1448 lines
56 KiB
C++
1448 lines
56 KiB
C++
.\" Copyright 1988, 1994, 1998 The Open Group
|
|
.\"
|
|
.\" Permission to use, copy, modify, distribute, and sell this software and its
|
|
.\" documentation for any purpose is hereby granted without fee, provided that
|
|
.\" the above copyright notice appear in all copies and that both that
|
|
.\" copyright notice and this permission notice appear in supporting
|
|
.\" documentation.
|
|
.\"
|
|
.\" The above copyright notice and this permission notice shall be included
|
|
.\" in all copies or substantial portions of the Software.
|
|
.\"
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
|
.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
|
.\" IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
|
|
.\" OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
|
.\" ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
|
.\" OTHER DEALINGS IN THE SOFTWARE.
|
|
.\"
|
|
.\" Except as contained in this notice, the name of The Open Group shall
|
|
.\" not be used in advertising or otherwise to promote the sale, use or
|
|
.\" other dealings in this Software without prior written authorization
|
|
.\" from The Open Group.
|
|
.\"
|
|
.\"
|
|
.TH XDM 1 __xorgversion__
|
|
.SH NAME
|
|
xdm \- X Display Manager with support for XDMCP, host chooser
|
|
.SH SYNOPSIS
|
|
.B xdm
|
|
[
|
|
.B \-config
|
|
.I configuration_file
|
|
] [
|
|
.B \-nodaemon
|
|
] [
|
|
.B \-debug
|
|
.I debug_level
|
|
] [
|
|
.B \-error
|
|
.I error_log_file
|
|
] [
|
|
.B \-resources
|
|
.I resource_file
|
|
] [
|
|
.B \-server
|
|
.I server_entry
|
|
] [
|
|
.B \-session
|
|
.I session_program
|
|
]
|
|
.SH DESCRIPTION
|
|
.I Xdm
|
|
manages a collection of X displays, which may be on the local host
|
|
or remote servers. The design of
|
|
.I xdm
|
|
was guided by the needs of X terminals as well as The Open Group standard
|
|
XDMCP, the \fIX Display Manager Control Protocol\fP.
|
|
.I Xdm
|
|
provides services similar to those provided by \fIinit\fP, \fIgetty\fP
|
|
and \fIlogin\fP on character terminals: prompting for login name and password,
|
|
authenticating the user, and running a ``session.''
|
|
.PP
|
|
A ``session'' is defined by the lifetime of a particular process; in the
|
|
traditional character-based terminal world, it is the user's login shell.
|
|
In the
|
|
.I xdm
|
|
context, it is an arbitrary session manager. This is because in a windowing
|
|
environment, a user's login shell process does not necessarily have any
|
|
terminal-like interface with which to connect.
|
|
When a real session manager is not available, a window manager or terminal
|
|
emulator is typically used as the ``session manager,'' meaning that
|
|
termination of this process terminates the user's session.
|
|
.PP
|
|
When the session is terminated, \fIxdm\fP
|
|
resets the X server and (optionally) restarts the whole process.
|
|
.PP
|
|
When \fIxdm\fP receives an Indirect query via XDMCP, it can run a
|
|
\fIchooser\fP process to
|
|
perform an XDMCP BroadcastQuery (or an XDMCP Query to specified hosts)
|
|
on behalf of the display and
|
|
offer a menu of possible hosts that offer XDMCP display management.
|
|
This feature is useful with X terminals that do not offer a host
|
|
menu themselves.
|
|
.PP
|
|
.I Xdm
|
|
can be configured to ignore BroadcastQuery messages from selected hosts.
|
|
This is useful when you don't want the host to appear in menus produced
|
|
by
|
|
.I chooser
|
|
or X terminals themselves.
|
|
.PP
|
|
Because
|
|
.I xdm
|
|
provides the first interface that users will see, it is designed to be
|
|
simple to use and easy to customize to the needs of a particular site.
|
|
.I Xdm
|
|
has many options, most of which have reasonable defaults. Browse through the
|
|
various sections of this manual,
|
|
picking and choosing the things you want to change.
|
|
Pay particular attention to the
|
|
.B "Session Program"
|
|
section, which will describe how to
|
|
set up the style of session desired.
|
|
.SH "OVERVIEW"
|
|
\fIxdm\fP is highly configurable, and most of its behavior can be
|
|
controlled by resource files and shell scripts. The names of these
|
|
files themselves are resources read from the file \fIxdm-config\fP or
|
|
the file named by the \fB\-config\fP option.
|
|
.PP
|
|
\fIxdm\fP offers display management two different ways. It can manage
|
|
X servers running on the local machine and specified in
|
|
\fIXservers\fP, and it can manage remote X servers (typically X
|
|
terminals) using XDMCP (the XDM Control Protocol)
|
|
as specified in the \fIXaccess\fP file.
|
|
.PP
|
|
The resources of the X clients run by \fIxdm\fP outside the user's
|
|
session, including \fIxdm\fP's own login window, can be
|
|
affected by setting resources in the \fIXresources\fP file.
|
|
.PP
|
|
For X terminals that do not offer a menu of hosts to get display
|
|
management from, \fIxdm\fP can collect willing hosts and run the
|
|
\fIchooser\fP program to offer the user a menu.
|
|
For X displays attached to a host, this step is typically not used, as
|
|
the local host does the display management.
|
|
.PP
|
|
After resetting the X server, \fIxdm\fP runs the \fIXsetup\fP script
|
|
to assist in setting up the screen the user sees along with the
|
|
\fIxlogin\fP widget.
|
|
.PP
|
|
The \fIxlogin\fP widget, which \fIxdm\fP presents,
|
|
offers the familiar login and password prompts.
|
|
.PP
|
|
After the user logs in, \fIxdm\fP runs the \fIXstartup\fP script as
|
|
root.
|
|
.PP
|
|
Then \fIxdm\fP runs the \fIXsession\fP script as the user. This
|
|
system session file may do some additional startup and typically runs
|
|
the \fI.xsession\fP script in the user's home directory.
|
|
When the \fIXsession\fP script exits, the session is over.
|
|
.PP
|
|
At the end of the session, the \fIXreset\fP script is run to clean up,
|
|
the X server is reset, and the cycle starts over.
|
|
.PP
|
|
The file \fI XDMLOGDIR/xdm.log\fP will contain error
|
|
messages from
|
|
.I xdm
|
|
and anything output to stderr by \fIXsetup, Xstartup, Xsession\fP
|
|
or \fIXreset\fP.
|
|
When you have trouble getting
|
|
.I xdm
|
|
working, check this file to see if
|
|
.I xdm
|
|
has any clues to the trouble.
|
|
.SH OPTIONS
|
|
.PP
|
|
All of these options, except \fB\-config\fP itself,
|
|
specify values that can also be specified in the configuration file
|
|
as resources.
|
|
.IP "\fB\-config\fP \fIconfiguration_file\fP"
|
|
Names the configuration file, which specifies resources to control
|
|
the behavior of
|
|
.I xdm.
|
|
.I XDMDIR/xdm-config
|
|
is the default.
|
|
See the section \fBConfiguration File\fP.
|
|
.IP "\fB\-nodaemon\fP"
|
|
Specifies ``false'' as the value for the \fBDisplayManager.daemonMode\fP
|
|
resource.
|
|
This suppresses the normal daemon behavior, which is for
|
|
.I xdm
|
|
to close all file descriptors, disassociate itself from
|
|
the controlling terminal, and put
|
|
itself in the background when it first starts up.
|
|
.IP "\fB\-debug\fP \fIdebug_level\fP"
|
|
Specifies the numeric value for the \fBDisplayManager.debugLevel\fP
|
|
resource. A non-zero value causes
|
|
.I xdm
|
|
to print lots of debugging statements to the terminal; it also disables the
|
|
\fBDisplayManager.daemonMode\fP resource, forcing
|
|
.I xdm
|
|
to run synchronously. To interpret these debugging messages, a copy
|
|
of the source code for
|
|
.I xdm
|
|
is almost a necessity. No attempt has been
|
|
made to rationalize or standardize the output.
|
|
.IP "\fB\-error\fP \fIerror_log_file\fP"
|
|
Specifies the value for the \fBDisplayManager.errorLogFile\fP resource.
|
|
This file contains errors from
|
|
.I xdm
|
|
as well as anything written to stderr by the various scripts and programs
|
|
run during the progress of the session.
|
|
.IP "\fB\-resources\fP \fIresource_file\fP"
|
|
Specifies the value for the \fBDisplayManager*resources\fP resource. This file
|
|
is loaded using
|
|
.IR xrdb (__appmansuffix__)
|
|
to specify configuration parameters for the
|
|
authentication widget.
|
|
.IP "\fB\-server\fP \fIserver_entry\fP"
|
|
Specifies the value for the \fBDisplayManager.servers\fP resource.
|
|
See the section
|
|
.B "Local Server Specification"
|
|
for a description of this resource.
|
|
.IP "\fB\-udpPort\fP \fIport_number\fP"
|
|
Specifies the value for the \fBDisplayManager.requestPort\fP resource. This
|
|
sets the port-number which
|
|
.I xdm
|
|
will monitor for XDMCP requests. If set to 0, xdm will not listen
|
|
for XDMCP or Chooser requests. As XDMCP uses the registered well-known
|
|
UDP port 177, this resource should not be changed to a value other than 0,
|
|
except for debugging.
|
|
.IP "\fB\-session\fP \fIsession_program\fP"
|
|
Specifies the value for the \fBDisplayManager*session\fP resource. This
|
|
indicates the program to run as the session after the user has logged in.
|
|
.IP "\fB\-xrm\fP \fIresource_specification\fP"
|
|
Allows an arbitrary resource to be specified, as in most
|
|
X Toolkit applications.
|
|
.SH RESOURCES
|
|
At many stages the actions of
|
|
.I xdm
|
|
can be controlled through the use of its configuration file, which is in the
|
|
X resource format.
|
|
Some resources modify the behavior of
|
|
.I xdm
|
|
on all displays,
|
|
while others modify its behavior on a single display. Where actions relate
|
|
to a specific display,
|
|
the display name is inserted into the resource name between
|
|
``DisplayManager'' and the final resource name segment.
|
|
.PP
|
|
For local displays, the resource name and class are as read from the
|
|
\fIXservers\fP file.
|
|
.PP
|
|
For remote displays, the resource name is what the network address of
|
|
the display resolves to. See the \fBremoveDomain\fP resource. The
|
|
name must match exactly; \fIxdm\fP is not aware of
|
|
all the network aliases that might reach a given display.
|
|
If the name resolve fails, the address is
|
|
used. The resource class is as sent by the display in the XDMCP
|
|
Manage request.
|
|
.PP
|
|
Because the resource
|
|
manager uses colons to separate the name of the resource from its value and
|
|
dots to separate resource name parts,
|
|
.I xdm
|
|
substitutes underscores for both dots and colons when generating the resource
|
|
name.
|
|
For example, \fBDisplayManager.expo_x_org_0.startup\fP is the name of the
|
|
resource which defines the startup shell file for the ``expo.x.org:0'' display.
|
|
.\"
|
|
.IP "\fBDisplayManager.servers\fP"
|
|
This resource either specifies a file name full of server entries, one per
|
|
line (if the value starts with a slash), or a single server entry.
|
|
See the section \fBLocal Server Specification\fP for the details.
|
|
.IP "\fBDisplayManager.requestPort\fP"
|
|
This indicates the UDP port number which
|
|
.I xdm
|
|
uses to listen for incoming XDMCP requests. Unless you need to debug the
|
|
system, leave this with its default value of 177.
|
|
.IP "\fBDisplayManager.errorLogFile\fP"
|
|
Error output is normally directed at the system console. To redirect it,
|
|
set this resource to a file name. A method to send these messages to
|
|
.I syslog
|
|
should be developed for systems which support it; however, the
|
|
wide variety of interfaces precludes any system-independent
|
|
implementation. This file also contains any output directed to stderr
|
|
by the \fIXsetup, Xstartup, Xsession\fP and \fIXreset\fP files,
|
|
so it will contain descriptions
|
|
of problems in those scripts as well.
|
|
.IP "\fBDisplayManager.debugLevel\fP"
|
|
If the integer value of this resource is greater than zero,
|
|
reams of
|
|
debugging information will be printed. It also disables daemon mode, which
|
|
would redirect the information into the bit-bucket, and
|
|
allows non-root users to run
|
|
.I xdm,
|
|
which would normally not be useful.
|
|
.IP "\fBDisplayManager.daemonMode\fP"
|
|
Normally,
|
|
.I xdm
|
|
attempts to make itself into a daemon process unassociated with any terminal.
|
|
This is
|
|
accomplished by forking and leaving the parent process to exit, then closing
|
|
file descriptors and releasing the controlling terminal. In some
|
|
environments this is not desired (in particular, when debugging). Setting
|
|
this resource to ``false'' will disable this feature.
|
|
.IP "\fBDisplayManager.pidFile\fP"
|
|
The filename specified will be created to contain an ASCII
|
|
representation of the process-id of the main
|
|
.I xdm
|
|
process.
|
|
.I Xdm
|
|
also uses file locking on this file
|
|
to attempt to eliminate multiple daemons running on
|
|
the same machine, which would cause quite a bit of havoc.
|
|
.IP "\fBDisplayManager.lockPidFile\fP"
|
|
This is the resource which controls whether
|
|
.I xdm
|
|
uses file locking to keep multiple display managers from running amok.
|
|
On System V, this
|
|
uses the \fIlockf\fP library call, while on BSD it uses \fIflock.\fP
|
|
.IP "\fBDisplayManager.authDir\fP"
|
|
This names a directory under which
|
|
.I xdm
|
|
stores authorization files while initializing the session. The
|
|
default value is \fI XDMXAUTHDIR.\fP
|
|
Can be overridden for specific displays by
|
|
DisplayManager.\fIDISPLAY\fP.authFile.
|
|
.IP \fBDisplayManager.autoRescan\fP
|
|
This boolean controls whether
|
|
.I xdm
|
|
rescans the configuration, servers, access control and authentication keys
|
|
files after a session terminates and the files have changed. By default it
|
|
is ``true.'' You can force
|
|
.I xdm
|
|
to reread these files by sending a SIGHUP to the main process.
|
|
.IP "\fBDisplayManager.removeDomainname\fP"
|
|
When computing the display name for XDMCP clients, the name resolver will
|
|
typically create a fully qualified host name for the terminal. As this is
|
|
sometimes confusing,
|
|
.I xdm
|
|
will remove the domain name portion of the host name if it is the same as the
|
|
domain name of the local host when this variable is set. By default the
|
|
value is ``true.''
|
|
.IP "\fBDisplayManager.keyFile\fP"
|
|
XDM-AUTHENTICATION-1 style XDMCP authentication requires that a private key
|
|
be shared between
|
|
.I xdm
|
|
and the terminal. This resource specifies the file containing those
|
|
values. Each entry in the file consists of a display name and the shared
|
|
key. By default,
|
|
.I xdm
|
|
does not include support for XDM-AUTHENTICATION-1, as it requires DES which
|
|
is not generally distributable because of United States export restrictions.
|
|
.IP \fBDisplayManager.accessFile\fP
|
|
To prevent unauthorized XDMCP service and to allow forwarding of XDMCP
|
|
IndirectQuery requests, this file contains a database of hostnames which are
|
|
either allowed direct access to this machine, or have a list of hosts to
|
|
which queries should be forwarded to. The format of this file is described
|
|
in the section
|
|
.B "XDMCP Access Control."
|
|
.IP \fBDisplayManager.exportList\fP
|
|
A list of additional environment variables, separated by white space,
|
|
to pass on to the \fIXsetup\fP,
|
|
\fIXstartup\fP, \fIXsession\fP, and \fIXreset\fP programs.
|
|
.IP \fBDisplayManager.randomFile\fP
|
|
A file to checksum to generate the seed of authorization keys.
|
|
This should be a file that changes frequently.
|
|
The default is \fI/dev/mem\fP.
|
|
#ifdef DEV_RANDOM
|
|
.IP \fBDisplayManager.randomDevice\fP
|
|
A file to read 8 bytes from to generate the seed of authorization keys.
|
|
The default is \fI DEV_RANDOM \fP. If this file cannot be read, or if a
|
|
read blocks for more than 5 seconds, xdm falls back to using a checksum
|
|
of \fBDisplayManager.randomFile\fP to generate the seed.
|
|
#endif
|
|
#if !defined(ARC4_RANDOM)
|
|
.IP \fBDisplayManager.prngdSocket\fP
|
|
.IP \fBDisplayManager.prngPort\fP
|
|
A UNIX domain socket name or a TCP socket port number on local host on
|
|
which a Pseudo-Random Number Generator Daemon, like EGD
|
|
(http://egd.sourceforge.net) is listening, in order to generate the
|
|
autorization keys. Either a non null port or a valid socket name must
|
|
be specified. The default is to use the Unix-domain socket
|
|
\fI/tmp/entropy\fP.
