|
|||
Department of Engineering | |
University of Cambridge > Engineering Department > computing help |
Other relevant man pages are xhost, xauth, and xdm.
The X clients are programs that make use of the X server, for example xterm, xclock and emacs. They identify the server by means of the $DISPLAY environment variable, or the -display command-line argument.
It is the server that polices security, by deciding which clients are allowed to connect to it. There are two mechanisms you are likely to come across: MIT- MAGIC-COOKIE-1 and Host Access.
In addition to the server and client is the machine I will refer to as the local host; this is the computer that runs xdm (the program that logs you in) and is responsible for managing your collection of windows. If your X server is a workstation then it will be that; if your server is an X-terminal then it will be some other computer. It is the computer that presents a window inviting you to login. Your server documentation will refer to XDMCP; this is the protocol used to communicate with xdm.
The cookie is generated by xdm and stored in your home directory in the file .Xauthority. This file is maintained by the xauth program.
There are three stages to setting up magic cookie authorisation:
Many X servers by default perform no checks at all on which clients are allowed to connect. The details of reconfiguration depend on your server, but usually what you have to do is enable host access control but supply an empty list of allowable hosts. Sometimes it is necessary to include at least one host in the list; use something safe (e.g. the name of the server).
Some servers allow you to use the xhost command on the local host to adjust the configuration. The Bourne/Korn shell commands
xhost - for h in `xhost | tail +2` ; do xhost -$h; donewill enable security and remove all entries from the access list. They can conveniently be included in your .xsession file, or whatever the equivalent is for your particular local host; both are needed. Unfortunately they do not work for PCs running Vista eXceed.
See section 5 for server-specific information.
Once xdm is configured correctly, every time you login it will insert the magic cookie into your file ~/.Xauthority on the local host. You can check this by typing
xauth listand verifying there is an entry for your current display.
If your home directory is shared with the remote machine by NFS then no copying is needed and clients can be started without further ado. But in the more general case it must be transferred.
If the remote machine trusts the local one (type "man hosts.equiv" for details about this), you can use
xauth extract - $DISPLAY | remsh remhost xauth merge -to extract the magic cookie from the local .Xauthority and incorporate it in the remote one.
If xauth is not found on the remote machine then try the full path name (/usr/bin/X11/xauth, perhaps). If remsh isn't found on the local machine, try rsh.
Once the magic cookie has been copied you can start the X client on the remote machine. Either start it with remsh, rsh, xon or use rlogin to login and then start it. Unless you're using xon you must ensure that the DISPLAY environment variable is set correctly.
It works by you configuring your server to allow X connections from ALL users on a specified list of machines. The configuration can be done by
xhost +zx81.rummidge.ac.uk
allows any user on the zx81 machine to run an X client connecting to your X server.
The xhost command without any parameters lists the current access list. If it reportsaccess control disabled, clients can connect from any hostthen security is disabled and you are asking for serious trouble.
xhost -will make you safe (for the current session).
We don't recommend using xhost to authorise the CUED machines.
xserver-access-control-enabled = on xserver-access-control-enabled-default = on xserver-access-control-list = {} exec-access-control-enabled = true exec-access-control-list = {} config-access-control-enabled = true config-access-control-list = {}These values can also be set on the Access Control section of the Setup menu, but they will be lost when the terminal is rebooted.
(a) Select 'Set X parameters'. (b) Toggle 'Host access control' to 'Enabled'. (c) Set 'Initial access host' to the numeric Internet address of your terminal (if you don't know it look in /etc/hosts). (d) Set 'Retain X settings on recycle' to 'No'. (e) Select 'Save/restore configuration parameters'. (f) Select 'Save current changes to NVRAM'.
(a) Create file /etc/X0.hosts containing single character '-' (b) Check for lines 'xhost +' in /usr/lib/X11/xdm/Xsession-remote, /usr/lib/X11/xdm/Xsession and /usr/lib/X11/xdm/Xsession.dt ; replace them with 'xhost -'. Repeat this whenever you upgrade the operating system. (c) Change /usr/lib/X11/xdm/xdm-config so that 'DisplayManager*authorize' is set to 'true'.
(a) Click on XConfig program and select 'Access' option. (b) Select 'Edit'. You are now editing a configuration file (access.src), which should include detailed instructions. Insert a line containing /SECURITY and make sure there are no lines containing /ACCESS (c) Save the file, exit from the editor and then select 'Compile'.If using version 3.0.1 of Vista eXceed the format of the file access.src is different; it is simply a list of hosts which are allowed access. Unfortunately you are not allowed to create an empty list, so you have to include one safe host. The safest one is the IP name of your PC; this must correspond with the name in the hosts file, which you can see by selecting 'Communication' in the XConfig/W window and then 'Edit hosts file'. After changing the access rules (either version) you need to logoff and login again in order for them to take effect.
Get whoever looks after the machine to check that the system configuration files enable the Xauthority mechanism (see earlier sections)
If you're using Xwin see the X-Win32 configuration page.
If you have the same directory on all the machines you use (in particular, if you only use the Teaching System) then all you have to do to use remote X clients is to set the DISPLAY on the remote machine or use xon. See the Frequently Asked Questions for details.
However, if you use distinct systems then you have to get the per-session information put in .Xauthority at the start of each session from the local machine to the remote one, so that programs run remotely can pick up the per-session "password". The Teaching System's xon program has an option that supports this, (e.g. "xon remote-host -passxauth xclock") as long as your .rhosts on the distant machine is ok (see below).
If this doesn't work, or you're not on the Teaching System, you may have to try copying the whole file over, or transfering only the relevant information by doing
xauth extract - $DISPLAY | remsh remote-host xauth merge -
at the start of each session. This line might fail for at least 3 reasons
... remsh remote-host /usr/bin/X11/xauth ...
instead.
Bob Vickers (Systems Group, ULCC) UNIVERSITY OF LONDON COMPUTER CENTRE 20 Guilford Street London WC1N 1DZ Tel: +44 171-405 8400
The localisation was done by Tim Love (CUED)
| computing help | |