Thank you to
Corinne Haesaerts
Marie-Thérèse Jonnaert
and
Phillip Brown.
Below is Phillip Brown's interesting mail:
==============================
You're using C2 security? Try this:
Among the operations affected by the ENHANCED security mode are Xterminal
and PC Xserver login. By default, the local console is the only X display
enabled in ENHANCED security mode. So, you'll need to do the following:
1. Add the xdisplay terminal to terminal files /etc/auth/system/ttys:
echo \
'local\:0|local\:0.0:t_devname=local\:0:t_xdisplay:t_login_timeout#0:chkent:' \
| /tcb/bin/edauth -s -dt
2. Add xdisplay type to /etc/auth/system/devassign:
echo \
'local\:0|local\:0.0:v_devs=local\:0,local\:0.0:v_type=xdisplay:chkent:' \
| /tcb/bin/edauth -s -dv
Notes: The -d option specifies the database:
The -dt creates info in /etc/auth/system/ttys.db
The -dv creates info in /etc/auth/system/devassign
t_login_timeout:
This field specifies the login time-out value in seconds. If a login attempt
is initiated by entering a user name at the login prompt but successful
authentication is not completed within the time-out interval specified, the
login attempt is aborted.
t_xdisplay:
This field indicates that the entry is an X window display managed by xdm,
rather than a terminal device.
You can check your work with edauth as well:
# edauth -dt -g | grep xdisplay
You can find the following in the Security Manual under "Creating and
Modifying Secure Devices". (The manual details the wildcard way of doing
this.)
Section 8.2 of the "Digital UNIX Security Manual" discusses the procedure
for editing the ttys and devassign databases and is included below.
--------------------------------------------------------
8.2 Updating Security Databases
When you assign device defaults or device-specific parameters, the system
updates the following security databases: The system defaults database,
/etc/auth/system/default, contains the default values (for example, default
control parameters) for all system devices.
The device assignment database, /etc/auth/system/devassign, contains
device-specific values for system devices. The terminal control database,
/etc/auth/system/ttys.db, contains device-specific values for authentication
(for example, the number of failed login attempts).
Each device to be used in your secure configuration must have an entry in
the device assignment database. This database centralizes information about
the security characteristics of all system devices. It includes the device
pathname and type. By default a wildcard entry exists for terminals (but not
X displays) in the /etc/auth/system/ttys.db and /etc/auth/system/devassign
databases.
The X display entries shipped on the system have :t_login_timeout#0: entries
in them, in case a site changes its system default login timeout. If
wildcard X display entries are needed, they can be created with the two
commands that follow:
# echo \
'*\:*:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:' \
| /tcb/bin/edauth -s -dt
The above command will send the quoted string to the edauth utility. The -s
on the edauth command will cause the existing entry to be overwritten, and
the -dt will apply the changes to the ttys database. The backslash (\) at
the end of the line is a continuation. The backslash within the quoted
string says to pass the next character as is without conversion.
# echo '*\:*:v_type=xdisplay:chkent:' | /tcb/bin/edauth -s -dv
The above command will send the quoted string to the edauth utility. The -s
will cause the existing entry to be overwritten, and the -dv will apply the
changes to the devassign database.
NOTE:
The online and hardcopy versions of this document contain a typographical
error (an extra backslash after the text ":chkent:"). The error has been
removed from this article.
----------------------------- end of document --------------------------
If you wish, you can substitute specific Xterminal or PC Xserver node names
for the wildcards noted above. For example, say you have an xterminal
registered on the network as node 'foo'. To add this node to your databases,
take the examples above and substitute the name of the xterminal for the
asterisks as follows:
# echo \
'foo\:0:t_devname=foo\:0:t_login_timeout#0:t_xdisplay:chkent:' \
| /tcb/bin/edauth -s -dt
# echo 'foo\:0:v_type=xdisplay:chkent:' | /tcb/bin/edauth -s -dv
In the event of continuing problems starting X window logins after following
the above steps, the following troubleshooting technique may be used:
Check the entries in /etc/auth/system/devassign.db and ttys.db using
/tcb/bin/edauth -g -dt and -g -dv (man 8 edauth) to be sure that they
exactly match the entry in the /var/adm/sialog. If the file /var/adm/sialog
does not exist then create it by doing the following:
- Login as root
- Type 'touch /var/adm/sialog'
- Type 'chmod 664 /var/adm/sialog'
- Try to login again and the file will contain the computed display name.
The computed display name, in this case 'foo', must be an exact match with
the entries in the /etc/auth/system/ttys.db and
/etc/auth/system/devassign.db files (as shown by edauth). If it is not,
modify the files with edauth and perform another test.
==========================
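The troubleshooting check described in the mail above (the computed display name must exactly match an entry in both the ttys and devassign databases), as an added example that is not part of the original mail. The helper names `has_field` and `display_ready` are hypothetical, the dumps are assumed to be the authcap text that `edauth -g` prints, and the sample entries are constructed from the strings quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. has_field and display_ready are
# hypothetical helpers; the dumps are assumed to be the text printed by
# `edauth -g -dt` / `edauth -g -dv` (authcap entries, "\:" = literal colon,
# optional trailing-backslash line continuation).

# has_field NAME FIELD: entries on stdin; succeeds if an entry whose name or
# alias is exactly NAME carries FIELD.
has_field() {
    awk -v want="$1" -v field="$2" '
    { buf = buf $0 }
    /\\$/ { sub(/\\$/, "", buf); next }   # continued on the next line
    {
        gsub(/\\:/, "\001", buf)          # protect escaped colons
        n = split(buf, f, ":"); buf = ""
        m = split(f[1], names, "|"); hit = 0
        for (i = 1; i <= m; i++) {
            gsub("\001", ":", names[i])
            if (names[i] == want) hit = 1
        }
        for (i = 2; hit && i <= n; i++) if (f[i] == field) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# display_ready NAME TTYS_DUMP DEVASSIGN_DUMP: NAME needs a t_xdisplay entry
# in ttys and a v_type=xdisplay entry in devassign.
display_ready() {
    rc=0
    printf '%s\n' "$2" | has_field "$1" t_xdisplay ||
        { echo "$1: no t_xdisplay entry in ttys dump"; rc=1; }
    printf '%s\n' "$3" | has_field "$1" v_type=xdisplay ||
        { echo "$1: no v_type=xdisplay entry in devassign dump"; rc=1; }
    return $rc
}

# Constructed sample dumps built from the entry strings in the mail; the
# foo:0 devassign entry is left out on purpose.
TTYS='local\:0|local\:0.0:t_devname=local\:0:t_xdisplay:t_login_timeout#0:chkent:
foo\:0:t_devname=foo\:0:t_login_timeout#0:\
    :t_xdisplay:chkent:'
DEVASSIGN='local\:0|local\:0.0:v_devs=local\:0,local\:0.0:v_type=xdisplay:chkent:'

display_ready 'local:0.0' "$TTYS" "$DEVASSIGN" && echo "local:0.0: ok"
display_ready 'foo:0' "$TTYS" "$DEVASSIGN" || echo "add the entry with edauth and retest"
```

On a live system the two dumps would come from `edauth -g -dt` and `edauth -g -dv`, and the name to test from the computed display name logged in /var/adm/sialog.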
My original mail:
Hello,
Since my alphaserver is in Tru64 UNIX V5.1, xdmcp from eXcursion cannot see
the machine.
No problem with machines in Tru64 UNIX V4.0F
What should I do to be able to connect thru eXcursion XDMCP ?
Update :
As I cannot do any rexec command either, I think I have missed some
configuration on this V5.1 alpha server.
Does anyone know?
Claudine Berthoud
Proxis-Services
Z.I. du Bois de l'Epine
11, avenue Joliot Curie
BP 202
91007 Evry Cedex
Tel : 01 69 77 95 27
e-mail : cberthoud_at_proxis-services.fr
Received on Mon Jun 18 2001 - 07:14:10 NZST