|
|
.PP
|
|
On systems that don't have such a daemon, a fall-back entropy
|
|
gathering system, based on various log file contents hashed by the MD5
|
|
algorithm is used instead.
|
|
#endif
|
|
.IP \fBDisplayManager.greeterLib\fP
|
|
On systems that support a dynamically-loadable greeter library, the
|
|
name of the library. The default is
|
|
\fI XDMDIR/libXdmGreet.so\fP.
|
|
.IP \fBDisplayManager.choiceTimeout\fP
|
|
Number of seconds to wait for display to respond after user has
|
|
selected a host from the chooser. If the display sends an XDMCP
|
|
IndirectQuery within this time, the request is forwarded to the chosen
|
|
host. Otherwise, it is assumed to be from a new session and the
|
|
chooser is offered again.
|
|
Default is 15.
|
|
.IP \fBDisplayManager.sourceAddress\fP
|
|
Use the numeric IP address of the incoming connection on multihomed hosts
|
|
instead of the host name. This is to avoid trying to connect on the wrong
|
|
interface which might be down at this time.
|
|
.IP \fBDisplayManager.willing\fP
|
|
This specifies a program which is run (as) root when an an XDMCP
|
|
BroadcastQuery is received and this host is configured to offer XDMCP
|
|
display management. The output of this program may be displayed on a chooser
|
|
window. If no program is specified, the string \fIWilling to manage\fP is
|
|
sent.
|
|
.PP
|
|
.\"
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.resources\fP"
|
|
This resource specifies the name of the file to be loaded by \fIxrdb\fP
|
|
as the resource database onto the root window of screen 0 of the display.
|
|
The \fIXsetup\fP program, the Login widget, and \fIchooser\fP will use
|
|
the resources set in this file.
|
|
This resource data base is loaded just before the authentication procedure
|
|
is started, so it can control the appearance of the login window. See the
|
|
section
|
|
.B "Authentication Widget,"
|
|
which describes the various
|
|
resources that are appropriate to place in this file.
|
|
There is no default value for this resource, but
|
|
\fI XDMDIR/Xresources\fP
|
|
is the conventional name.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.chooser\fP"
|
|
Specifies the program run to offer a host menu for Indirect queries
|
|
redirected to the special host name CHOOSER.
|
|
\fI CHOOSERPATH \fP is the default.
|
|
See the sections \fBXDMCP Access Control\fP and \fBChooser\fP.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.xrdb\fP"
|
|
Specifies the program used to load the resources. By default,
|
|
.I xdm
|
|
uses \fI BINDIR/xrdb\fP.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.cpp\fP"
|
|
This specifies the name of the C preprocessor which is used by \fIxrdb\fP.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.setup\fP"
|
|
This specifies a program which is run (as root) before offering the
|
|
Login window. This may be used to change the appearance of the screen
|
|
around the Login window or to put up other windows (e.g., you may want
|
|
to run \fIxconsole\fP here).
|
|
By default, no program is run. The conventional name for a
|
|
file used here is \fIXsetup\fP.
|
|
See the section \fBSetup Program.\fP
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.startup\fP"
|
|
This specifies a program which is run (as root) after the authentication
|
|
process succeeds. By default, no program is run. The conventional name for a
|
|
file used here is \fIXstartup\fP.
|
|
See the section \fBStartup Program.\fP
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.session\fP"
|
|
This specifies the session to be executed (not running as root).
|
|
By default, \fI BINDIR/xterm\fP is
|
|
run. The conventional name is \fIXsession\fP.
|
|
See the section
|
|
.B "Session Program."
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.reset\fP"
|
|
This specifies a program which is run (as root) after the session terminates.
|
|
By default, no program is run.
|
|
The conventional name is \fIXreset\fP.
|
|
See the section
|
|
.B "Reset Program."
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.openDelay\fP"
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.openRepeat\fP"
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.openTimeout\fP"
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.startAttempts\fP"
|
|
These numeric resources control the behavior of
|
|
.I xdm
|
|
when attempting to open intransigent servers. \fBopenDelay\fP is
|
|
the length of the
|
|
pause (in seconds) between successive attempts, \fBopenRepeat\fP is the
|
|
number of attempts to make, \fBopenTimeout\fP is the amount of time
|
|
to wait while actually
|
|
attempting the open (i.e., the maximum time spent in the
|
|
.IR connect (2)
|
|
system call) and \fBstartAttempts\fP is the number of times this entire process
|
|
is done before giving up on the server. After \fBopenRepeat\fP attempts have been made,
|
|
or if \fBopenTimeout\fP seconds elapse in any particular attempt,
|
|
.I xdm
|
|
terminates and restarts the server, attempting to connect again.
|
|
This
|
|
process is repeated \fBstartAttempts\fP times, at which point the display is
|
|
declared dead and disabled. Although
|
|
this behavior may seem arbitrary, it has been empirically developed and
|
|
works quite well on most systems. The default values are
|
|
5 for \fBopenDelay\fP, 5 for \fBopenRepeat\fP, 30 for \fBopenTimeout\fP and
|
|
4 for \fBstartAttempts\fP.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.pingInterval\fP"
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.pingTimeout\fP"
|
|
To discover when remote displays disappear,
|
|
.I xdm
|
|
occasionally pings them, using an X connection and \fIXSync\fP
|
|
calls. \fBpingInterval\fP specifies the time (in minutes) between each
|
|
ping attempt, \fBpingTimeout\fP specifies the maximum amount of time (in
|
|
minutes) to wait for the terminal to respond to the request. If the
|
|
terminal does not respond, the session is declared dead and terminated. By
|
|
default, both are set to 5 minutes. If you frequently use X terminals which
|
|
can become isolated from the managing host, you may wish to increase this
|
|
value. The only worry is that sessions will continue to exist after the
|
|
terminal has been accidentally disabled.
|
|
.I xdm
|
|
will not ping local displays. Although it would seem harmless, it is
|
|
unpleasant when the workstation session is terminated as a result of the
|
|
server hanging for NFS service and not responding to the ping.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.terminateServer\fP"
|
|
This boolean resource specifies whether the X server should be terminated
|
|
when a session terminates (instead of resetting it). This option can be
|
|
used when the server tends to grow without bound over time, in order to limit
|
|
the amount of time the server is run. The default value is ``false.''
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.userPath\fP"
|
|
.I Xdm
|
|
sets the PATH environment variable for the session to this value. It should
|
|
be a colon separated list of directories; see
|
|
.IR sh (1)
|
|
for a full description.
|
|
The default value is ``DEF_USER_PATH''.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.systemPath\fP"
|
|
.I Xdm
|
|
sets the PATH environment variable for the startup and reset scripts to the
|
|
value of this resource. The default for this resource is ``DEF_SYSTEM_PATH''.
|
|
Note the absence of ``.'' from this entry. This is a good practice to
|
|
follow for root; it avoids many common Trojan Horse system penetration
|
|
schemes.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.systemShell\fP"
|
|
.I Xdm
|
|
sets the SHELL environment variable for the startup and reset scripts to the
|
|
value of this resource. It is \fI/bin/sh\fP by default.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.failsafeClient\fP"
|
|
If the default session fails to execute,
|
|
.I xdm
|
|
will fall back to this program. This program is executed with no
|
|
arguments, but executes using the same environment variables as
|
|
the session would have had (see the section \fBSession Program\fP).
|
|
By default, \fI BINDIR/xterm\fP is used.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.grabServer\fP"
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.grabTimeout\fP"
|
|
To improve security,
|
|
.I xdm
|
|
grabs the server and keyboard while reading the login name and password.
|
|
The
|
|
\fBgrabServer\fP resource specifies if the server should be held for the
|
|
duration of the name/password reading. When ``false,'' the server is ungrabbed
|
|
after the keyboard grab succeeds, otherwise the server is grabbed until just
|
|
before the session begins. The default is ``false.''
|
|
The \fBgrabTimeout\fP resource specifies the maximum time
|
|
.I xdm
|
|
will wait for the grab to succeed. The grab may fail if some other
|
|
client has the server grabbed, or possibly if the network latencies
|
|
are very high. This resource has a default value of 3 seconds; you
|
|
should be cautious when raising it, as a user can be spoofed by a
|
|
look-alike window on the display. If the grab fails,
|
|
.I xdm
|
|
kills and restarts the server (if possible) and the session.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.authorize\fP"
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.authName\fP"
|
|
\fBauthorize\fP is a boolean resource which controls whether
|
|
.I xdm
|
|
generates and uses authorization for the local server connections. If
|
|
authorization is used, \fBauthName\fP is a list
|
|
of authorization mechanisms to use, separated by white space.
