InDepth: Configuring xdm
Have you ever wanted to access your workstation's desktop remotely? How about accessing your desktop on a server machine? That's just the sort of problem I needed to solve recently. I was responsible for setting up and managing a group of Linux servers. By the fifth trip to the lab to access a GUI console for various reasons (badge access, key codes, flights of stairs, etc.), it was time to find a solution that would allow me to use my workstation to access X desktops on various server machines.
Some may think that the standard X tools used to handle remote sessions would be sufficient to solve my problem—something like:
telnet host1 export DISPLAY=mywkstn:0 gnome-session
(or some other session manager).
However, the solution I was looking for needed to provide more than just basic functionality. It needed to be more administrable, appear more automatic and be easier to use for developers new to Linux. There are pitfalls associated with authentication, session management, etc., that require some knowledge of the way X works. For example, I often forget to type xhost +host1 when using remote X clients. I also have been on the receiving end of a puzzled look when trying to explain the xhost authentication scheme to a Linux newbie. Since this development project was not the time to teach developers the basics of X, I was looking for a solution that fulfilled all of these requirements.
A couple of solutions would allow me to manage the X sessions more easily. The solution I chose for this project was the X display manager, or xdm, although another popular solution is vnc. I chose xdm over vnc for two reasons. First, vnc has a server-side requirement to have a dæmon running for each shared desktop. Second, I already had X server software installed on all of the workstations and didn't see the need to install additional client software. Other choices are kdm and gdm, part of the KDE and GNOME packages, respectively.
X is the graphical support system used in most UNIX environments. If you are using GNOME or KDE on your Linux desktop, then you are making use of the X Window System. It is defined and maintained by the X Consortium (www.X.org). Most Linux users use an implementation of the X Window System offered by the XFree86 Project (www.xfree86.org). xdm is a display manager that enables flexible session management functionality. While xdm is usually thought of as “that GUI logon screen that auto-starts my X stuff”, it is actually much more powerful, as we will see.
In the X world, the terms client and server can get a little confusing. Specifically, an X server is the application that controls the keyboard, mouse and display resources. A client is an application that makes requests for the server to perform actions on its behalf (i.e., display a window with some set of specified characteristics). This is a little different for those of us used to thinking of applications running on our workstations as clients.
xdm uses the X Consortium's X display manager control protocol, XDMCP, to communicate with the X servers. This allows X servers to obtain session services from servers running xdm. Three types of queries can be sent by X servers:
Direct—asks the named host directly to display a login screen.
Broadcast—broadcasts a message to all hosts on the network, and the first to answer offers the login-processing services.
Indirect—contacts a named host running xdm and asks it about known hosts with which it may communicate. The xdm server will present a list of available servers willing to manage an X session. The X server will eventually end up communicating directly with the selected host to obtain login-processing services.
One of the initial reasons xdm was created was to allow for management of X terminals. These devices are basically a display, keyboard and mouse with embedded X server software; all intelligence is located on a server in the network. xdm was used to push login screens and manage sessions for these devices. Several years ago these devices were popular because access to UNIX workstations was limited. Users who wanted to access graphical desktops at their desks were either lucky enough to have a UNIX workstation at their desk or required one of these devices. Lately these devices have become less popular and are being replaced by PCs running X server software, such as Linux and other Unices (Solaris x86, xBSD, etc.) or Windows (running Hummingbird Exceed or the like).
When using xdm to manage these X sessions there are some configuration gotchas. At first glance, it may appear that if you configure xdm (in order to take advantage of XDMCP), you get either a local X server started (i.e., the console goes into graphical mode when xdm starts) or, if you disable the local display in xdm and use startx, it doesn't give you access to the chooser. The configuration described here allows any XDMCP client to access the Linux server desktops (subject to X security provisions, of course). It also demonstrates one way to configure xdm in order to get both a local X desktop and access to other server desktops from the workstation.
Security and access control are managed by xdm but are beyond the scope of this article. xdm should only be used in controlled environments. In addition, incoming port 177 should be blocked on all firewalls. If you're interested in X security issues, the following man pages are a good place to start: xdm(1), xauth(1), Xsecurity(7), lbxproxy(1)--Low Bandwidth X proxy, xfwp(1)--X Firewall Proxy, and ssh(1) and sshd(8) man pages, specifically regarding X11 port forwarding.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- BitTorrent Inc.'s Sync
- The Death of RoboVM
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The Humble Hacker?
- The US Government and Open-Source Software
- New Container Image Standard Promises More Portable Apps
- Open-Source Project Secretly Funded by CIA
- AdaCore's SPARK Pro
- ACI Worldwide's UP Retail Payments
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide