SUMMARY: restricting PC eXceed users

From: Roger Spaulding (ras@loveland.ramtron.com)
Date: Thu Feb 13 1997 - 09:27:21 CST


        Hi gang,

        Here's my original posting.

>
> I am trying to restrict some of my PC users access to xdm running
> on one of my SPARCs. The PCs are running eXceed X11 software from
> Hummingbird Communications Ltd.
>
> According to what I've been able to glean from O'Reilly's "X Window
> System Administrator's Guide" there should be a way to do this.
>
> First, as a sanity check, here's what I want to do. I wish to
> restrict certain PCs from getting a login prompt, from a certain
> SPARC, on their monitor while using eXceed.
>
> As I understand the discussion in section 3.5.3 in the O'Reilly
> book I should be able to restrict access of XDMCP queries by
> using the /usr/lib/X11/xdm/Xaccess. I have experimented with
> adding PCs to be restricted to this file.
>
> Flipping over to section 4.1.1, O'Reilly states that "The
> /etc/Xn.hosts file contains a list of systems that are allowed to
> access local server n." So I tried using this file, as described
> in the text, to restrict PC access.
>
> To date neither of these methods work for me.
>
> What am I missing here?
>
> Please advise, any tips or suggested alternatives would be
> appreciated. TIA.
>
> Particulars: SPARCstation 10 running SunOS 4.1.4 and X11R5 pl 23.
> The PCs are laboring under Win95 and eXceed V5.13.
>

        A hearty round of applause goes out to: William T. Reckas
                                                Dave Haut
                                                Dan Pritts
                                                Christian Masopust

        My critical error was to misunderstand the semantics of server
        restriction in the /usr/lib/X11/xdm/Xaccess file. Apparently
        an *, which allows unrestricted server access, is not overridden
        by an entry that begins with an exclamation mark. E.g.:

                                *
                                !deepthought

        This entry in the Xaccess file will NOT deny server access to
        deepthought. If I remove the '*' and then HUP xdm, deepthought is
        then prevented from receiving a server login screen from the
        Sun host.

        Also, the following entry must be in /usr/lib/X11/xdm/xdm-config:

                DisplayManager*authorize: true

        Many thanks to this group. It is a fabulous resource.

        Roger Spaulding
        Network System Administrator
        Ramtron International Corporation
        1850 Ramtron Drive
        Colorado Springs, CO 80921
        ras@ramtron.com

        "History teaches us that man learns nothing from history." -- Hegel

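        An added example, not from this thread: a small sh checker that
        walks an Xaccess file the way xdm answers Direct and Broadcast
        queries, so the "*" before "!deepthought" problem can be seen
        before HUPping xdm. It assumes entries are scanned top to bottom
        and the first match decides (which is what the result above
        implies); the file and host names (deepthought, hal9000) are constructed.

```sh
#!/bin/sh
# Added example: would xdm's Xaccess let HOST get a login window?
# Assumption (consistent with xdm's Direct/Broadcast handling): entries are
# scanned top to bottom and the FIRST matching entry decides, so a leading
# "*" makes every later "!host" line unreachable.  xdm matches the name it
# resolves for the querying display, so the PC must resolve via /etc/hosts
# or NIS for a hostname entry to match at all.
#
# xaccess_check FILE HOST -> exit 0 = allowed, 1 = denied by a "!" entry,
#                            2 = no entry matched (xdm denies that too)
xaccess_check() {
    file=$1; host=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -f; set -- $line; set +f     # split fields, no glob expansion
        [ $# -eq 0 ] && continue         # blank line
        [ $# -gt 1 ] && continue         # CHOOSER/indirect lines: not Direct rules
        case $1 in
            !*) verdict=1; pattern=${1#!} ;;   # "!host" means deny
            *)  verdict=0; pattern=$1 ;;
        esac
        # shell case uses the same * and ? wildcards as Xaccess patterns
        case $host in
            $pattern) return $verdict ;;
        esac
    done < "$file"
    return 2
}

# Constructed Xaccess files: the one from the summary and a reordered one.
demo_xaccess() {
    dir=$(mktemp -d) || return 1
    printf '*\n!deepthought\n' > "$dir/Xaccess.summary"
    printf '!deepthought\n*\n' > "$dir/Xaccess.reordered"
    for f in "$dir"/Xaccess.*; do
        for h in deepthought hal9000; do
            xaccess_check "$f" "$h" && v=allowed || v="denied (code $?)"
            echo "$(basename "$f"): $h $v"
        done
    done
    rm -rf "$dir"
}
demo_xaccess
```

        Run as-is it reports deepthought allowed by the summary's file and
        denied only by the reordered one, with hal9000 allowed by both.
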
        Individual replies follow:
===============================================================================
Roger,

It sounds like you have delved into this problem more than I have, but
what we are doing is creating a /usr/X11R5/lib/xdm/Xstartup file
that is executed for each xdm login session which performs various
things for us. Amongst these items are 1) create a log entry of
users that have logged in (this goes to stderr, which is captured
by the xdm logfile), 2) prevent "root" from logging in via xdm, and
3) to not allow logins during certain periods of time. You could
modify this script to restrict user access dependent upon their
login usernames. I'd imagine you would want to create a list of
valid users in a separate file and then have Xstartup validate the
username against the entries in this file.

I have included part of our "Xstartup" file below :

#!/bin/sh
#
# Xstartup
#
# This program is run as root after the user is verified
#

# Log each login; stderr is captured by the xdm log file
echo "
`date` LOGIN : $USER $DISPLAY
" >&2

# Don't allow root to login through xdm
#
if [ "$USER" = "root" ] ; then
    exit 1
fi

#
# If nologin is in effect, don't let the user in
#
if [ -f /etc/nologin ]; then
    exit 2
fi

Good luck.

Regards.

William T. Reckas

"I wish there was a knob on the TV to turn up the intelligence. There's
 a knob called 'brightness', but it doesn't work."
                -- Gallagher

===============================================================================

Roger,

In eXceed, in configuration, I think you can specify what kind of xdmcp queries
to do. That is either do a broadcast and "bind" to the first xdm server that
answers, or do a "direct" query to a specific xdm server where you specify
what xdm server to bind to.

Hope this helps ...

---------------------------------
  _ /| Dave Haut
  \,o.O'
  =(___)=
     U
        
===============================================================================

On Wed, 5 Feb 1997, Roger Spaulding wrote:
> As I understand the discussion in section 3.5.3 in the O'Reilly
> book I should be able to restrict access of XDMCP queries by
> using the /usr/lib/X11/xdm/Xaccess. I have experimented with
> adding PCs to be restricted to this file.

This file should contain the hostnames of the PCs that you want to
allow to get login windows

make sure you configure exceed to do "direct xdmcp" not "query xdmcp"
(unless you have turned on query access in Xaccess)

as an experiment suggest that you just put a "*" in Xaccess to see
if it works, then work on access control; if you didn't link your
x build with the proper libraries you may have to put the pc hostnames
in /etc/hosts or the NIS hosts map if you run NIS.

> Flipping over to section 4.1.1, O'Reilly states that "The
> /etc/Xn.hosts file contains a list of systems that are allowed to
> access local server n." So I tried using this file, as described
> in the text, to restrict PC access.

i have never run across this but probably it is dealing with the
local (to the Sun) x server, ie, not what you want.

dan pritts
===============================================================================

> As I understand the discussion in section 3.5.3 in the O'Reilly
> book I should be able to restrict access of XDMCP queries by
> using the /usr/lib/X11/xdm/Xaccess. I have experimented with
> adding PCs to be restricted to this file.
>

Hi Roger,

maybe I'm too late, but...

Have you had a look at xdm.config for the section 'DisplayManager*authorize:' ??
Must be set to 'true'.

Hope this helps,
Chris

--
  Christian Masopust                               |    _    |
                                                  _|___/v\___|_ 
                                             -====(~)=(.*.)=(~)====-
                                                       `-'           



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:46 CDT