|
|
XDMCP connections dynamically specify which
|
|
authorization mechanisms are supported, so
|
|
\fBauthName\fP is ignored in this case. When \fBauthorize\fP is set for a
|
|
display and authorization is not available, the user is informed by having a
|
|
different message displayed in the login widget. By default, \fBauthorize\fP
|
|
is ``true,'' \fBauthName\fP is ``MIT-MAGIC-COOKIE-1,'' or, if
|
|
XDM-AUTHORIZATION-1 is available, ``XDM-AUTHORIZATION-1\0MIT-MAGIC-COOKIE-1.''
|
|
.IP \fBDisplayManager.\fP\fIDISPLAY\fP\fB.authFile\fP
|
|
This file is used to communicate the authorization data from
|
|
.I xdm
|
|
to the server, using the \fB\-auth\fP server command line option.
|
|
It should be
|
|
kept in a directory which is not world-writable as it could easily be
|
|
removed, disabling the authorization mechanism in the server.
|
|
If not specified, a name is generated from DisplayManager.authDir and
|
|
the name of the display.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.authComplain\fP"
|
|
If set to ``false,'' disables the use of the \fBunsecureGreeting\fP
|
|
in the login window.
|
|
See the section \fBAuthentication Widget.\fP
|
|
The default is ``true.''
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.resetSignal\fP"
|
|
The number of the signal \fIxdm\fP sends to reset the server.
|
|
See the section \fBControlling the Server.\fP
|
|
The default is 1 (SIGHUP).
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.termSignal\fP"
|
|
The number of the signal \fIxdm\fP sends to terminate the server.
|
|
See the section \fBControlling the Server.\fP
|
|
The default is 15 (SIGTERM).
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.resetForAuth\fP"
|
|
The original implementation of authorization in the sample server reread the
|
|
authorization file at server reset time, instead of when checking the
|
|
initial connection. As
|
|
.I xdm
|
|
generates the authorization information just before connecting to the
|
|
display, an old server would not get up-to-date authorization information.
|
|
This resource causes
|
|
.I xdm
|
|
to send SIGHUP to the server after setting up the file, causing an
|
|
additional server reset to occur, during which time the new authorization
|
|
information will be read.
|
|
The default is ``false,'' which will work for all MIT servers.
|
|
.IP "\fBDisplayManager.\fP\fIDISPLAY\fP\fB.userAuthDir\fP"
|
|
When
|
|
.I xdm
|
|
is unable to write to the usual user authorization file ($HOME/.Xauthority),
|
|
it creates a unique file name in this directory and points the environment
|
|
variable XAUTHORITY at the created file. It uses \fI/tmp\fP by default.
|
|
.SH "CONFIGURATION FILE"
|
|
First, the
|
|
.I xdm
|
|
configuration file should be set up.
|
|
Make a directory (usually \fI XDMDIR\fP) to contain all
|
|
of the relevant files.
|
|
.LP
|
|
Here is a reasonable configuration file, which could be
|
|
named \fIxdm-config\fP:
|
|
.nf
|
|
|
|
.ta .5i 4i
|
|
|
|
DisplayManager.servers: XDMDIR/Xservers
|
|
DisplayManager.errorLogFile: XDMLOGDIR/xdm.log
|
|
DisplayManager*resources: XDMDIR/Xresources
|
|
DisplayManager*startup: XDMDIR/Xstartup
|
|
DisplayManager*session: XDMDIR/Xsession
|
|
DisplayManager.pidFile: XDMPIDDIR/xdm-pid
|
|
DisplayManager._0.authorize: true
|
|
DisplayManager*authorize: false
|
|
|
|
.fi
|
|
.PP
|
|
Note that this file mostly contains references to other files. Note also
|
|
that some of the resources are specified with ``*'' separating the
|
|
components. These resources can be made unique for each different display,
|
|
by replacing the ``*'' with the display-name, but normally this is not very
|
|
useful. See the \fBResources\fP section for a complete discussion.
|
|
.SH "XDMCP ACCESS CONTROL"
|
|
.PP
|
|
The database file specified by the \fBDisplayManager.accessFile\fP provides
|
|
information which
|
|
.I xdm
|
|
uses to control access from displays requesting XDMCP service. This file
|
|
contains three types of entries: entries which control the response to
|
|
Direct and Broadcast queries, entries which control the response to
|
|
Indirect queries, and macro definitions.
|
|
.PP
|
|
The format of the Direct entries is simple, either a host name or a
|
|
pattern, which is distinguished from a host name by the inclusion of
|
|
one or more meta characters (`*' matches any sequence of 0 or more
|
|
characters, and `?' matches any single character) which are compared against
|
|
the host name of the display device.
|
|
If the entry is a host name, all comparisons are done using
|
|
network addresses, so any name which converts to the correct network address
|
|
may be used.
|
|
For patterns, only canonical host names are used
|
|
in the comparison, so ensure that you do not attempt to match
|
|
aliases.
|
|
Preceding either a host name or a pattern with a `!' character
|
|
causes hosts which
|
|
match that entry to be excluded.
|
|
.PP
|
|
To only respond to Direct queries for a host or pattern,
|
|
it can be followed by the optional ``NOBROADCAST'' keyword.
|
|
This can be used to prevent an xdm server from appearing on
|
|
menus based on Broadcast queries.
|
|
.PP
|
|
An Indirect entry also contains a host name or pattern,
|
|
but follows it with a list of
|
|
host names or macros to which indirect queries should be sent.
|
|
.PP
|
|
A macro definition contains a macro name and a list of host names and
|
|
other macros that
|
|
the macro expands to. To distinguish macros from hostnames, macro
|
|
names start with a `%' character. Macros may be nested.
|
|
.PP
|
|
Indirect entries
|
|
may also specify to have \fIxdm\fP run \fIchooser\fP to offer a menu
|
|
of hosts to connect to. See the section \fBChooser\fP.
|
|
.PP
|
|
When checking access for a particular display host, each entry is scanned in
|
|
turn and the first matching entry determines the response. Direct and
|
|
Broadcast
|
|
entries are ignored when scanning for an Indirect entry and vice-versa.
|
|
.PP
|
|
Blank lines are ignored, `#' is treated as a comment
|
|
delimiter causing the rest of that line to be ignored,
|
|
and `\e\fInewline\fP'
|
|
causes the newline to be ignored, allowing indirect host lists to span
|
|
multiple lines.
|
|
.PP
|
|
Here is an example Xaccess file:
|
|
.LP
|
|
.ta 2i 4i
|
|
.nf
|
|
XCOMM
|
|
XCOMM Xaccess \- XDMCP access control file
|
|
XCOMM
|
|
|
|
XCOMM
|
|
XCOMM Direct/Broadcast query entries
|
|
XCOMM
|
|
|
|
!xtra.lcs.mit.edu # disallow direct/broadcast service for xtra
|
|
bambi.ogi.edu # allow access from this particular display
|
|
*.lcs.mit.edu # allow access from any display in LCS
|
|
|
|
*.deshaw.com NOBROADCAST # allow only direct access
|
|
*.gw.com # allow direct and broadcast
|
|
|
|
XCOMM
|
|
XCOMM Indirect query entries
|
|
XCOMM
|
|
|
|
%HOSTS expo.lcs.mit.edu xenon.lcs.mit.edu \\
|
|
excess.lcs.mit.edu kanga.lcs.mit.edu
|
|
|
|
extract.lcs.mit.edu xenon.lcs.mit.edu #force extract to contact xenon
|
|
!xtra.lcs.mit.edu dummy #disallow indirect access
|
|
*.lcs.mit.edu %HOSTS #all others get to choose
|
|
.fi
|
|
.PP
|
|
If compiled with IPv6 support, multicast address groups may also be included
|
|
in the list of addresses indirect queries are set to. Multicast addresses
|
|
may be followed by an optional / character and hop count. If no hop count is
|
|
specified, the multicast hop count defaults to 1, keeping the packet on the
|
|
local network. For IPv4 multicasting, the hop count is used as the TTL.
|
|
.PP
|
|
Examples:
|
|
.LP
|
|
.ta 2.1i 4.5i
|
|
.nf
|
|
rincewind.sample.net ff02::1 #IPv6 Multicast to ff02::1
|
|
\& #with a hop count of 1
|
|
ponder.sample.net CHOOSER 239.192.1.1/16 #Offer a menu of hosts
|
|
\& #who respond to IPv4 Multicast
|
|
\& # to 239.192.1.1 with a TTL of 16
|
|
.fi
|
|
.SH CHOOSER
|
|
.PP
|
|
For X terminals that do not offer a host menu for use with Broadcast
|
|
or Indirect queries, the \fIchooser\fP program can do this for them.
