Linux-Based X Terminals with XDMCP
The display manager login screen and chooser interface are fully customizable. If you are running gdm, you may use the graphical setup utility gdmsetup or modify the text file /etc/X11/gdm/gdm.conf. If you are running kdm, modify /etc/X11/xdm/kdmrc. If you are running xdm, start with modifying /etc/X11/xdm/Xresources. If you don't find everything you want to customize in these files, look at the other files in /etc/X11/xdm/, for example, XSetup_0 or xdm-config. I expect most people choose to use gdm or kdm, so I won't go into details on xdm customization. Also, because gdm offers a graphical customization tool, I scratch only the surface of customizations, focusing on kdm customization under Red Hat only.
Regardless of which display manager you run, you may want to consider customizing a few things. For example, you may want your own background image and your own welcome message to appear on the login screen, and you definitely want to prevent users from shutting down the server through the login window. For kdm users, the background image is presented on the login screen by an auxiliary program called xsri. Under Red Hat, the script /etc/X11/xdm/XSetup_0 checks for the existence of the program and the associated file /etc/X11/xsrirc. If both exist, xsri is run and the graphic indicated in /etc/X11/xsrirc is displayed on the login screen. So, if you want to change the background image, simply change the graphic file listed in /etc/X11/xsrirc. To change the welcome message, find the GreetString option under the [X-*-Greeter] section of the file kdmrc. You may set this string equal to anything you like, but long messages may not display fully or may distort the appearance of the login window. Macros may be used in the GreetString too. For example, the default greeting is "Welcome to %s at %n" where %s is expanded into the operating system and %n is expanded into the node name (usually the hostname without domain name). Other macros are available and are listed above the GreetString line in kdmrc.
Finally, and most importantly, you need to keep regular users from shutting down the server. Allowing them to shut down is dangerous because they may shut it down while other users are working on the same machine. Again, inside the file kdmrc, find the AllowShutdown option under both the [X-*-Core] section and the [X-:*-Core] section and set them both to Root. This change requires the root password in order to shut down the machine from the login window. Additionally, when a user logs out of a session, the shutdown option does not appear in the ensuing dialog box. However, you may prefer to set these options to None, in which case the shutdown button will not appear at all in the login window.
Multiple servers may be set up in exactly the manner described in the section on configuring a server, and they can be accessed by X terminals in exactly the manner described in the section on configuring an X terminal. However, this requires the user to pick a server to login to and to know its name or IP address. A more effective method of managing multiple servers is to run a chooser and have users of X terminals submit indirect queries.
To begin, configure each server as described previously. Then, pick one machine to run a chooser. On this machine, modify the file /etc/X11/xdm/Xaccess in one of two ways. The easiest way is to uncomment the line * CHOOSER BROADCAST. When an indirect query is received, the chooser sends out a broadcast query and displays a list of machines that responded to the query. The X terminal user then may select to log in to one of these machines. This setup does not work in all environments, however, and you may not want to give users access to all servers on your network.
To be selective as to which servers are reported by the chooser, comment out the line * CHOOSER BROADCAST by putting a # at the beginning and uncomment the lines #%hostlist host-a host-b and #* CHOOSER %hostlist. Then, replace host-a host-b with a space-separated list of all hosts that you wish to appear in the chooser. This way, the chooser can send direct queries to each machine in the list and report the results to the chooser.
Finally, to see the chooser from an X terminal, run X with the option -indirect my.XDMCP.chooser, where my.XDMCP.chooser is the name of the machine configured to supply a chooser. Under UNIX, remember the command to run X is X and under Cygwin it is XWin.exe.
Advantages: the main advantages of running XDMCP are clear from the goal you wish to meet by running it. However, there are some disadvantages, one big one being the lack of security. Additionally, access to the X terminal's sound card, floppy drive, CD-ROM drive, scanner and any other local hardware besides the keyboard, mouse and monitor is difficult at best. I do not have a reasonable solution to offer on this issue. Perhaps someone can offer one in a future article.
Security: as stated earlier, XDMCP is an insecure protocol. However, if you require X terminal services over an insecure network, there is at least one option. Instead of setting up your server to run XDMCP, configure it as an SSH (secure shell) server. Then, from the X terminal, start an X session running nothing but an xterm, not even a window manager. From this xterm, issue the command ssh -X firstname.lastname@example.org, where ssh.server is the name or IP address of the ssh server and loginname is your login on the server. The -X enables X11 forwarding over the secure connection. After logging in, issue startkde to begin a KDE session or gnome-session to begin a GNOME session. Alternatively, you may run a full blown desktop environment on the X terminal, run an xterm there and issue the command ssh -X email@example.com command where command is the command/program you wish to run. This allows you to run a single program at a time on the remote machine rather than on a desktop environment.
Installing and running an SSH server and client should be straightforward. For example, Red Hat ships with an optional sshd (server) package and the client is installed by default. For Cygwin, an OpenSSH client is an optional package. For more information than you probably care to know about SSH, see www.openssh.org or read the man pages on SSH and sshd.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- BitTorrent Inc.'s Sync
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- New Container Image Standard Promises More Portable Apps
- The Humble Hacker?
- The Death of RoboVM
- Open-Source Project Secretly Funded by CIA
- The US Government and Open-Source Software
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- ACI Worldwide's UP Retail Payments
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide