IRIX Base Documentation 1998 November

home *** CD-ROM | disk | FTP | other *** search

/ IRIX Base Documentation 1998 November / IRIX 6.5.2 Base Documentation November 1998.img / usr / share / catman / u_man / cat1 / X11 / xdm.z / xdm

Wrap

Text File | 1998-10-30 | 99KB | 1,717 lines

XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) NNNNAAAAMMMMEEEE xdm - X Display Manager with support for XDMCP, host chooser SSSSYYYYNNNNOOOOPPPPSSSSIIIISSSS xxxxddddmmmm [ ----ccccoooonnnnffffiiiigggg _c_o_n_f_i_g_u_r_a_t_i_o_n__f_i_l_e ] [ ----nnnnooooddddaaaaeeeemmmmoooonnnn ] [ ----ddddeeeebbbbuuuugggg _d_e_b_u_g__l_e_v_e_l ] [ ----eeeerrrrrrrroooorrrr _e_r_r_o_r__l_o_g__f_i_l_e ] [ ----rrrreeeessssoooouuuurrrrcccceeeessss _r_e_s_o_u_r_c_e__f_i_l_e ] [ ----sssseeeerrrrvvvveeeerrrr _s_e_r_v_e_r__e_n_t_r_y ] [ ----sssseeeessssssssiiiioooonnnn _s_e_s_s_i_o_n__p_r_o_g_r_a_m ] DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN _X_d_m manages a collection of X displays, which may be on the local host or remote servers. The design of _x_d_m was guided by the needs of X terminals as well as the X Consortium standard XDMCP, the _X _D_i_s_p_l_a_y _M_a_n_a_g_e_r _C_o_n_t_r_o_l _P_r_o_t_o_c_o_l. _X_d_m provides services similar to those provided by _i_n_i_t, _g_e_t_t_y and _l_o_g_i_n on character terminals: prompting for login name and password, authenticating the user, and running a ``session.'' A ``session'' is defined by the lifetime of a particular process; in the traditional character-based terminal world, it is the user's login shell. In the _x_d_m context, it is an arbitrary session manager. This is because in a windowing environment, a user's login shell process does not necessarily have any terminal-like interface with which to connect. When a real session manager is not available, a window manager or terminal emulator is typically used as the ``session manager,'' meaning that termination of this process terminates the user's session. When the session is terminated, _x_d_m resets the X server and (optionally) restarts the whole process. When _x_d_m receives an Indirect query via XDMCP, it can run a _c_h_o_o_s_e_r process to perform an XDMCP BroadcastQuery (or an XDMCP Query to specified hosts) on behalf of the display and offer a menu of possible hosts that offer XDMCP display management. This feature is useful with X terminals that do not offer a host menu themselves. Because _x_d_m provides the first interface that users will see, it is designed to be simple to use and easy to customize to the needs of a particular site. _X_d_m has many options, most of which have reasonable defaults. Browse through the various sections of this manual, picking and choosing the things you want to change. Pay particular attention to the SSSSeeeessssssssiiiioooonnnn PPPPrrrrooooggggrrrraaaammmm section, which will describe how to set up the style of session desired. OOOOVVVVEEEERRRRVVVVIIIIEEEEWWWW _x_d_m is highly configurable, and most of its behavior can be controlled by resource files and shell scripts located in Page 1 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) the directory /var/X11/xdm. The names of these files themselves are resources read from the file _x_d_m-_c_o_n_f_i_g or the file named by the ----ccccoooonnnnffffiiiigggg option. _x_d_m offers display management two different ways. It can manage X servers running on the local machine and specified in _X_s_e_r_v_e_r_s, and it can manage remote X servers (typically X terminals) using XDMCP (the XDM Control Protocol) as specified in the _X_a_c_c_e_s_s file. _X_l_o_g_i_n, contains commands which initialize the login screen and provides hooks for alternative login programs. See the script for details. The resources of the X clients run by _x_d_m outside the user's session, including _x_d_m's own login window, can be affected by setting resources in the _X_r_e_s_o_u_r_c_e_s file. For X terminals that do not offer a menu of hosts to get display management from, _x_d_m can collect willing hosts and run the _c_h_o_o_s_e_r program to offer the user a menu. For X displays attached to a host, this step is typically not used, as the local host does the display management. After resetting the X server, _x_d_m runs the _X_s_e_t_u_p script to assist in setting up the screen the user sees along with the _x_l_o_g_i_n widget. The _x_l_o_g_i_n widget, which _x_d_m presents, offers the familiar login and password prompts. After the user logs in, _x_d_m runs the _X_s_t_a_r_t_u_p script as root. Then _x_d_m runs the _X_s_e_s_s_i_o_n script as the user. This system session file may do some additional startup and typically runs the ._x_s_e_s_s_i_o_n script in the user's home directory. When the _X_s_e_s_s_i_o_n script exits, the session is over. At the end of the session, the _X_r_e_s_e_t script is run to clean up, the X server is reset, and the cycle starts over. The file _x_d_m-_e_r_r_o_r_s will contain error messages from _x_d_m and anything output to stderr by _X_s_e_t_u_p, _X_s_t_a_r_t_u_p, _X_s_e_s_s_i_o_n or _X_r_e_s_e_t. When you have trouble getting _x_d_m working, check this file to see if _x_d_m has any clues to the trouble. OOOOPPPPTTTTIIIIOOOONNNNSSSS All of these options, except ----ccccoooonnnnffffiiiigggg itself, specify values that can also be specified in the configuration file as resources. Page 2 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) ----ccccoooonnnnffffiiiigggg _c_o_n_f_i_g_u_r_a_t_i_o_n__f_i_l_e Names the configuration file, which specifies resources to control the behavior of _x_d_m. /_v_a_r/_X_1_1/_x_d_m/_x_d_m-_c_o_n_f_i_g is the default. See the section CCCCoooonnnnffffiiiigggguuuurrrraaaattttiiiioooonnnn FFFFiiiilllleeee. ----nnnnooooddddaaaaeeeemmmmoooonnnn Specifies ``false'' as the value for the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....ddddaaaaeeeemmmmoooonnnnMMMMooooddddeeee resource. This suppresses the normal daemon behavior, which is for _x_d_m to close all file descriptors, disassociate itself from the controlling terminal, and put itself in the background when it first starts up. ----ddddeeeebbbbuuuugggg _d_e_b_u_g__l_e_v_e_l Specifies the numeric value for the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....ddddeeeebbbbuuuuggggLLLLeeeevvvveeeellll resource. A non-zero value causes _x_d_m to print lots of debugging statements to the terminal; it also disables the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....ddddaaaaeeeemmmmoooonnnnMMMMooooddddeeee resource, forcing _x_d_m to run synchronously. To interpret these debugging messages, a copy of the source code for _x_d_m is almost a necessity. No attempt has been made to rationalize or standardize the output. ----eeeerrrrrrrroooorrrr _e_r_r_o_r__l_o_g__f_i_l_e Specifies the value for the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....eeeerrrrrrrroooorrrrLLLLooooggggFFFFiiiilllleeee resource. This file contains errors from _x_d_m as well as anything written to stderr by the various scripts and programs run during the progress of the session. ----rrrreeeessssoooouuuurrrrcccceeeessss _r_e_s_o_u_r_c_e__f_i_l_e Specifies the value for the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr****rrrreeeessssoooouuuurrrrcccceeeessss resource. This file is loaded using _x_r_d_b to specify configuration parameters for the authentication widget. ----sssseeeerrrrvvvveeeerrrr _s_e_r_v_e_r__e_n_t_r_y Specifies the value for the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....sssseeeerrrrvvvveeeerrrrssss resource. See the section LLLLooooccccaaaallll SSSSeeeerrrrvvvveeeerrrr SSSSppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn for a description of this resource. ----uuuuddddppppPPPPoooorrrrtttt _p_o_r_t__n_u_m_b_e_r Specifies the value for the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....rrrreeeeqqqquuuueeeessssttttPPPPoooorrrrtttt resource. This sets the port-number which _x_d_m will monitor for XDMCP requests. As XDMCP uses the registered well-known UDP port 177, this resource should not be changed except for debugging. ----sssseeeessssssssiiiioooonnnn _s_e_s_s_i_o_n__p_r_o_g_r_a_m Specifies the value for the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr****sssseeeessssssssiiiioooonnnn resource. This indicates the program to run as the session after the user has logged in. Page 3 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) ----xxxxrrrrmmmm _r_e_s_o_u_r_c_e__s_p_e_c_i_f_i_c_a_t_i_o_n Allows an arbitrary resource to be specified, as in most X Toolkit applications. LLLLOOOOGGGGIIIINNNN DDDDEEEEFFFFAAAAUUUULLLLTTTTSSSS ((((SSSSGGGGIIII----ssssppppeeeecccciiiiffffiiiicccc)))) When _x_d_m's authentication widget is used to perform user authentication, _x_d_m enforces the following login defaults, which are specified in the file /_e_t_c/_d_e_f_a_u_l_t/_l_o_g_i_n. CONSOLE=_d_e_v_i_c_e If this is set to /dev/console, root logins are restricted to the first local display in the xservers file. If this is set to another value, root logins via xdm are disallowed. If undefined, root can log in on any display. PASSREQ=NO Determines whether all accounts must have passwords. If YES, and user has no password, they will be prompted for one at login time. MANDPASS=NO Like PASSREQ, but won't allow users with no password to log in. UMASK=022 Default umask, in octal. TIMEOUT=60 If login attempt is not completed within TIMEOUT seconds from first key press, the session is restarted. SLEEPTIME=1 Sleep for this many seconds before issuing "login incorrect" message (maximum 60 seconds). DISABLETIME=0 After LOGFAILURES or MAXTRYS unsuccessful attempts, sleep for DISABLETIME seconds before restarting. MAXTRYS=3 Restart session after MAXTRYS unsuccessful attempts (0 = unlimited attempts). LOGFAILURES=3 If there are LOGFAILURES consecutive unsuccessful login attempts, each of them will be logged in /var/adm/loginlog, if it exists. LOGFAILURES has a maximum value of 20. Note: Users get at most the minimum of (MAXTRYS, LOGFAILURES) unsuccessful attempts. IDLEWEEKS=-1 If non-negative, specify a grace period during which users with expired passwords will be allowed to enter a new password. Page 4 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) In other words, accounts with expired passwords can stay idle up to this long before being "locked out". If IDLEWEEKS is zero, there is no grace period, and expired passwords are the same as invalidated passwords. SYSLOG=FAIL Log to syslog all login failures (SYSLOG=FAIL) or all successes and failures (SYSLOG=ALL). Log entries are written to the LOG_AUTH facility (see _s_y_s_l_o_g(3) and _s_y_s_l_o_g_d(1M) for details). No messages are sent to syslog if not set. Note that this is separate from the login log, /_v_a_r/_a_d_m/_l_o_g_i_n_l_o_g. INITGROUPS=YES If YES, make the user session be a member of all of the user's supplementary groups (see _m_u_l_t_g_r_p_s(1) or _i_n_i_t_g_r_o_u_p_s(3). Note that some clients, such as _x_t_e_r_m(1) and _x_w_s_h(1G) , may call _i_n_i_t_g_r_o_u_p_s(3) even if _x_d_m does not. SVR4_SIGNALS=NO Use the SVR4 semantics for the SIGXCPU and SIGXFSZ signals. If SVR4_SIGNALS=YES, then the SVR4 semantics are preserved and all processes will ignore SIGXCPU and SIGXFSZ by default. If SVR4_SIGNALS=NO, then these two signals will retain their default action, which is to cause the receiving process to core dump. If users intend to make use of the CPU and filesize resource limits, SVR4_SIGNALS should be set to NO. Note that using these signals while SVR4_SIGNALS is set to YES will cause behavior which varies depending on the login shell. This setting has no affect on processes which explicitly alter the behavior of these signals using the _s_i_g_n_a_l(2) system call. SITECHECK= Use an external program to authenticate users instead of using the encrypted password field. This allows sites to implement other means of authentication, such as card keys, biometrics, etc. The program is invoked with user name as the first argument, and remote hostname and Page 5 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) username, if applicable. The action taken depends on exit status, as follows: 0 - success: user was authenticated, log in. 1 or 2 - failure; restart the session. other - use normal UNIX authentication. If the program is not owned by root, is writable by others, or cannot be executed, normal password authentication is performed. It is recommended that the program be given a mode of 500. A sitecheck program to be used with _x_d_m must create and manage its own window. WARNING! Because this option has the potential to defeat normal IRIX security, any program used in this way must be designed and tested very carefully. LOCKOUT=0 If non-zero, after this number of consecutive unsuccessful login attempts by the same user, by all instances of xdm and login, lock the account by invoking "passwd -l username". LOCKOUTEXEMPT= If LOCKOUT is greater than zero, the users listed as LOCKOUTEXEMPT will NOT be subject to the LOCKOUT option. Usernames are separated by spaces, the list must be terminated by end-of-line, maximum list length is 240 characters. LOCKOUTEXEMPT is ignored unless LOCKOUT is enabled, and the list is not empty. Including privileged accounts (such as _rrrr_oooo_oooo_tttt) in the LOCKOUTEXEMPT list, is not recommended, as it allows an indefinite number of attacks on the exempt accounts. Also, if LOCKOUTEXEMPT is enabled, the /etc/default/login file should be given a mode 400 or 600 to prevent unauthorized viewing and/or tampering with the LOCKOUTEXEMPT list. If user authentication is performed by a visual login program such as _c_l_o_g_i_n(1), _x_d_m enforces only UMASK and SVR4_SIGNALS. RRRREEEESSSSOOOOUUUURRRRCCCCEEEESSSS At many stages the actions of _x_d_m can be controlled through the use of its configuration file, which is in the X resource format. Some resources modify the behavior of _x_d_m Page 6 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) on all displays, while others modify its behavior on a single display. Where actions relate to a specific display, the display name is inserted into the resource name between ``DisplayManager'' and the final resource name segment. For local displays, the resource name and class are as read from the _X_s_e_r_v_e_r_s file. For remote displays, the resource name is what the network address of the display resolves to. See the rrrreeeemmmmoooovvvveeeeDDDDoooommmmaaaaiiiinnnn resource. The name must match exactly; _x_d_m is not aware of all the network aliases that might reach a given display. If the name resolve fails, the address is used. The resource class is as sent by the display in the XDMCP Manage request. Because the resource manager uses colons to separate the name of the resource from its value and dots to separate resource name parts, _x_d_m substitutes underscores for both dots and colons when generating the resource name. For example, DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....eeeexxxxppppoooo____xxxx____oooorrrrgggg____0000....ssssttttaaaarrrrttttuuuupppp is the name of the resource which defines the startup shell file for the ``expo.x.org:0'' display. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....sssseeeerrrrvvvveeeerrrrssss This resource either specifies a file name full of server entries, one per line (if the value starts with a slash), or a single server entry. See the section LLLLooooccccaaaallll SSSSeeeerrrrvvvveeeerrrr SSSSppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn for the details. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....rrrreeeeqqqquuuueeeessssttttPPPPoooorrrrtttt This indicates the UDP port number which _x_d_m uses to listen for incoming XDMCP requests. Unless you need to debug the system, leave this with its default value of 177. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....eeeerrrrrrrroooorrrrLLLLooooggggFFFFiiiilllleeee Error output is normally directed at the system console. To redirect it, set this resource to a file name. A method to send these messages to _s_y_s_l_o_g should be developed for systems which support it; however, the wide variety of interfaces precludes any system- independent implementation. This file also contains any output directed to stderr by the _X_s_e_t_u_p, _X_s_t_a_r_t_u_p, _X_s_e_s_s_i_o_n and _X_r_e_s_e_t files, so it will contain descriptions of problems in those scripts as well. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....ddddeeeebbbbuuuuggggLLLLeeeevvvveeeellll If the integer value of this resource is greater than zero, reams of debugging information will be printed. It also disables daemon mode, which would redirect the information into the bit-bucket, and allows non-root Page 7 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) users to run _x_d_m, which would normally not be useful. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....ddddaaaaeeeemmmmoooonnnnMMMMooooddddeeee Normally, _x_d_m attempts to make itself into a daemon process unassociated with any terminal. This is accomplished by forking and leaving the parent process to exit, then closing file descriptors and releasing the controlling terminal. In some environments this is not desired (in particular, when debugging). Setting this resource to ``false'' will disable this feature. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....ppppiiiiddddFFFFiiiilllleeee The filename specified will be created to contain an ASCII representation of the process-id of the main _x_d_m process. _X_d_m also uses file locking on this file to attempt to eliminate multiple daemons running on the same machine, which would cause quite a bit of havoc. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....lllloooocccckkkkPPPPiiiiddddFFFFiiiilllleeee This is the resource which controls whether _x_d_m uses file locking to keep multiple display managers from running amok. On System V, this uses the _l_o_c_k_f library call, while on BSD it uses _f_l_o_c_k. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....aaaauuuutttthhhhDDDDiiiirrrr This names a directory under which _x_d_m stores authorization files while initializing the session. The default value is /_v_a_r/_X_1_1/_x_d_m. Can be overridden for specific displays by DisplayManager._D_I_S_P_L_A_Y.authFile. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....aaaauuuuttttooooRRRReeeessssccccaaaannnn This boolean controls whether _x_d_m rescans the configuration, servers, access control and authentication keys files after a session terminates and the files have changed. By default it is ``true.'' You can force _x_d_m to reread these files by sending a SIGHUP to the main process. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....rrrreeeemmmmoooovvvveeeeDDDDoooommmmaaaaiiiinnnnnnnnaaaammmmeeee When computing the display name for XDMCP clients, the name resolver will typically create a fully qualified host name for the terminal. As this is sometimes confusing, _x_d_m will remove the domain name portion of the host name if it is the same as the domain name of the local host when this variable is set. By default the value is ``true.'' DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....kkkkeeeeyyyyFFFFiiiilllleeee XDM-AUTHENTICATION-1 style XDMCP authentication requires that a private key be shared between _x_d_m and the terminal. This resource specifies the file Page 8 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) containing those values. Each entry in the file consists of a display name and the shared key. By default, _x_d_m does not include support for XDM- AUTHENTICATION-1, as it requires DES which is not generally distributable because of United States export restrictions. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....aaaacccccccceeeessssssssFFFFiiiilllleeee To prevent unauthorized XDMCP service and to allow forwarding of XDMCP IndirectQuery requests, this file contains a database of hostnames which are either allowed direct access to this machine, or have a list of hosts to which queries should be forwarded to. The format of this file is described in the section XXXXDDDDMMMMCCCCPPPP AAAAcccccccceeeessssssss CCCCoooonnnnttttrrrroooollll.... DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....eeeexxxxppppoooorrrrttttLLLLiiiisssstttt A list of additional environment variables, separated by white space, to pass on to the _X_s_e_t_u_p, _X_s_t_a_r_t_u_p, _X_s_e_s_s_i_o_n, and _X_r_e_s_e_t programs. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....rrrraaaannnnddddoooommmmFFFFiiiilllleeee A file to checksum to generate the seed of authorization keys. This should be a file that changes frequently. The default is /_d_e_v/_m_e_m. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....ggggrrrreeeeeeeetttteeeerrrrLLLLiiiibbbb On systems that support a dynamically-loadable greeter library, the name of the library. Default is _l_i_b_X_d_m_G_r_e_e_t._s_o. SGI does not support dynamically- loadable libraries. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....cccchhhhooooiiiicccceeeeTTTTiiiimmmmeeeeoooouuuutttt Number of seconds to wait for display to respond after user has selected a host from the chooser. If the display sends an XDMCP IndirectQuery within this time, the request is forwarded to the chosen host. Otherwise, it is assumed to be from a new session and the chooser is offered again. Default is 15. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....rrrreeeessssoooouuuurrrrcccceeeessss This resource specifies the name of the file to be loaded by _x_r_d_b as the resource database onto the root window of screen 0 of the display. The _X_s_e_t_u_p program, the Login widget, and _c_h_o_o_s_e_r will use the resources set in this file. This resource data base is loaded just before the authentication procedure is started, so it can control the appearance of the login window. See the section AAAAuuuutttthhhheeeennnnttttiiiiccccaaaattttiiiioooonnnn WWWWiiiiddddggggeeeetttt,,,, which describes the various resources that are appropriate to place in this file. There is no default value for this resource, but /_v_a_r/_X_1_1/_x_d_m/_X_r_e_s_o_u_r_c_e_s is the conventional name. Page 9 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....cccchhhhoooooooosssseeeerrrr Specifies the program run to offer a host menu for Indirect queries redirected to the special host name CHOOSER. /_v_a_r/_X_1_1/_x_d_m/_c_h_o_o_s_e_r is the default. See the sections XXXXDDDDMMMMCCCCPPPP AAAAcccccccceeeessssssss CCCCoooonnnnttttrrrroooollll and CCCChhhhoooooooosssseeeerrrr. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....xxxxrrrrddddbbbb Specifies the program used to load the resources. By default, _x_d_m uses /_u_s_r/_b_i_n/_X_1_1/_x_r_d_b. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ccccpppppppp This specifies the name of the C preprocessor which is used by _x_r_d_b. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....sssseeeettttuuuupppp This specifies a program which is run (as root) before offering the Login window. This may be used to change the appearance of the screen around the Login window or to put up other windows (e.g., you may want to run _x_c_o_n_s_o_l_e here). By default, no program is run. The conventional name for a file used here is _X_s_e_t_u_p. See the section SSSSeeeettttuuuupppp PPPPrrrrooooggggrrrraaaammmm.... DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ssssttttaaaarrrrttttuuuupppp This specifies a program which is run (as root) after the authentication process succeeds. By default, no program is run. The conventional name for a file used here is _X_s_t_a_r_t_u_p. See the section SSSSttttaaaarrrrttttuuuupppp PPPPrrrrooooggggrrrraaaammmm.... DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....sssseeeessssssssiiiioooonnnn This specifies the session to be executed (not running as root). By default, /_u_s_r/_b_i_n/_X_1_1/_x_t_e_r_m is run. The conventional name is _X_s_e_s_s_i_o_n. See the section SSSSeeeessssssssiiiioooonnnn PPPPrrrrooooggggrrrraaaammmm.... DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....rrrreeeesssseeeetttt This specifies a program which is run (as root) after the session terminates. By default, no program is run. The conventional name is _X_r_e_s_e_t. See the section RRRReeeesssseeeetttt PPPPrrrrooooggggrrrraaaammmm.... DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ooooppppeeeennnnDDDDeeeellllaaaayyyy DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ooooppppeeeennnnRRRReeeeppppeeeeaaaatttt DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ooooppppeeeennnnTTTTiiiimmmmeeeeoooouuuutttt DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ssssttttaaaarrrrttttAAAAtttttttteeeemmmmppppttttssss These numeric resources control the behavior of _x_d_m when attempting to open intransigent servers. ooooppppeeeennnnDDDDeeeellllaaaayyyy is the length of the pause (in seconds) between successive attempts, ooooppppeeeennnnRRRReeeeppppeeeeaaaatttt is the number Page 10 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) of attempts to make, ooooppppeeeennnnTTTTiiiimmmmeeeeoooouuuutttt is the amount of time to wait while actually attempting the open (i.e., the maximum time spent in the _c_o_n_n_e_c_t(2) system call) and ssssttttaaaarrrrttttAAAAtttttttteeeemmmmppppttttssss is the number of times this entire process is done before giving up on the server. After ooooppppeeeennnnRRRReeeeppppeeeeaaaatttt attempts have been made, or if ooooppppeeeennnnTTTTiiiimmmmeeeeoooouuuutttt seconds elapse in any particular attempt, _x_d_m terminates and restarts the server, attempting to connect again. This process is repeated ssssttttaaaarrrrttttAAAAtttttttteeeemmmmppppttttssss times, at which point the display is declared dead and disabled. Although this behavior may seem arbitrary, it has been empirically developed and works quite well on most systems. The default values are 5 for ooooppppeeeennnnDDDDeeeellllaaaayyyy, 5 for ooooppppeeeennnnRRRReeeeppppeeeeaaaatttt, 30 for ooooppppeeeennnnTTTTiiiimmmmeeeeoooouuuutttt and 4 for ssssttttaaaarrrrttttAAAAtttttttteeeemmmmppppttttssss. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ppppiiiinnnnggggIIIInnnntttteeeerrrrvvvvaaaallll DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ppppiiiinnnnggggTTTTiiiimmmmeeeeoooouuuutttt To discover when remote displays disappear, _x_d_m occasionally pings them, using an X connection and _X_S_y_n_c calls. ppppiiiinnnnggggIIIInnnntttteeeerrrrvvvvaaaallll specifies the time (in minutes) between each ping attempt, ppppiiiinnnnggggTTTTiiiimmmmeeeeoooouuuutttt specifies the maximum amount of time (in minutes) to wait for the terminal to respond to the request. If the terminal does not respond, the session is declared dead and terminated. By default, both are set to 5 minutes. If you frequently use X terminals which can become isolated from the managing host, you may wish to increase this value. The only worry is that sessions will continue to exist after the terminal has been accidentally disabled. _x_d_m will not ping local displays. Although it would seem harmless, it is unpleasant when the workstation session is terminated as a result of the server hanging for NFS service and not responding to the ping. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....tttteeeerrrrmmmmiiiinnnnaaaatttteeeeSSSSeeeerrrrvvvveeeerrrr This boolean resource specifies whether the X server should be terminated when a session terminates (instead of resetting it). This option can be used when the server tends to grow without bound over time, in order to limit the amount of time the server is run. The default value is ``false.'' DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....uuuusssseeeerrrrPPPPaaaatttthhhh _X_d_m sets the PATH environment variable for the session to this value. It should be a colon separated list of directories; see _s_h(1) for a full description. ``:/bin:/usr/bin:/usr/X11/bin:/usr/ucb'' is a common setting. The default value can be specified at build time in the X system configuration file with Page 11 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) DefaultUserPath. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ssssyyyysssstttteeeemmmmPPPPaaaatttthhhh _X_d_m sets the PATH environment variable for the startup and reset scripts to the value of this resource. The default for this resource is specified at build time by the DefaultSystemPath entry in the system configuration file; ``/etc:/bin:/usr/bin:/usr/X11/bin:/usr/ucb'' is a common choice. Note the absence of ``.'' from this entry. This is a good practice to follow for root; it avoids many common Trojan Horse system penetration schemes. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ssssyyyysssstttteeeemmmmSSSShhhheeeellllllll _X_d_m sets the SHELL environment variable for the startup and reset scripts to the value of this resource. It is /_b_i_n/_s_h by default. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ffffaaaaiiiillllssssaaaaffffeeeeCCCClllliiiieeeennnntttt If the default session fails to execute, _x_d_m will fall back to this program. This program is executed with no arguments, but executes using the same environment variables as the session would have had (see the section SSSSeeeessssssssiiiioooonnnn PPPPrrrrooooggggrrrraaaammmm). By default, /_u_s_r/_b_i_n/_X_1_1/_x_t_e_r_m is used. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ggggrrrraaaabbbbSSSSeeeerrrrvvvveeeerrrr DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ggggrrrraaaabbbbTTTTiiiimmmmeeeeoooouuuutttt To improve security, _x_d_m grabs the server and keyboard while reading the login name and password. The ggggrrrraaaabbbbSSSSeeeerrrrvvvveeeerrrr resource specifies if the server should be held for the duration of the name/password reading. When ``false,'' the server is ungrabbed after the keyboard grab succeeds, otherwise the server is grabbed until just before the session begins. The default is ``false.'' The ggggrrrraaaabbbbTTTTiiiimmmmeeeeoooouuuutttt resource specifies the maximum time _x_d_m will wait for the grab to succeed. The grab may fail if some other client has the server grabbed, or possibly if the network latencies are very high. This resource has a default value of 3 seconds; you should be cautious when raising it, as a user can be spoofed by a look-alike window on the display. If the grab fails, _x_d_m kills and restarts the server (if possible) and the session. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....aaaauuuutttthhhhoooorrrriiiizzzzeeee DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....aaaauuuutttthhhhNNNNaaaammmmeeee aaaauuuutttthhhhoooorrrriiiizzzzeeee is a boolean resource which controls whether _x_d_m generates and uses authorization for the local server connections. If authorization is used, aaaauuuutttthhhhNNNNaaaammmmeeee Page 12 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) is a list of authorization mechanisms to use, separated by white space. XDMCP connections dynamically specify which authorization mechanisms are supported, so aaaauuuutttthhhhNNNNaaaammmmeeee is ignored in this case. When aaaauuuutttthhhhoooorrrriiiizzzzeeee is set for a display and authorization is not available, the user is informed by having a different message displayed in the login widget. By default, aaaauuuutttthhhhoooorrrriiiizzzzeeee is ``off.'' aaaauuuutttthhhhNNNNaaaammmmeeee is ``MIT-MAGIC-COOKIE-1,'' or, if XDM-AUTHORIZATION-1 is available, ``XDM-AUTHORIZATION- 1 MIT-MAGIC-COOKIE-1.'' DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....aaaauuuutttthhhhFFFFiiiilllleeee This file is used to communicate the authorization data from _x_d_m to the server, using the ----aaaauuuutttthhhh server command line option. It should be kept in a directory which is not world-writable as it could easily be removed, disabling the authorization mechanism in the server. If not specified, a name is generated from DisplayManager.authDir and the name of the display. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....aaaauuuutttthhhhCCCCoooommmmppppllllaaaaiiiinnnn If set to ``false,'' disables the use of the uuuunnnnsssseeeeccccuuuurrrreeeeGGGGrrrreeeeeeeettttiiiinnnngggg in the login window. See the section AAAAuuuutttthhhheeeennnnttttiiiiccccaaaattttiiiioooonnnn WWWWiiiiddddggggeeeetttt.... The default is ``false.'' DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....rrrreeeesssseeeettttSSSSiiiiggggnnnnaaaallll The number of the signal _x_d_m sends to reset the server. See the section CCCCoooonnnnttttrrrroooolllllllliiiinnnngggg tttthhhheeee SSSSeeeerrrrvvvveeeerrrr.... The default is 1 (SIGHUP). DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....tttteeeerrrrmmmmSSSSiiiiggggnnnnaaaallll The number of the signal _x_d_m sends to terminate the server. See the section CCCCoooonnnnttttrrrroooolllllllliiiinnnngggg tttthhhheeee SSSSeeeerrrrvvvveeeerrrr.... The default is 15 (SIGTERM). DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....rrrreeeesssseeeettttFFFFoooorrrrAAAAuuuutttthhhh The original implementation of authorization in the sample server reread the authorization file at server reset time, instead of when checking the initial connection. As _x_d_m generates the authorization information just before connecting to the display, an old server would not get up-to-date authorization information. This resource causes _x_d_m to send SIGHUP to the server after setting up the file, causing an additional server reset to occur, during which time the new authorization information will be read. The default is ``false,'' which will work for all MIT servers. DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....uuuusssseeeerrrrAAAAuuuutttthhhhDDDDiiiirrrr When _x_d_m is unable to write to the usual user authorization file ($HOME/.Xauthority), it creates a Page 13 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) unique file name in this directory and points the environment variable XAUTHORITY at the created file. It uses /_t_m_p by default. CCCCOOOONNNNFFFFIIIIGGGGUUUURRRRAAAATTTTIIIIOOOONNNN FFFFIIIILLLLEEEE First, the _x_d_m configuration file should be set up. Make a directory (usually /_v_a_r/_X_1_1/_x_d_m). On SGI systems, the default configuration files is /var/X11/xdm/xdm-config. Here is a reasonable configuration file, which could be named _x_d_m-_c_o_n_f_i_g: DisplayManager.servers: /var/X11/xdm/Xservers DisplayManager.errorLogFile: /var/X11/xdm/xdm-errors DisplayManager*resources: /var/X11/xdm/Xresources DisplayManager*startup: /var/X11/xdm/Xstartup DisplayManager*session: /var/X11/xdm/Xsession DisplayManager.pidFile: /var/X11/xdm/xdm-pid DisplayManager._0.authorize: true DisplayManager*authorize: false Note that this file mostly contains references to other files. Note also that some of the resources are specified with ``*'' separating the components. These resources can be made unique for each different display, by replacing the ``*'' with the display-name, but normally this is not very useful. See the RRRReeeessssoooouuuurrrrcccceeeessss section for a complete discussion. XXXXDDDDMMMMCCCCPPPP AAAACCCCCCCCEEEESSSSSSSS CCCCOOOONNNNTTTTRRRROOOOLLLL The database file specified by the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....aaaacccccccceeeessssssssFFFFiiiilllleeee provides information which _x_d_m uses to control access from displays requesting XDMCP service. This file contains three types of entries: entries which control the response to Direct and Broadcast queries, entries which control the response to Indirect queries, and macro definitions. The format of the Direct entries is simple, either a host name or a pattern, which is distinguished from a host name by the inclusion of one or more meta characters (`*' matches any sequence of 0 or more characters, and `?' matches any single character) which are compared against the host name of the display device. If the entry is a host name, all comparisons are done using network addresses, so any name which converts to the correct network address may be used. For patterns, only canonical host names are used in the comparison, so ensure that you do not attempt to match aliases. Preceding either a host name or a pattern with a `!' character causes hosts which match that entry to be excluded. Page 14 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) An Indirect entry also contains a host name or pattern, but follows it with a list of host names or macros to which indirect queries should be sent. A macro definition contains a macro name and a list of host names and other macros that the macro expands to. To distinguish macros from hostnames, macro names start with a `%' character. Macros may be nested. Indirect entries may also specify to have _x_d_m run _c_h_o_o_s_e_r to offer a menu of hosts to connect to. See the section CCCChhhhoooooooosssseeeerrrr. When checking access for a particular display host, each entry is scanned in turn and the first matching entry determines the response. Direct and Broadcast entries are ignored when scanning for an Indirect entry and vice-versa. Blank lines are ignored, `#' is treated as a comment delimiter causing the rest of that line to be ignored, and `\_n_e_w_l_i_n_e' causes the newline to be ignored, allowing indirect host lists to span multiple lines. Here is an example Xaccess file: # # Xaccess - XDMCP access control file # # # Direct/Broadcast query entries # !xtra.lcs.mit.edu # disallow direct/broadcast service for xtra bambi.ogi.edu # allow access from this particular display *.lcs.mit.edu # allow access from any display in LCS # # Indirect query entries # %HOSTS expo.lcs.mit.edu xenon.lcs.mit.edu \ excess.lcs.mit.edu kanga.lcs.mit.edu extract.lcs.mit.edu xenon.lcs.mit.edu #force extract to contact xenon !xtra.lcs.mit.edu dummy #disallow indirect access *.lcs.mit.edu %HOSTS #all others get to choose CCCCHHHHOOOOOOOOSSSSEEEERRRR For X terminals that do not offer a host menu for use with Broadcast or Indirect queries, the _c_h_o_o_s_e_r program can do this for them. In the _X_a_c_c_e_s_s file, specify ``CHOOSER'' as Page 15 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) the first entry in the Indirect host list. _C_h_o_o_s_e_r will send a Query request to each of the remaining host names in the list and offer a menu of all the hosts that respond. The list may consist of the word ``BROADCAST,'' in which case _c_h_o_o_s_e_r will send a Broadcast instead, again offering a menu of all hosts that respond. Note that on some operating systems, UDP packets cannot be broadcast, so this feature will not work. Example _X_a_c_c_e_s_s file using _c_h_o_o_s_e_r: extract.lcs.mit.edu CHOOSER %HOSTS #offer a menu of these hosts xtra.lcs.mit.edu CHOOSER BROADCAST #offer a menu of all hosts The program to use for _c_h_o_o_s_e_r is specified by the DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....cccchhhhoooooooosssseeeerrrr resource. For more flexibility at this step, the chooser could be a shell script. _C_h_o_o_s_e_r is the session manager here; it is run instead of a child _x_d_m to manage the display. Resources for this program can be put into the file named by DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....rrrreeeessssoooouuuurrrrcccceeeessss. When the user selects a host, _c_h_o_o_s_e_r prints the host chosen, which is read by the parent _x_d_m, and exits. _x_d_m closes its connection to the X server, and the server resets and sends another IIIInnnnddddiiiirrrreeeecccctttt XDMCP request. _x_d_m remembers the user's choice (for DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....cccchhhhooooiiiicccceeeeTTTTiiiimmmmeeeeoooouuuutttt seconds) and forwards the request to the chosen host, which starts a session on that display. LLLLOOOOCCCCAAAALLLL SSSSEEEERRRRVVVVEEEERRRR SSSSPPPPEEEECCCCIIIIFFFFIIIICCCCAAAATTTTIIIIOOOONNNN The resource DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....sssseeeerrrrvvvveeeerrrrssss gives a server specification or, if the values starts with a slash (/), the name of a file containing server specifications, one per line. Each specification indicates a display which should constantly be managed and which is not using XDMCP. This method is used typically for local servers only. If the resource or the file named by the resource is empty, _x_d_m will offer XDMCP service only. Each specification consists of at least three parts: a display name, a display class, a display type, and (for local servers) a command line to start the server. A typical entry for local display number 0 would be: :0 Digital-QV local /usr/X11/bin/X :0 The display types are: Page 16 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) local local display: _x_d_m must run the server foreign remote display: _x_d_m opens an X connection to a running server The display name must be something that can be passed in the ----ddddiiiissssppppllllaaaayyyy option to an X program. This string is used to generate the display-specific resource names, so be careful to match the names (e.g., use ``:0 local /usr/X11/bin/X :0'' instead of ``localhost:0 local /usr/X11/bin/X :0'' if your other resources are specified as ``DisplayManager._0.session''). The display class portion is also used in the display-specific resources, as the class of the resource. This is useful if you have a large collection of similar displays (such as a corral of X terminals) and would like to set resources for groups of them. When using XDMCP, the display is required to specify the display class, so the manual for your particular X terminal should document the display class string for your device. If it doesn't, you can run _x_d_m in debug mode and look at the resource strings which it generates for that device, which will include the class string. When _x_d_m starts a session, it sets up authorization data for the server. For local servers, _x_d_m passes ``----aaaauuuutttthhhh _f_i_l_e_n_a_m_e'' on the server's command line to point it at its authorization data. For XDMCP servers, _x_d_m passes the authorization data to the server via the AAAAcccccccceeeepppptttt XDMCP request. RRRREEEESSSSOOOOUUUURRRRCCCCEEEESSSS FFFFIIIILLLLEEEE The _X_r_e_s_o_u_r_c_e_s file is loaded onto the display as a resource database using _x_r_d_b. As the authentication widget reads this database before starting up, it usually contains parameters for that widget: xlogin*login.translations: #override\ Ctrl<Key>R: abort-display()\n\ <Key>F1: set-session-argument(failsafe) finish-field()\n\ <Key>Return: set-session-argument() finish-field() xlogin*borderWidth: 3 xlogin*greeting: CLIENTHOST #ifdef COLOR xlogin*greetColor: CadetBlue xlogin*failColor: red #endif Please note the translations entry; it specifies a few new translations for the widget which allow users to escape from the default session (and avoid troubles that may occur in it). Note that if #override is not specified, the default translations are removed and replaced by the new value, not Page 17 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) a very useful result as some of the default translations are quite useful (such as ``<Key>: insert-char ()'' which responds to normal typing). This file may also contain resources for the setup program and _c_h_o_o_s_e_r. SSSSEEEETTTTUUUUPPPP PPPPRRRROOOOGGGGRRRRAAAAMMMM The _X_s_e_t_u_p file is run after the server is reset, but before the Login window is offered. The file is typically a shell script. It is run as root, so should be careful about security. This is the place to change the root background or bring up other windows that should appear on the screen along with the Login widget. In addition to any specified by DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....eeeexxxxppppoooorrrrttttLLLLiiiisssstttt, the following environment variables are passed: DISPLAY the associated display name PATH the value of DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ssssyyyysssstttteeeemmmmPPPPaaaatttthhhh SHELL the value of DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ssssyyyysssstttteeeemmmmSSSShhhheeeellllllll XAUTHORITY may be set to an authority file Note that since _x_d_m grabs the keyboard, any other windows will not be able to receive keyboard input. They will be able to interact with the mouse, however; beware of potential security holes here. If DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ggggrrrraaaabbbbSSSSeeeerrrrvvvveeeerrrr is set, _X_s_e_t_u_p will not be able to connect to the display at all. Resources for this program can be put into the file named by DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....rrrreeeessssoooouuuurrrrcccceeeessss. Here is a sample _X_s_e_t_u_p script: #!/bin/sh # Xsetup_0 - setup script for one workstation xcmsdb < /var/monitors/alex.0 xconsole -geometry 480x130-0-0 -notify -verbose -exitOnFail & AAAAUUUUTTTTHHHHEEEENNNNTTTTIIIICCCCAAAATTTTIIIIOOOONNNN WWWWIIIIDDDDGGGGEEEETTTT The authentication widget reads a name/password pair from the keyboard. Nearly every imaginable parameter can be controlled with a resource. Resources for this widget should be put into the file named by DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....rrrreeeessssoooouuuurrrrcccceeeessss. All of these have reasonable default values, so it is not necessary to specify any of them. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....yyyy xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....wwwwiiiiddddtttthhhh,,,, xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....hhhheeeeiiiigggghhhhtttt,,,, xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....xxxx,,,, The geometry of the Login widget is normally computed Page 18 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) automatically. If you wish to position it elsewhere, specify each of these resources. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ffffoooorrrreeeeggggrrrroooouuuunnnndddd The color used to display the typed-in user name. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ffffoooonnnntttt The font used to display the typed-in user name. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ggggrrrreeeeeeeettttiiiinnnngggg A string which identifies this window. The default is ``X Window System.'' xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....uuuunnnnsssseeeeccccuuuurrrreeeeGGGGrrrreeeeeeeettttiiiinnnngggg When X authorization is requested in the configuration file for this display and none is in use, this greeting replaces the standard greeting. The default is ``This is an unsecure session'' xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ggggrrrreeeeeeeettttFFFFoooonnnntttt The font used to display the greeting. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ggggrrrreeeeeeeettttCCCCoooolllloooorrrr The color used to display the greeting. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....nnnnaaaammmmeeeePPPPrrrroooommmmpppptttt The string displayed to prompt for a user name. _X_r_d_b strips trailing white space from resource values, so to add spaces at the end of the prompt (usually a nice thing), add spaces escaped with backslashes. The default is ``Login: '' xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ppppaaaasssssssswwwwddddPPPPrrrroooommmmpppptttt The string displayed to prompt for a password. The default is ``Password: '' xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....pppprrrroooommmmppppttttFFFFoooonnnntttt The font used to display both prompts. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....pppprrrroooommmmppppttttCCCCoooolllloooorrrr The color used to display both prompts. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ffffaaaaiiiillll A message which is displayed when the authentication fails. The default is ``Login incorrect'' xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ffffaaaaiiiillllFFFFoooonnnntttt The font used to display the failure message. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ffffaaaaiiiillllCCCCoooolllloooorrrr The color used to display the failure message. Page 19 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ffffaaaaiiiillllTTTTiiiimmmmeeeeoooouuuutttt The number of seconds that the failure message is displayed. The default is 30. xxxxllllooooggggiiiinnnn....LLLLooooggggiiiinnnn....ttttrrrraaaannnnssssllllaaaattttiiiioooonnnnssss This specifies the translations used for the login widget. Refer to the X Toolkit documentation for a complete discussion on translations. The default translation table is: Ctrl<Key>H: delete-previous-character() \n\ Ctrl<Key>D: delete-character() \n\ Ctrl<Key>B: move-backward-character() \n\ Ctrl<Key>F: move-forward-character() \n\ Ctrl<Key>A: move-to-begining() \n\ Ctrl<Key>E: move-to-end() \n\ Ctrl<Key>K: erase-to-end-of-line() \n\ Ctrl<Key>U: erase-line() \n\ Ctrl<Key>X: erase-line() \n\ Ctrl<Key>C: restart-session() \n\ Ctrl<Key>\\: abort-session() \n\ <Key>BackSpace:delete-previous-character() \n\ <Key>Delete: delete-previous-character() \n\ <Key>Return: finish-field() \n\ <Key>: insert-char() \ The actions which are supported by the widget are: delete-previous-character Erases the character before the cursor. delete-character Erases the character after the cursor. move-backward-character Moves the cursor backward. move-forward-character Moves the cursor forward. move-to-begining (Apologies about the spelling error.) Moves the cursor to the beginning of the editable text. move-to-end Moves the cursor to the end of the editable text. erase-to-end-of-line Erases all text after the cursor. erase-line Page 20 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) Erases the entire text. finish-field If the cursor is in the name field, proceeds to the password field; if the cursor is in the password field, checks the current name/password pair. If the name/password pair is valid, _x_d_m starts the session. Otherwise the failure message is displayed and the user is prompted again. abort-session Terminates and restarts the server. abort-display Terminates the server, disabling it. This action is not accessible in the default configuration. There are various reasons to stop _x_d_m on a system console, such as when shutting the system down, when using _x_d_m_s_h_e_l_l, to start another type of server, or to generally access the console. Sending _x_d_m a SIGHUP will restart the display. See the section CCCCoooonnnnttttrrrroooolllllllliiiinnnngggg XXXXDDDDMMMM. restart-session Resets the X server and starts a new session. This can be used when the resources have been changed and you want to test them or when the screen has been overwritten with system messages. insert-char Inserts the character typed. set-session-argument Specifies a single word argument which is passed to the session at startup. See the section SSSSeeeessssssssiiiioooonnnn PPPPrrrrooooggggrrrraaaammmm. allow-all-access Disables access control in the server. This can be used when the .Xauthority file cannot be created by _x_d_m. Be very careful using this; it might be better to disconnect the machine from the network before doing this. SSSSTTTTAAAARRRRTTTTUUUUPPPP PPPPRRRROOOOGGGGRRRRAAAAMMMM The _X_s_t_a_r_t_u_p program is run as root when the user logs in. It is typically a shell script. Since it is run as root, _X_s_t_a_r_t_u_p should be very careful about security. This is the place to put commands which add entries to /_e_t_c/_u_t_m_p (the _s_e_s_s_r_e_g program may be useful here), mount users' home directories from file servers, or abort the session if logins are not allowed. In addition to any specified by DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....eeeexxxxppppoooorrrrttttLLLLiiiisssstttt, Page 21 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) the following environment variables are passed: DISPLAY the associated display name HOME the initial working directory of the user LOGNAME the user name USER the user name PATH the value of DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ssssyyyysssstttteeeemmmmPPPPaaaatttthhhh SHELL the value of DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....ssssyyyysssstttteeeemmmmSSSShhhheeeellllllll XAUTHORITY may be set to an authority file No arguments are passed to the script. _X_d_m waits until this script exits before starting the user session. If the exit value of this script is non-zero, _x_d_m discontinues the session and starts another authentication cycle. The sample _X_s_t_a_r_t_u_p file shown here prevents login while the file /_e_t_c/_n_o_l_o_g_i_n exists. Thus this is not a complete example, but simply a demonstration of the available functionality. Here is a sample _X_s_t_a_r_t_u_p script: #!/bin/sh # # Xstartup # # This program is run as root after the user is verified # if [ -f /etc/nologin ]; then xmessage -file /etc/nologin -timeout 30 -center exit 1 fi sessreg -a -l $DISPLAY -x /var/X11/xdm/Xservers $LOGNAME /var/xdm/GiveConsole exit 0 SSSSEEEESSSSSSSSIIIIOOOONNNN PPPPRRRROOOOGGGGRRRRAAAAMMMM The _X_s_e_s_s_i_o_n program is the command which is run as the user's session. It is run with the permissions of the authorized user. In addition to any specified by DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....eeeexxxxppppoooorrrrttttLLLLiiiisssstttt, the following environment variables are passed: DISPLAY the associated display name HOME the initial working directory of the user LOGNAME the user name USER the user name PATH the value of DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....uuuusssseeeerrrrPPPPaaaatttthhhh SHELL the user's default shell (from _g_e_t_p_w_n_a_m) XAUTHORITY may be set to a non-standard authority file Page 22 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) KRB5CCNAME may be set to a Kerberos credentials cache name At most installations, _X_s_e_s_s_i_o_n should look in $HOME for a file ._x_s_e_s_s_i_o_n, which contains commands that each user would like to use as a session. _X_s_e_s_s_i_o_n should also implement a system default session if no user-specified session exists. See the section TTTTyyyyppppiiiiccccaaaallll UUUUssssaaaaggggeeee. An argument may be passed to this program from the authentication widget using the `set-session-argument' action. This can be used to select different styles of session. One good use of this feature is to allow the user to escape from the ordinary session when it fails. This allows users to repair their own ._x_s_e_s_s_i_o_n if it fails, without requiring administrative intervention. The example following demonstrates this feature. This example recognizes the special ``failsafe'' mode, specified in the translations in the _X_r_e_s_o_u_r_c_e_s file, to provide an escape from the ordinary session. It also requires that the .xsession file be executable so we don't have to guess what shell it wants to use. #!/bin/sh # # Xsession # # This is the program that is run as the client # for the display manager. case $# in 1) case $1 in failsafe) exec xterm -geometry 80x24-0-0 ;; esac esac startup=$HOME/.xsession resources=$HOME/.Xresources if [ -f "$startup" ]; then exec "$startup" else if [ -f "$resources" ]; then xrdb -load "$resources" fi twm & xman -geometry +10-10 & exec xterm -geometry 80x24+10+10 -ls Page 23 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) fi Note that the script always ends with an _e_x_e_c. This is the standard way to run _x_d_m. When the _e_x_e_ced program exits, the session will end. SGI also provides another way to control the termination of a session. You can finish your script with: exec /usr/bin/X11/reaper In that case, the _r_e_a_p_e_r program places a property, __S_G_I__S_E_S_S_I_O_N__P_R_O_P_E_R_T_Y, on the root window and exits. The session does not end when _r_e_a_p_e_r exits. Instead, when the _SGI_SESSION_PROPERTY property is removed, xdm will terminate the session. The program _e_n_d_s_e_s_s_i_o_n will remove that property. So will selecting "Log out" in the standard _t_o_o_l_c_h_e_s_t menu. The user's ._x_s_e_s_s_i_o_n file might look something like this example. Don't forget that the file must have execute permission. #! /bin/csh # no -f in the previous line so .cshrc gets run to set $PATH twm & xrdb -merge "$HOME/.Xresources" emacs -geometry +0+50 & xbiff -geometry -430+5 & xterm -geometry -0+50 -ls RRRREEEESSSSEEEETTTT PPPPRRRROOOOGGGGRRRRAAAAMMMM Symmetrical with _X_s_t_a_r_t_u_p, the _X_r_e_s_e_t script is run after the user session has terminated. Run as root, it should contain commands that undo the effects of commands in _X_s_t_a_r_t_u_p, removing entries from /_e_t_c/_u_t_m_p or unmounting directories from file servers. The environment variables that were passed to _X_s_t_a_r_t_u_p are also passed to _X_r_e_s_e_t. A sample _X_r_e_s_e_t script: #!/bin/sh # # Xreset # # This program is run as root after the session ends # sessreg -d -l $DISPLAY -x /var/X11/xdm/Xservers $LOGNAME /var/xdm/TakeConsole exit 0 CCCCOOOONNNNTTTTRRRROOOOLLLLLLLLIIIINNNNGGGG TTTTHHHHEEEE SSSSEEEERRRRVVVVEEEERRRR _X_d_m controls local servers using POSIX signals. SIGHUP is expected to reset the server, closing all client connections and performing other cleanup duties. SIGTERM is expected to terminate the server. If these signals do not perform the Page 24 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) expected actions, the resources DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....rrrreeeesssseeeettttSSSSiiiiggggnnnnaaaallll and DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr...._D_I_S_P_L_A_Y....tttteeeerrrrmmmmSSSSiiiiggggnnnnaaaallll can specify alternate signals. To control remote terminals not using XDMCP, _x_d_m searches the window hierarchy on the display and uses the protocol request KillClient in an attempt to clean up the terminal for the next session. This may not actually kill all of the clients, as only those which have created windows will be noticed. XDMCP provides a more sure mechanism; when _x_d_m closes its initial connection, the session is over and the terminal is required to close all other connections. CCCCOOOONNNNTTTTRRRROOOOLLLLLLLLIIIINNNNGGGG XXXXDDDDMMMM _X_d_m responds to two signals: SIGHUP and SIGTERM. When sent a SIGHUP, _x_d_m rereads the configuration file, the access control file, and the servers file. For the servers file, it notices if entries have been added or removed. If a new entry has been added, _x_d_m starts a session on the associated display. Entries which have been removed are disabled immediately, meaning that any session in progress will be terminated without notice and no new session will be started. When sent a SIGTERM, _x_d_m terminates all sessions in progress and exits. This can be used when shutting down the system. _X_d_m attempts to mark its various sub-processes for _p_s(1) by editing the command line argument list in place. Because _x_d_m can't allocate additional space for this task, it is useful to start _x_d_m with a reasonably long command line (using the full path name should be enough). Each process which is servicing a display is marked ----_d_i_s_p_l_a_y. AAAADDDDDDDDIIIITTTTIIIIOOOONNNNAAAALLLL LLLLOOOOCCCCAAAALLLL DDDDIIIISSSSPPPPLLLLAAAAYYYYSSSS To add an additional local display, add a line for it to the _X_s_e_r_v_e_r_s file. (See the section LLLLooooccccaaaallll SSSSeeeerrrrvvvveeeerrrr SSSSppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn.) Examine the display-specific resources in _x_d_m-_c_o_n_f_i_g (e.g., DDDDiiiissssppppllllaaaayyyyMMMMaaaannnnaaaaggggeeeerrrr....____0000....aaaauuuutttthhhhoooorrrriiiizzzzeeee) and consider which of them should be copied for the new display. The default _x_d_m- _c_o_n_f_i_g has all the appropriate lines for displays ::::0000 and ::::1111. OOOOTTTTHHHHEEEERRRR PPPPOOOOSSSSSSSSIIIIBBBBIIIILLLLIIIITTTTIIIIEEEESSSS You can use _x_d_m to run a single session at a time, using the 4.3 _i_n_i_t options or other suitable daemon by specifying the server on the command line: xdm -server ":0 SUN-3/60CG4 local /usr/X11R6/bin/X :0" Page 25 (printed 10/24/98) XXXXDDDDMMMM((((1111)))) XXXX VVVVeeeerrrrssssiiiioooonnnn 11111111 ((((RRRReeeelllleeeeaaaasssseeee 6666....3333)))) XXXXDDDDMMMM((((1111)))) Or, you might have a file server and a collection of X terminals. The configuration for this is identical to the sample above, except the _X_s_e_r_v_e_r_s file would look like extol:0 VISUAL-19 foreign exalt:0 NCD-19 foreign explode:0 NCR-TOWERVIEW3000 foreign This directs _x_d_m to manage sessions on all three of these terminals. See the section CCCCoooonnnnttttrrrroooolllllllliiiinnnngggg XXXXddddmmmm for a description of using signals to enable and disable these terminals in a manner reminiscent of _i_n_i_t(8). LLLLIIIIMMMMIIIITTTTAAAATTTTIIIIOOOONNNNSSSS One thing that _x_d_m isn't very good at doing is coexisting with other window systems. To use multiple window systems on the same hardware, you'll probably be more interested in _x_i_n_i_t. FFFFIIIILLLLEEEESSSS /_v_a_r/_X_1_1/_x_d_m/_x_d_m-_c_o_n_f_i_g the default configuration file $_H_O_M_E/._X_a_u_t_h_o_r_i_t_y user authorization file where _x_d_m stores keys for clients to read /_v_a_r/_X_1_1/_x_d_m/_c_h_o_o_s_e_r the default chooser /_u_s_r/_b_i_n/_X_1_1/_x_r_d_b the default resource database loader /_u_s_r/_b_i_n/_X_1_1/_X the default server /_u_s_r/_b_i_n/_X_1_1/_x_t_e_r_m the default session program and failsafe client /_v_a_r/_X_1_1/_x_d_m/_A<_d_i_s_p_l_a_y>-<_s_u_f_f_i_x> the default place for authorization files /_t_m_p/_K_5_C<_d_i_s_p_l_a_y> Kerberos credentials cache SSSSEEEEEEEE AAAALLLLSSSSOOOO _X(1), _x_i_n_i_t(1), _x_a_u_t_h(1), _X_s_e_c_u_r_i_t_y(1), _s_e_s_s_r_e_g(1), _X_s_e_r_v_e_r(1), _X_s_g_i(1), _X _D_i_s_p_l_a_y _M_a_n_a_g_e_r _C_o_n_t_r_o_l _P_r_o_t_o_c_o_l AAAAUUUUTTTTHHHHOOOORRRR Keith Packard, MIT X Consortium Page 26 (printed 10/24/98)