|
|
In the \fIXaccess\fP file, specify ``CHOOSER'' as the first entry in
|
|
the Indirect host list. \fIChooser\fP will send a Query request to
|
|
each of the remaining host names in the list and offer a menu of all
|
|
the hosts that respond.
|
|
.PP
|
|
The list may consist of the word ``BROADCAST,'' in which case
|
|
\fIchooser\fP will send a Broadcast instead, again offering a menu of
|
|
all hosts that respond. Note that on some operating systems, UDP
|
|
packets cannot be broadcast, so this feature will not work.
|
|
.PP
|
|
Example \fIXaccess\fP file using \fIchooser\fP:
|
|
|
|
.nf
|
|
extract.lcs.mit.edu CHOOSER %HOSTS #offer a menu of these hosts
|
|
xtra.lcs.mit.edu CHOOSER BROADCAST #offer a menu of all hosts
|
|
.fi
|
|
.PP
|
|
The program to use for \fIchooser\fP is specified by the
|
|
\fBDisplayManager.\fP\fIDISPLAY\fP\fB.chooser\fP resource. For more
|
|
flexibility at this step, the chooser could be a shell script.
|
|
\fIChooser\fP is the session manager here; it is run instead of a
|
|
child \fIxdm\fP to manage the display.
|
|
.PP
|
|
Resources for this program
|
|
can be put into the file named by
|
|
\fBDisplayManager.\fP\fIDISPLAY\fP\fB.resources\fP.
|
|
.PP
|
|
When the user selects a host, \fIchooser\fP prints the host chosen,
|
|
which is read by the parent \fIxdm\fP, and exits.
|
|
\fIxdm\fP closes its connection to the X server, and the server resets
|
|
and sends another \fBIndirect\fP XDMCP request.
|
|
\fIxdm\fP remembers the user's choice (for
|
|
\fBDisplayManager.choiceTimeout\fP seconds) and forwards the request
|
|
to the chosen host, which starts a session on that display.
|
|
.\"
|
|
.SH LISTEN
|
|
The following configuration directive is also defined for the Xaccess
|
|
configuration file:
|
|
.IP "\fBLISTEN\fP \fIinterface\fP \fI[list of multicast group addresses]\fP"
|
|
\fIinterface\fP may be a hostname or IP addresss representing a
|
|
network interface on this machine, or the wildcard * to represent all
|
|
available network interfaces.
|
|
.PP
|
|
If one or more LISTEN lines are specified, xdm only listens for XDMCP
|
|
connections on the specified interfaces. If multicast group addresses
|
|
are listed on a listen line, xdm joins the multicast groups on the
|
|
given interface.
|
|
.PP
|
|
If no LISTEN lines are given, the original behavior of listening on
|
|
all interfaces is preserved for backwards compatibility.
|
|
Additionally, if no LISTEN is specified, xdm joins the default XDMCP
|
|
IPv6 multicast group, when compiled with IPv6 support.
|
|
.PP
|
|
To disable listening for XDMCP connections altogther, a line of LISTEN
|
|
with no addresses may be specified, or the previously supported method
|
|
of setting DisplayManager.requestPort to 0 may be used.
|
|
.PP
|
|
Examples:
|
|
.ta 2i 4i
|
|
.nf
|
|
LISTEN * ff02::1 # Listen on all interfaces and to the
|
|
\& # ff02::1 IPv6 multicast group.
|
|
LISTEN 10.11.12.13 # Listen only on this interface, as long
|
|
\& # as no other listen directives appear in
|
|
\& # file.
|
|
.fi
|
|
.SH "IPv6 MULTICAST ADDRESS SPECIFICATION"
|
|
.PP
|
|
The Internet Assigned Numbers Authority has has assigned
|
|
ff0\fIX\fP:0:0:0:0:0:0:12b as the permanently assigned range of
|
|
multicast addresses for XDMCP. The \fIX\fP in the prefix may be replaced
|
|
by any valid scope identifier, such as 1 for Interface-Local, 2 for Link-Local,
|
|
5 for Site-Local, and so on. (See IETF RFC 4291 or its replacement for
|
|
further details and scope definitions.) xdm defaults to listening on the
|
|
Link-Local scope address ff02:0:0:0:0:0:0:12b to most closely match the
|
|
old IPv4 subnet broadcast behavior.
|
|
.SH "LOCAL SERVER SPECIFICATION"
|
|
.PP
|
|
The resource \fBDisplayManager.servers\fP gives a server specification
|
|
or, if the values starts with a slash (/), the name of a file
|
|
containing server specifications, one per line.
|
|
.PP
|
|
Each specification
|
|
indicates a display which should constantly be managed and which is
|
|
not using XDMCP.
|
|
This method is used typically for local servers only. If the resource
|
|
or the file named by the resource is empty, \fIxdm\fP will offer XDMCP
|
|
service only.
|
|
.PP
|
|
Each specification consists of at least three parts: a display
|
|
name, a display class, a display type, and (for local servers) a command
|
|
line to start the server. A typical entry for local display number 0 would
|
|
be:
|
|
.nf
|
|
|
|
:0 Digital-QV local BINDIR/X :0
|
|
|
|
.fi
|
|
The display types are:
|
|
.ta 1i
|
|
.nf
|
|
|
|
local local display: \fIxdm\fP must run the server
|
|
foreign remote display: \fIxdm\fP opens an X connection to a running server
|
|
|
|
.fi
|
|
.PP
|
|
The display name must be something that can be passed in the \fB\-display\fP
|
|
option to an X program. This string is used to generate the display-specific
|
|
resource names, so be careful to match the
|
|
names (e.g., use ``:0 Sun-CG3 local BINDIR/X :0'' instead of
|
|
``localhost:0 Sun-CG3 local BINDIR/X :0''
|
|
if your other resources are specified as
|
|
``DisplayManager._0.session''). The display class portion is also used in the
|
|
display-specific resources, as the class of the resource. This is
|
|
useful if you have a large collection of similar displays (such as a corral of
|
|
X terminals) and would like to set resources for groups of them. When using
|
|
XDMCP, the display is required to specify the display class, so the manual
|
|
for your particular X terminal should document the display class
|
|
string for your device. If it doesn't, you can run
|
|
.I xdm
|
|
in debug mode and
|
|
look at the resource strings which it generates for that device, which will
|
|
include the class string.
|
|
.PP
|
|
When \fIxdm\fP starts a session, it sets up authorization data for the
|
|
server. For local servers, \fIxdm\fP passes
|
|
``\fB\-auth\fP \fIfilename\fP'' on the server's command line to point
|
|
it at its authorization data.
|
|
For XDMCP servers, \fIxdm\fP passes the
|
|
authorization data to the server via the \fBAccept\fP XDMCP request.
|
|
.SH RESOURCES FILE
|
|
The \fIXresources\fP file is
|
|
loaded onto the display as a resource database using
|
|
.I xrdb.
|
|
As the authentication
|
|
widget reads this database before starting up, it usually contains
|
|
parameters for that widget:
|
|
.nf
|
|
.ta .5i 1i
|
|
|
|
xlogin*login.translations: #override\\
|
|
Ctrl<Key>R: abort-display()\\n\\
|
|
<Key>F1: set-session-argument(failsafe) finish-field()\\n\\
|
|
<Key>Return: set-session-argument() finish-field()
|
|
xlogin*borderWidth: 3
|
|
xlogin*greeting: CLIENTHOST
|
|
\& #ifdef COLOR
|
|
xlogin*greetColor: CadetBlue
|
|
xlogin*failColor: red
|
|
\& #endif
|
|
|
|
.fi
|
|
.PP
|
|
Please note the translations entry; it specifies
|
|
a few new translations for the widget which allow users to escape from the
|
|
default session (and avoid troubles that may occur in it). Note that if
|
|
\&#override is not specified, the default translations are removed and replaced
|
|
by the new value, not a very useful result as some of the default translations
|
|
are quite useful (such as ``<Key>: insert-char ()'' which responds to normal
|
|
typing).
|
|
.PP
|
|
This file may also contain resources for the setup program and \fIchooser\fP.
|
|
.SH "SETUP PROGRAM"
|
|
The \fIXsetup\fP file is run after
|
|
the server is reset, but before the Login window is offered.
