictive
ttys wildcard:
/tcb/bin/edauth -dt -s <<-\X
nnn.mmm.*\:*:\
:t_devname=nnn.mmm.*\:*:t_lock@:t_login_timeout#0:\
:t_xdisplay:chkent:
X
which edauth seems to accept, but then I get the notorious "Cannot
obtain database info" dialog.
I also tried:
/tcb/bin/edauth -dt -s <<-\X
nnn.mmm.*\:*:\
:t_devname=*\:*:t_lock@:t_login_timeout#0:\
:t_xdisplay:chkent:
X
Which edauth rejected.
I tried using Xaccess to restrict the hosts that could get a chooser,
but this only seems to work on hostnames and the PC's are not DNS
registered. I think it would be impractical to manage a hostname/IP
address list.
Any suggestions? (Am I being overly paranoid?), thanks,
---------------------
Thanks again to Spider,
Simon
--
Simon Greaves voice: (+679) 212114
Computer Centre fax: (+679) 304089
The University of the South Pacific email: Simon.Greaves_at_usp.ac.fj
Suva, Fiji
Received on Mon Mar 29 1999 - 21:23:26 NZST
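
Added example (not part of the original post or of Spider's reply): a sketch of the 'generic' back-translations Spider suggests, generating matching PTR and A records for a DHCP range, checking that every reverse name resolves forward to the same address, and showing why a single hostname pattern in Xaccess can then cover the whole range. The zone pc.example.com, the 192.0.2.0/30 range, the h<d>.<c> naming and all function names are assumptions; the pattern check is a simplified model of name-based matching, not xdm's code.

```python
import fnmatch
import ipaddress

DOMAIN = "pc.example.com"  # placeholder zone for the DHCP-addressed PCs

def generic_name(ip, domain=DOMAIN):
    """a.b.c.d -> h<d>.<c>.<domain> (assumed reading of 'Hnnn.mmm.foo.com')."""
    octets = ipaddress.IPv4Address(str(ip)).packed
    return f"h{octets[3]}.{octets[2]}.{domain}"

def zone_records(cidr, domain=DOMAIN):
    """Return (A lines, PTR lines) in master-file syntax for each host in cidr."""
    a_lines, ptr_lines = [], []
    for ip in ipaddress.ip_network(cidr).hosts():
        name = generic_name(ip, domain)
        a_lines.append(f"{name}.\tIN A\t{ip}")
        ptr_lines.append(f"{ip.reverse_pointer}.\tIN PTR\t{name}.")
    return a_lines, ptr_lines

def unconfirmed(a_lines, ptr_lines):
    """Addresses whose PTR target has no A record pointing back at them."""
    forward = {}
    for line in a_lines:
        name, _, _, addr = line.split()
        forward[name] = addr
    bad = []
    for line in ptr_lines:
        owner, _, _, target = line.split()
        addr = ".".join(reversed(owner.split(".")[:4]))
        if forward.get(target) != addr:
            bad.append(addr)
    return bad

def xaccess_match(ip, ptr_lines, patterns):
    """Model of a name-based Xaccess check: reverse-resolve, then glob match."""
    reverse = {l.split()[0]: l.split()[3] for l in ptr_lines}
    owner = ipaddress.IPv4Address(str(ip)).reverse_pointer + "."
    name = reverse.get(owner)
    if name is None:  # no PTR record: nothing for a hostname pattern to match
        return False
    host = name.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)

if __name__ == "__main__":
    a, ptr = zone_records("192.0.2.0/30")  # constructed sample range
    print("\n".join(a + ptr))
    print("unconfirmed:", unconfirmed(a, ptr))
    print("allowed:", xaccess_match("192.0.2.1", ptr, ["*.pc.example.com"]))
```
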