|
|
The file is typically a shell script.
|
|
It is run as root, so should be careful about security.
|
|
This is the place to change the root background or bring up other
|
|
windows that should appear on the screen along with the Login widget.
|
|
.PP
|
|
In addition to any specified by \fBDisplayManager.exportList\fP,
|
|
the following environment variables are passed:
|
|
.nf
|
|
.ta .5i 2i
|
|
|
|
DISPLAY the associated display name
|
|
PATH the value of \fBDisplayManager.\fP\fIDISPLAY\fP\fB.systemPath\fP
|
|
SHELL the value of \fBDisplayManager.\fP\fIDISPLAY\fP\fB.systemShell\fP
|
|
XAUTHORITY may be set to an authority file
|
|
.fi
|
|
.PP
|
|
Note that since \fIxdm\fP grabs the keyboard, any other windows will not be
|
|
able to receive keyboard input. They will be able to interact with
|
|
the mouse, however; beware of potential security holes here.
|
|
If \fBDisplayManager.\fP\fIDISPLAY\fP\fB.grabServer\fP is set,
|
|
\fIXsetup\fP will not be able to connect
|
|
to the display at all.
|
|
Resources for this program
|
|
can be put into the file named by
|
|
\fBDisplayManager.\fP\fIDISPLAY\fP\fB.resources\fP.
|
|
.PP
|
|
Here is a sample \fIXsetup\fP script:
|
|
.nf
|
|
|
|
\& #!/bin/sh
|
|
\& # Xsetup_0 \- setup script for one workstation
|
|
xcmsdb < XDMDIR/monitors/alex.0
|
|
xconsole\0\-geometry\0480x130\-0\-0\0\-notify\0\-verbose\0\-exitOnFail &
|
|
|
|
.fi
|
|
.SH "AUTHENTICATION WIDGET"
|
|
The authentication widget prompts the user for the username, password, and/or
|
|
other required authentication data from the keyboard. Nearly every imaginable
|
|
parameter can be controlled with a resource. Resources for this widget
|
|
should be put into the file named by
|
|
\fBDisplayManager.\fP\fIDISPLAY\fP\fB.resources\fP. All of these have reasonable
|
|
default values, so it is not necessary to specify any of them.
|
|
.PP
|
|
The resource file is loaded with
|
|
.IR xrdb (__appmansuffix__)
|
|
so it may use the substitutions defined by that program such as CLIENTHOST
|
|
for the client hostname in the login message, or C pre-processor #ifdef
|
|
statements to produce different displays depending on color depth or other
|
|
variables.
|
|
.PP
|
|
.I Xdm
|
|
can be compiled with support for the
|
|
.IR Xft (__libmansuffix__)
|
|
library for font rendering. If this support is present, font faces are
|
|
specified using the resources with names ending in ``face'' in the
|
|
fontconfig face format described in the
|
|
.I Font Names
|
|
section of
|
|
.IR fonts.conf (__filemansuffix__).
|
|
If not, then fonts are specified using the resources with names ending
|
|
in ``font'' in the traditional
|
|
.I X Logical Font Description
|
|
format described in the
|
|
.I Font Names
|
|
section of
|
|
.IR X (__miscmansuffix__).
|
|
.IP "\fBxlogin.Login.width, xlogin.Login.height, xlogin.Login.x, xlogin.Login.y\fP"
|
|
The geometry of the Login widget is normally computed automatically. If you
|
|
wish to position it elsewhere, specify each of these resources.
|
|
.IP "\fBxlogin.Login.foreground\fP"
|
|
The color used to display the input typed by the user.
|
|
.IP "\fBxlogin.Login.face\fP"
|
|
The face used to display the input typed by the user when built with Xft
|
|
support. The default is ``Serif-18''.
|
|
.IP "\fBxlogin.Login.font\fP"
|
|
The font used to display the input typed by the user when not built with Xft
|
|
support.
|
|
.IP "\fBxlogin.Login.greeting\fP"
|
|
A string which identifies this window.
|
|
The default is ``X Window System.''
|
|
.IP "\fBxlogin.Login.unsecureGreeting\fP"
|
|
When X authorization is requested in the configuration file for this
|
|
display and none is in use, this greeting replaces the standard
|
|
greeting. The default is ``This is an unsecure session''
|
|
.IP "\fBxlogin.Login.greetFace\fP"
|
|
The face used to display the greeting when built with Xft support.
|
|
The default is ``Serif-24:italic''.
|
|
.IP "\fBxlogin.Login.greetFont\fP"
|
|
The font used to display the greeting when not built with Xft support.
|
|
.IP "\fBxlogin.Login.greetColor\fP"
|
|
The color used to display the greeting.
|
|
.IP "\fBxlogin.Login.namePrompt\fP"
|
|
The string displayed to prompt for a user name.
|
|
.I Xrdb
|
|
strips trailing white space from resource values, so to add spaces at
|
|
the end of the prompt (usually a nice thing), add spaces escaped with
|
|
backslashes. The default is ``Login: ''
|
|
.IP "\fBxlogin.Login.passwdPrompt\fP"
|
|
The string displayed to prompt for a password, when not using an authentication
|
|
system such as PAM that provides its own prompts.
|
|
The default is ``Password: ''
|
|
.IP "\fBxlogin.Login.promptFace\fP"
|
|
The face used to display prompts when built with Xft support.
|
|
The default is ``Serif-18:bold''.
|
|
.IP "\fBxlogin.Login.promptFont\fP"
|
|
The font used to display prompts when not built with Xft support.
|
|
.IP "\fBxlogin.Login.promptColor\fP"
|
|
The color used to display prompts.
|
|
.IP "\fBxlogin.Login.changePasswdMessage\fP"
|
|
A message which is displayed when the users password has expired.
|
|
The default is ``Password Change Required''
|
|
.IP "\fBxlogin.Login.fail\fP"
|
|
A message which is displayed when the authentication fails, when not using an
|
|
authentication system such as PAM that provides its own prompts.
|
|
The default is ``Login incorrect''
|
|
.IP "\fBxlogin.Login.failFace\fP"
|
|
The face used to display the failure message when built with Xft support.
|
|
The default is ``Serif-18:bold''.
|
|
.IP "\fBxlogin.Login.failFont\fP"
|
|
The font used to display the failure message when not built with Xft support.
|
|
.IP "\fBxlogin.Login.failColor\fP"
|
|
The color used to display the failure message.
|
|
.IP "\fBxlogin.Login.failTimeout\fP"
|
|
The number of seconds that the failure message is displayed.
|
|
The default is 10.
|
|
.IP "\fBxlogin.Login.logoFileName\fP"
|
|
Name of an XPM format pixmap to display in the greeter window, if built with
|
|
XPM support. The default is no pixmap.
|
|
.IP "\fBxlogin.Login.logoPadding\fP"
|
|
Number of pixels of space between the logo pixmap and other elements of the
|
|
greeter window, if the pixmap is displayed.
|
|
The default is 5.
|
|
.IP "\fBxlogin.Login.useShape\fP"
|
|
If set to ``true'', when built with XPM support, attempt to use the
|
|
X Non-Rectangular Window Shape Extension to set the window shape.
|
|
The default is ``true''.
|
|
.IP "\fBxlogin.Login.hiColor\fP, \fBxlogin.Login.shdColor\fP"
|
|
Raised appearance bezels may be drawn around
|
|
the greeter frame and text input boxes by setting these resources. hiColor
|
|
is the highlight color, used on the top and left sides of the frame, and the
|
|
bottom and right sides of text input areas. shdColor is the shadow color,
|
|
used on the bottom and right sides of the frame, and the top and left sides
|
|
of text input areas.
|
|
The default for both is the foreground color, providing a flat appearance.
|
|
.IP "\fBxlogin.Login.frameWidth\fP"
|
|
frameWidth is the width in pixels of the area
|
|
around the greeter frame drawn in hiColor and shdColor.
|
|
.IP "\fBxlogin.Login.innerFramesWidth\fP"
|
|
innerFramesWidth is the width in pixels of the
|
|
area around text input areas drawn in hiColor and shdColor.
|
|
.IP "\fBxlogin.Login.sepWidth\fP"
|
|
sepWidth is the width in pixels of the
|
|
bezeled line between the greeting and input areas
|
|
drawn in hiColor and shdColor.
|
|
.IP "\fBxlogin.Login.allowRootLogin\fP"
|
|
If set to ``false'', don't allow root (and any other user with uid = 0) to
|
|
log in directly.
|
|
The default is ``true''.
|
|
.IP "\fBxlogin.Login.allowNullPasswd\fP"
|
|
If set to ``true'', allow an otherwise failing password match to succeed
|
|
if the account does not require a password at all.
|
|
The default is ``false'', so only users that have passwords assigned can
|
|
log in.
|
|
.IP "\fBxlogin.Login.translations\fP"
|
|
This specifies the translations used for the login widget. Refer to the X
|
|
Toolkit documentation for a complete discussion on translations. The default
|
|
translation table is:
|
|
.nf
|
|
.ta .5i 2i
|
|
|
|
Ctrl<Key>H: delete-previous-character() \\n\\
|
|
Ctrl<Key>D: delete-character() \\n\\
|
|
Ctrl<Key>B: move-backward-character() \\n\\
|
|
Ctrl<Key>F: move-forward-character() \\n\\
|
|
Ctrl<Key>A: move-to-begining() \\n\\
|
|
Ctrl<Key>E: move-to-end() \\n\\
|
|
Ctrl<Key>K: erase-to-end-of-line() \\n\\
|
|
Ctrl<Key>U: erase-line() \\n\\
|
|
Ctrl<Key>X: erase-line() \\n\\
|
|
Ctrl<Key>C: restart-session() \\n\\
|
|
Ctrl<Key>\\\\: abort-session() \\n\\
|
|
<Key>BackSpace: delete-previous-character() \\n\\
|
|
<Key>Delete: delete-previous-character() \\n\\
|
|
<Key>Return: finish-field() \\n\\
|
|
<Key>: insert-char() \\
|
|
|
|
.fi
|
|
.PP
|
|
The actions which are supported by the widget are:
|
|
.IP "delete-previous-character"
|
|
Erases the character before the cursor.
|
|
.IP "delete-character"
|
|
Erases the character after the cursor.
|
|
.IP "move-backward-character"
|
|
Moves the cursor backward.
|
|
.IP "move-forward-character"
|
|
Moves the cursor forward.
|
|
.IP "move-to-begining"
|
|
(Apologies about the spelling error.)
|
|
Moves the cursor to the beginning of the editable text.
|
|
.IP "move-to-end"
|
|
Moves the cursor to the end of the editable text.
|
|
.IP "erase-to-end-of-line"
|
|
Erases all text after the cursor.
|
|
.IP "erase-line"
|
|
Erases the entire text.
|
|
.IP "finish-field"
|
|
If the cursor is in the name field, proceeds to the password field; if the
|
|
cursor is in the password field, checks the current name/password pair. If
|
|
the name/password pair is valid, \fIxdm\fP
|
|
starts the session. Otherwise the failure message is displayed and
|
|
the user is prompted again.
|
|
.IP "abort-session"
|
|
Terminates and restarts the server.
|
|
.IP "abort-display"
|
|
Terminates the server, disabling it. This action
|
|
is not accessible in the default configuration.
|
|
There are various reasons to stop \fIxdm\fP on a system console, such as
|
|
when shutting the system down, when using \fIxdmshell\fP,
|
|
to start another type of server, or to generally access the console.
|
|
Sending \fIxdm\fP a SIGHUP will restart the display. See the section
|
|
\fBControlling XDM\fP.
|
|
.IP "restart-session"
|
|
Resets the X server and starts a new session. This can be used when
|
|
the resources have been changed and you want to test them or when
|
|
the screen has been overwritten with system messages.
|
|
.IP "insert-char"
|
|
Inserts the character typed.
|
|
.IP "set-session-argument"
|
|
Specifies a single word argument which is passed to the session at startup.
|
|
See the section \fBSession Program\fP.
|
|
.IP "allow-all-access"
|
|
Disables access control in the server. This can be used when
|
|
the .Xauthority file cannot be created by
|
|
.I xdm.
|
|
Be very careful using this;
|
|
it might be better to disconnect the machine from the network
|
|
before doing this.
|
|
.PP
|
|
On some systems (OpenBSD) the user's shell must be listed in
|
|
.I /etc/shells
|
|
to allow login through xdm. The normal password and account expiration
|
|
dates are enforced too.
|
|
.SH "STARTUP PROGRAM"
|
|
.PP
|
|
The \fIXstartup\fP program is run as
|
|
root when the user logs in.
|
|
It is typically a shell script.
|
|
Since it is run as root, \fIXstartup\fP should be
|
|
very careful about security. This is the place to put commands which add
|
|
entries to \fIutmp\fP or \fIwtmp\fP files,
|
|
(the \fIsessreg\fP program may be useful here),
|
|
mount users' home directories from file servers,
|
|
or abort the session if logins are not
|
|
allowed.
|
|
.PP
|
|
In addition to any specified by \fBDisplayManager.exportList\fP,
|
|
the following environment variables are passed:
|
|
.nf
|
|
.ta .5i 2i
|
|
|
|
DISPLAY the associated display name
|
|
HOME the initial working directory of the user
|
|
LOGNAME the user name
|
|
USER the user name
|
|
PATH the value of \fBDisplayManager.\fP\fIDISPLAY\fP\fB.systemPath\fP
|
|
SHELL the value of \fBDisplayManager.\fP\fIDISPLAY\fP\fB.systemShell\fP
|
|
XAUTHORITY may be set to an authority file
|
|
WINDOWPATH may be set to the "window path" leading to the X server
|
|
|
|
.fi
|
|
.PP
|
|
No arguments are passed to the script.
|
|
.I Xdm
|
|
waits until this script exits before starting the user session. If the
|
|
exit value of this script is non-zero,
|
|
.I xdm
|
|
discontinues the session and starts another authentication
|
|
cycle.
|
|
.PP
|
|
The sample \fIXstartup\fP file shown here prevents login while the
|
|
file \fI/etc/nologin\fP
|
|
exists.
|
|
Thus this is not a complete example, but
|
|
simply a demonstration of the available functionality.
|
|
.PP
|
|
Here is a sample \fIXstartup\fP script:
|
|
.nf
|
|
.ta .5i 1i
|
|
|
|
\& #!/bin/sh
|
|
\& #
|
|
\& # Xstartup
|
|
\& #
|
|
\& # This program is run as root after the user is verified
|
|
\& #
|
|
if [ \-f /etc/nologin ]; then
|
|
xmessage\0\-file /etc/nologin\0\-timeout 30\0\-center
|
|
exit 1
|
|
fi
|
|
sessreg\0\-a\0\-l $DISPLAY\0\-x XDMDIR/Xservers $LOGNAME
|
|
XDMDIR/GiveConsole
|
|
exit 0
|
|
.fi
|
|
.SH "SESSION PROGRAM"
|
|
.PP
|
|
The \fIXsession\fP program is the command which is run as the user's session.
|
|
It is run with
|
|
the permissions of the authorized user.
|
|
.PP
|
|
In addition to any specified by \fBDisplayManager.exportList\fP,
|
|
the following environment variables are passed:
|
|
.nf
|
|
.ta .5i 2i
|
|
|
|
DISPLAY the associated display name
|
|
HOME the initial working directory of the user
|
|
LOGNAME the user name
|
|
USER the user name
|
|
PATH the value of \fBDisplayManager.\fP\fIDISPLAY\fP\fB.userPath\fP
|
|
SHELL the user's default shell (from \fIgetpwnam\fP)
|
|
XAUTHORITY may be set to a non-standard authority file
|
|
KRB5CCNAME may be set to a Kerberos credentials cache name
|
|
WINDOWPATH may be set to the "window path" leading to the X server
|
|
|
|
.fi
|
|
.PP
|
|
At most installations, \fIXsession\fP should look in $HOME for
|
|
a file \fI\.xsession,\fP
|
|
which contains commands that each user would like to use as a session.
|
|
\fIXsession\fP should also
|
|
implement a system default session if no user-specified session exists.
|
|
.PP
|
|
An argument may be passed to this program from the authentication widget
|
|
using the `set-session-argument' action. This can be used to select
|
|
different styles of session. One good use of this feature is to allow
|
|
the user to escape from the ordinary session when it fails. This
|
|
allows users to repair their own \fI.xsession\fP if it fails,
|
|
without requiring administrative intervention.
|
|
The example following
|
|
demonstrates this feature.
|
|
.PP
|
|
This example recognizes
|
|
the special
|
|
``failsafe'' mode, specified in the translations
|
|
in the \fIXresources\fP file, to provide an escape
|
|
from the ordinary session. It also requires that the .xsession file
|
|
be executable so we don't have to guess what shell it wants to use.
|
|
.nf
|
|
.ta .5i 1i 1.5i
|
|
|
|
\& #!/bin/sh
|
|
\& #
|
|
\& # Xsession
|
|
\& #
|
|
\& # This is the program that is run as the client
|
|
\& # for the display manager.
|
|
|
|
case $# in
|
|
1)
|
|
case $1 in
|
|
failsafe)
|
|
exec xterm \-geometry 80x24\-0\-0
|
|
;;
|
|
esac
|
|
esac
|
|
|
|
startup=$HOME/.xsession
|
|
resources=$HOME/.Xresources
|
|
|
|
if [ \-f "$startup" ]; then
|
|
exec "$startup"
|
|
else
|
|
if [ \-f "$resources" ]; then
|
|
xrdb \-load "$resources"
|
|
fi
|
|
twm &
|
|
xman \-geometry +10\-10 &
|
|
exec xterm \-geometry 80x24+10+10 \-ls
|
|
fi
|
|
|
|
.fi
|
|
.PP
|
|
The user's \fI.xsession\fP file might look something like this
|
|
example. Don't forget that the file must have execute permission.
|
|
.nf
|
|
\& #! /bin/csh
|
|
\& # no \-f in the previous line so .cshrc gets run to set $PATH
|
|
twm &
|
|
xrdb \-merge "$HOME/.Xresources"
|
|
emacs \-geometry +0+50 &
|
|
xbiff \-geometry \-430+5 &
|
|
xterm \-geometry \-0+50 -ls
|
|
.fi
|
|
.SH "RESET PROGRAM"
|
|
.PP
|
|
Symmetrical with \fIXstartup\fP,
|
|
the \fIXreset\fP script is run after the user session has
|
|
terminated. Run as root, it should contain commands that undo
|
|
the effects of commands in \fIXstartup,\fP updating entries
|
|
in \fIutmp\fP or \fIwtmp\fP files,
|
|
or unmounting directories from file servers. The environment
|
|
variables that were passed to \fIXstartup\fP are also
|
|
passed to \fIXreset\fP.
|
|
.PP
|
|
A sample \fIXreset\fP script:
|
|
.nf
|
|
.ta .5i 1i
|
|
\& #!/bin/sh
|
|
\& #
|
|
\& # Xreset
|
|
\& #
|
|
\& # This program is run as root after the session ends
|
|
\& #
|
|
sessreg\0\-d\0\-l $DISPLAY\0\-x XDMDIR/Xservers $LOGNAME
|
|
XDMDIR/TakeConsole
|
|
exit 0
|
|
.fi
|
|
.SH "CONTROLLING THE SERVER"
|
|
.I Xdm
|
|
controls local servers using POSIX signals. SIGHUP is expected to reset the
|
|
server, closing all client connections and performing other cleanup
|
|
duties. SIGTERM is expected to terminate the server.
|
|
If these signals do not perform the expected actions,
|
|
the resources \fBDisplayManager.\fP\fIDISPLAY\fP\fB.resetSignal\fP and
|
|
\fBDisplayManager.\fP\fIDISPLAY\fP\fB.termSignal\fP can specify alternate signals.
|
|
.PP
|
|
To control remote terminals not using XDMCP,
|
|
.I xdm
|
|
searches the window hierarchy on the display and uses the protocol request
|
|
KillClient in an attempt to clean up the terminal for the next session. This
|
|
may not actually kill all of the clients, as only those which have created
|
|
windows will be noticed. XDMCP provides a more sure mechanism; when
|
|
.I xdm
|
|
closes its initial connection, the session is over and the terminal is
|
|
required to close all other connections.
|
|
.SH "CONTROLLING XDM"
|
|
.PP
|
|
.I Xdm
|
|
responds to two signals: SIGHUP and SIGTERM. When sent a SIGHUP,
|
|
.I xdm
|
|
rereads the configuration file, the access control file, and the servers
|
|
file. For the servers file, it notices if entries have been added or
|
|
removed. If a new entry has been added,
|
|
.I xdm
|
|
starts a session on the associated display. Entries which have been removed
|
|
are disabled immediately, meaning that any session in progress will be
|
|
terminated without notice and no new session will be started.
|
|
.PP
|
|
When sent a SIGTERM,
|
|
.I xdm
|
|
terminates all sessions in progress and exits. This can be used when
|
|
shutting down the system.
|
|
.PP
|
|
.I Xdm
|
|
attempts to mark its various sub-processes for
|
|
.IR ps (1)
|
|
by editing the
|
|
command line argument list in place. Because
|
|
.I xdm
|
|
can't allocate additional
|
|
space for this task, it is useful to start
|
|
.I xdm
|
|
with a reasonably long
|
|
command line (using the full path name should be enough).
|
|
Each process which is
|
|
servicing a display is marked \fB\-\fP\fIdisplay.\fP
|
|
.SH "ADDITIONAL LOCAL DISPLAYS"
|
|
.PP
|
|
To add an additional local display, add a line for it to the
|
|
\fIXservers\fP file.
|
|
(See the section \fBLocal Server Specification\fP.)
|
|
.PP
|
|
Examine the display-specific resources in \fIxdm-config\fP
|
|
(e.g., \fBDisplayManager._0.authorize\fP)
|
|
and consider which of them should be copied for the new display.
|
|
The default \fIxdm-config\fP has all the appropriate lines for
|
|
displays \fB:0\fP and \fB:1\fP.
|
|
.SH "OTHER POSSIBILITIES"
|
|
.PP
|
|
You can use \fIxdm\fP
|
|
to run a single session at a time, using the 4.3 \fIinit\fP
|
|
options or other suitable daemon by specifying the server on the command
|
|
line:
|
|
.nf
|
|
.ta .5i
|
|
|
|
xdm \-server \(lq:0 SUN-3/60CG4 local BINDIR/X :0\(rq
|
|
|
|
.fi
|
|
.PP
|
|
Or, you might have a file server and a collection of X terminals. The
|
|
configuration for this is identical to the sample above,
|
|
except the \fIXservers\fP file would look like
|
|
.nf
|
|
.ta .5i
|
|
|
|
extol:0 VISUAL-19 foreign
|
|
exalt:0 NCD-19 foreign
|
|
explode:0 NCR-TOWERVIEW3000 foreign
|
|
|
|
.fi
|
|
.PP
|
|
This directs
|
|
.I xdm
|
|
to manage sessions on all three of these terminals. See the section
|
|
\fBControlling Xdm\fP for a description of using signals to enable
|
|
and disable these terminals in a manner reminiscent of
|
|
.IR init (__adminmansuffix__).
|
|
.SH LIMITATIONS
|
|
One thing that
|
|
.I xdm
|
|
isn't very good at doing is coexisting with other window systems. To use
|
|
multiple window systems on the same hardware, you'll probably be more
|
|
interested in
|
|
.I xinit.
|
|
.SH FILES
|
|
.TP 20
|
|
.I XDMDIR/xdm-config
|
|
the default configuration file
|
|
.TP 20
|
|
.I $HOME/.Xauthority
|
|
user authorization file where \fIxdm\fP stores keys for clients to read
|
|
.TP 20
|
|
.I CHOOSERPATH
|
|
the default chooser
|
|
.TP 20
|
|
.I BINDIR/xrdb
|
|
the default resource database loader
|
|
.TP 20
|
|
.I BINDIR/X
|
|
the default server
|
|
.TP 20
|
|
.I BINDIR/xterm
|
|
the default session program and failsafe client
|
|
.TP 20
|
|
.I XDMXAUTHDIR/A<display>\-<suffix>
|
|
the default place for authorization files
|
|
.TP 20
|
|
.I /tmp/K5C<display>
|
|
Kerberos credentials cache
|
|
.SH "SEE ALSO"
|
|
.IR X (__miscmansuffix__),
|
|
.IR xinit (__appmansuffix__),
|
|
.IR xauth (__appmansuffix__),
|
|
.IR xrdb (__appmansuffix__),
|
|
.IR Xsecurity (__miscmansuffix__),
|
|
.IR sessreg (__appmansuffix__),
|
|
.IR Xserver (__appmansuffix__),
|
|
.\" .IR chooser (__appmansuffix__), \" except that there isn't a manual for it yet
|
|
.\" .IR xdmshell (__appmansuffix__), \" except that there isn't a manual for it yet
|
|
.IR fonts.conf (__filemansuffix__).
|
|
.br
|
|
.I "X Display Manager Control Protocol"
|
|
.br
|
|
.RI "IETF RFC 4291: " "IP Version 6 Addressing Architecture" .
|
|
.SH AUTHOR
|
|
Keith Packard, MIT X Consortium
|