Linux XDMCP HOWTO

Thomas Chao

<tomchao@alcatel-lucent.com>
Revision History                                                             
Revision v1.4                    11 June 2007                                
Adding info for now popular Ubuntu 7.0.4, RH Commercial Workstation v.3,     
Fedora Core 6 and 7, new Mandriva.                                           
Revision v1.3                    2 January 2003                              
Adding info for Red Hat 7.3 & 8.0, Mandrake 8.2 & 9.0, SuSE Linux            
configuration and contents update.                                           
Revision v1.2                    15 March 2002                               
Adding more info for Red Hat 7.2, Mandrake 8.1 and Slackware 8.0 Linux       
configuration and SSH X11 Forwarding.                                        
Revision v1.1                    20 March 2001                               
Revision and adding RH 7.0.                                                  
Revision v1.0                    01 November 2000                            
Initial revision and release.                                                


This HOWTO describes how you can use the combination of an X Display Manager
(xdm, kdm or gdm) and XDMCP (X Display Manager Control Protocol) to provide
a solution for the X-Terminal and an efficient platform for a Remote X Apps
environment. This document focuses on how to set up the X connection using
XDMCP.

-----------------------------------------------------------------------------
Table of Contents
1. Introduction
    1.1. Disclaimer
    1.2. Feedback
   
   
2. The Procedure
    2.1. Before you begin, some background
    2.2. Security Reminder
    2.3. The System I use
    2.4. Remote Client Piece
    2.5. Server Preparation
    2.6. Steps to Complete the Procedures
    2.7. Testing
   
   
3. X11 Forwarding using SSH
4. Troubleshooting
5. XDMCP and GDM (Gnome Display Manager)
6. Additional References
7. Authors
8. Copyright Information

1. Introduction

[http://en.wikipedia.org/wiki/X_Window_System] X Window System is the display
and networking protocol developed by MIT. X was built with the network in
mind, with the capability to run a (graphical) session on a remote computer.
In it, an X Display Manager is used to start a session from a local system or
from another computer. The request for and the start of the session are
handled by XDMCP, which stands for "X Display Manager Control Protocol" and
is a network protocol. It provides a way of running the X-Terminal on your PC
(or MAC), and it uses the X Server to provide a client/server interface
between display hardware (the mouse, keyboard, and video displays) and the
desktop environment while also providing both the windowing infrastructure
and a standardized application interface (quoted from XFree86 Project home
page). The X-Terminal can be displayed in an individual window or multiple
windows, based on your X window system's software capabilities and setup.

I am always looking for the best way to use Linux, both at home and at work.
One of the biggest advantages of all is the ability to re-use older systems
(like Pentium, Pentium II, Pentium III and even the 486 and AMD x86 CPUs) as
an Xterminal (by using Win32 apps like Hummingbird's Exceed, Reflection X,
X-Win32 or X-ThinPro; for MAC, try eXodus) to run from any of your PCs
remotely. I found out, somewhat surprisingly, that there are many documents
on the Internet that can help you to set it up, but none in a step-by-step
HOW-TO format! This is how I came up with this document as a way to share my
experiences with all users. By using X and XDMCP, you can build a good,
reliable and low-cost X environment for your home or work IT solution. Best
of all, it is free! You will also find out that those PCs long abandoned by
the current Windows system can run X in Linux just fine! It can save you
money and spare mother earth!

In recent years, new Linux distributions have become easier to use by adding
new user interfaces. However, I still believe in manual control of the system
and applications where I can, because in this way I know what I am going to
change in my system and can change it the way I want. Therefore, I will focus
this document on manual configuration.
-----------------------------------------------------------------------------

1.1. Disclaimer

No liability for the contents of this document can be accepted. Use the
concepts, examples and other content at your own risk. As this is a new
edition of this document, there may be errors and inaccuracies that may of
course be damaging to your system. Proceed with caution, and although this is
highly unlikely, the author(s) do not take any responsibility for that.

All copyrights are held by their respective owners, unless specifically
noted otherwise. Use of a term in this document should not be regarded as
affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major
installation and backups at regular intervals.
-----------------------------------------------------------------------------

1.2. Feedback

Feedback is most certainly welcome for this document. Without your
submissions and input, this document wouldn't exist. Please send your
additions, comments and criticisms to the following email address:
<tomchao@alcatel-lucent.com>.
-----------------------------------------------------------------------------

2. The Procedure

This section details the procedure for setting up Xterminal using XDMCP. The
pre-requisite is to have a (any) Linux distribution installed and running X.
-----------------------------------------------------------------------------

2.1. Before you begin, some background

Before you begin, it is better to have a basic understanding of how this
works. The X server is usually started from the X Display Manager (DM). This
[http://en.wikipedia.org/wiki/X_display_manager] X DM Wiki page gives you a
basic understanding of how it works! (More details are at the [#REFS]
Resources below and the [http://www.tldp.org] LDP HOWTO page)

Almost all Linux distributions include xdm, kdm and gdm as your choices.
(This document will use gdm and kdm as examples). The Display Manager
provides a nice and consistent interface for general users (X-based login,
starting up a window manager, clock, etc.). The X Display Manager manages a
collection of X displays, which may be on the local host or remote servers.
It is worth noting that the Xsession file is what runs your environment.

When xdm runs, it offers display management in two different ways. It can
manage X Servers running on the local machine and specified in "Xservers",
and/or it can manage remote X Servers (typically Xterminals) using XDMCP as
specified in the "Xaccess" file (refer to the xdm man page).

For kdm (which comes with the KDE desktop), it is a replacement of xdm and
configures the same way, except its files are in /etc/X11/kdm in Caldera/SCO,
/etc/kde/kdm in Red Hat (and Fedora Core) and /usr/share/config/kdm, which is
a symbolic link to /etc/kde/kdm, in Mandrake.

The gdm (Gnome Display Manager) is a re-implementation of the well known xdm.
Its configuration is found in /etc/X11/gdm/gdm.conf. The gdm.conf file
contains sets of variables and many options for gdm, and the Sessions
directory contains a script for each session option; each script calls
/etc/X11/xdm/Xsession with the appropriate option. gdm has similar functions
to xdm and kdm, but was written from scratch and does not contain any
original XDM / X Consortium code.

RH 8.0 introduces the new graphical interface called "Bluecurve". The new
interface aims for an XP look and feel. The setup makes no difference in
this case!

Other good references for the similar setup can be found in the following
documents:

  * The [http://www.tldp.org/HOWTO/XDM-Xterm/index.html] XDM and Xterminal
    mini-HOWTO, by Kevin Taylor
   
  * Linux [] Remote X Apps mini HOWTO A very good reference for Remote X in
    both theoretical and practical view. By Vincent Zweije
   
  * The [http://www.tldp.org/HOWTO/Xterminals/index.html] Connecting
    Xterminal mini-HOWTO, by Salvador J. Peralta
   
  * The [http://www.gnome.org/projects/gdm/docs/gdmtalk.pdf] Using and
    Managing GDM [ PDF ] from The GNOME Project.
   

-----------------------------------------------------------------------------
2.2. Security Reminder

Do not believe the myth that Linux (or UNIX) is a safer OS than MS Windows!
All OSs are vulnerable to hackers if the user does a poor job of configuring
the system or keeping up with security updates!

You need to bear in mind that both X and XDMCP are inherently insecure, and
that is why many distributions ship with XDMCP turned off by default. If you
must use XDMCP, be sure to use it only in a trusted network, such as a
corporate network behind a firewall. Never use it in an open network (or
Internet) environment without firewall protection! If you are using it at
home, remember to add a firewall-equipped router for protection.

A good way to test your network security is to test it using the
[http://www.grc.com] ShieldsUp by Gibson Research. It is free and easy to
use!

An XDMCP connection opens up UDP ports; therefore, it cannot natively be used
with SSH. Currently, SSH1 and SSH2 are not implemented to securely forward
UDP communication. To secure the connection with SSH, the technique is called
X11 TCP/IP Port Forwarding. Check this
[http://www.ox.compsoc.net/~steve/portforwarding.html] Why Port Forwarding?
site and the [#REFS] Resources area for additional HOW-TO information. If you
would like to experiment with this, I have added a little section below to
show you how it works. I will give you only the basic idea of how it works,
and I will leave the more advanced ways of running it to other experts and/or
HOWTOs.
-----------------------------------------------------------------------------

2.3. The System I use

I have tested the setup running a GNOME (gdm), as well as KDE (kdm) on the
following distributions:

  * [http://www.redhat.com] Red Hat: From RH 8.0 down to 6.0. RH Workstation
    v.3 (commercial).
   
  * [http://fedoraproject.org] Fedora Core v.5 to v.7. (The new RH free
    version)
   
  * Mandrake Linux from 7.2 to 10.0 and Limited Edition 2005. I would also
    like to test it out on the new [http://www.mandriva.com] Mandriva 2007
    Spring version.
   
  * [http://www.ubuntu] Ubuntu version 6.x, 7.04.
   

SuSE 7.2 (SuSE is now the new [http://www.novell.com/linux] Novell Linux) and
[http://www.slackware.com] Slackware 8.0's setups were tested by users,
thanks to Peter Van Eerten and others, who helped test for this HOW-TO. (I
would like to thank all users who helped me on this project). The other one I
have tried is Caldera eDesktop 2.4 (now owned by SCO), which is similar to
RH's setup, except that it uses KDE. I have not had a chance to test it on
other Linux flavors like Debian, Turbolinux, Gentoo, etc. However, the setup
should be similar and should work just fine. If you have successfully set up
a distribution other than those listed above, please share it with me. I will
add it to this document.

The PC hardware that I am using is an IBM PC clone running an Intel Celeron
2.9 GHz with 1 GB memory and a 160 GB ATA-133 Hard Drive. The oldest system I
currently have (in 2007) for testing is an Intel Pentium II 450 MHz PC with
128 MB memory, and it runs with good performance. (I did a test run on an old
Pentium 100 MHz PC in 2003 and it ran OK). I use a built-in Fast Ethernet NIC
on my Intel clone M/B. In my old machine, I use the 3Com 10/100 (3C509B) NIC
with an ATAPI DVD-ROM and an IOMEGA ZIP drive. I have also tested it on my
IBM T21 laptop, connecting with my Agere Wireless LAN card. I have also
tested the setup on one of my systems at home that uses an AMD 64-bit CPU
running Fedora Core 6.
-----------------------------------------------------------------------------

2.4. Remote Client Piece

I use Hummingbird Exceed 10.0 (Exceed 6.x and 7.0 also work fine) on my PC
and have tested it on Windows NT 4.0, Windows 2000 Pro and Windows XP. I
found out that other popular choices are X-Win32 and X-ThinPro, but I did not
have a chance to test them out. There are also many open-source applications,
as well as commercial ones, available, if you happen to have one.
-----------------------------------------------------------------------------

2.5. Server Preparation

In RH 7.x and other newer dists, you need to set up DNS lookup in order for
some networking functions to work properly (such as telnet, which we will use
to test the setup). You can use the "netstat -r" and/or "arp -a" commands to
verify your DNS setup or response time. If you are in a small environment
(like a home or small office) that does not have its own DNS and relies on
your ISP's DNS Server, then add the entry of your Linux workstation or server
name(s) in the "/etc/resolv.conf" file. If you only use it in the lab or at
home, you can add the host names of all workstations to your local static
hosts table in "/etc/hosts". You need root privileges to update the naming
information.

To prepare your X Server for an XDMCP session, you need to make sure the
following are properly installed:

 1. Install your Linux OS. In my case, I use mostly Fedora Core 6 in my lab
    and Ubuntu 7.04 at home. If you plan to use SSH Port Forwarding, you need
    to install the OpenSSH package or compile SSH with your kernel. Also,
    most dists now come with a firewall installed by default (unless you
    choose not to). You may encounter problems if you do not add firewall
    rules or temporarily disable it while setting up XDMCP. I will not cover
    the firewall rules here in detail, since this is not the focus of this
    document. I will share with you only how to make it work first, and you
    can fine-tune it yourself.
   
    To show your firewall rules, in kernel 2.2x, use the command ipchains -L
    to list your default rule sets. To temporarily disable it, use the
    command ipchains -F to flush the rules (Don't worry, they will be
    restored by re-loading or re-boot). For kernel 2.4x and up, replace the
    command ipchains with iptables. To start with, you can try to edit the
    /etc/sysconfig/ipchains file and comment out this rule (this is feedback
    from a user. You can test it yourself):
    +---------------------------------------------------------------+
    |-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT                 |
    +---------------------------------------------------------------+
   
    and insert these two rules to allow packets to pass through port 177:
    +---------------------------------------------------------------+
    |-A input -p udp -s 0/0 -d 0/0 0:176 -j REJECT                  |
    +---------------------------------------------------------------+
    +---------------------------------------------------------------+
    |-A input -p udp -s 0/0 -d 0/0 178:1023 -j REJECT               |
    +---------------------------------------------------------------+
   
    (Note: XDMCP uses TCP, UDP port 177 and TCP port 6000 to 6005. xfs server
    is using port 7100 in our setup).
   
    You should be able to use iptables in a similar way. (Check for
    iptables references at the [#REFS] Resources area or this [http://
    msmvps.com/blogs/rexiology/archive/2006/12/19/
    windows-x-client-server-to-connect-linux-server-xdmcp-and-vnc-approaches.aspx]
    setup example).
   
    For more firewall details, check the [http://www.ibiblio.org/pub/Linux/
    docs/HOWTO/other-formats/html_single/IP-Masquerade-HOWTO.html] IP
    Masquerade HOWTO page.
   
    One other easy way is to add rules that only accept certain IP
    address(es) from your trusted workstations. Please feel free to
    experiment with it by using the iptables command. Again, I will not cover
    the details here. I am the lucky one, because I have my company's
    firewall to protect me from the outside world.
   
    If you would like to use the GUI tool to configure the firewall using
    iptables, try this good one: the [http://www.fs-security.com]
    Firestarter.
   
 2. Set up your Networking. To test it out, you can use the ping, ftp and
    telnet commands to determine whether your networking is working. RH 7.x
    and up do not have the telnet daemon turned on by default (for security
    reasons). Remember to enable it if you prefer to use it for your test.
    You can always turn it off when you are done (using ntsysv in RH, or
    rcconf, sysvconfig in Ubuntu and Debian, with root privilege). One other
    thing is to remember that the firewall rules are there. Add your own
    rules or temporarily disable the firewall (as mentioned above) to make
    these commands work.
   
 3. Set up X. Do not set it up with a resolution higher than what the remote
    users are able to use for their display. The newer versions are now
    capable of probing the video chipset and determining that for you. Some
    older (X) versions may not! Test the X Server by typing either startx or
    telinit 5. Make sure X is running properly.
   
 4. Create the necessary user account(s) (and associated group) for the users
    who will access via the Xterminal.
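
The "only accept certain IP addresses from your trusted workstations" idea from the firewall step, written out for iptables as an added example; it is not part of the original HOWTO. The function name and the network 192.168.1.0/24 are constructed for illustration, and the OUTPUT rule assumes the sessions are displayed on X servers running on those workstations.

```shell
#!/bin/sh
# Added example (not from the HOWTO): print, without applying, iptables rules
# that open the ports this document names to one trusted network only.
#   UDP 177        XDMCP requests arriving at the display manager
#   TCP 7100       xfs font server, as configured in this document
#   TCP 6000-6005  X sessions going out to the X servers on the workstations
xdmcp_rules() {
    net=$1
    # Shape check: dotted-quad address with an optional /0-32 prefix.
    printf '%s\n' "$net" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || {
        echo "usage: xdmcp_rules a.b.c.d[/prefix]" >&2
        return 1
    }
    # "Any host" would recreate the open port-177 hole of the ipchains rules.
    case $net in
        0.0.0.0*|*/0) echo "refusing to trust every host: $net" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -A INPUT  -p udp -s $net --dport 177 -j ACCEPT
iptables -A INPUT  -p udp --dport 177 -j REJECT
iptables -A INPUT  -p tcp -s $net --dport 7100 -j ACCEPT
iptables -A INPUT  -p tcp --dport 7100 -j REJECT
iptables -A OUTPUT -p tcp -d $net --dport 6000:6005 -j ACCEPT
EOF
}

# Constructed sample network; review the printed rules before running them
# as root.
xdmcp_rules 192.168.1.0/24
```

The -A option appends to the end of a chain, so on a host whose INPUT chain already ends in a catch-all REJECT these rules have to be placed ahead of it.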
   

-----------------------------------------------------------------------------
2.6. Steps to Complete the Procedures

Although X can use local fonts, it is better to use the xfs font server in a
networked environment. In a Linux X environment, you need to provide fonts
using either the X font server (xfs) or a hard-coded font path in the
XF86Config and XF86Config-4 configuration files. If you plan to use the xfs
font server, check here to see the
[http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-x-fonts.html]
xfs advantages. The xfs server can also offload the burden from your local
workstations. If you plan to use local fonts, you can skip step 1.

These are the steps I used to set up the X Server for accepting XDMCP
requests:

 1. In earlier versions of RH and Mandrake, modify /etc/rc.d/init.d/xfs and
    make the following changes. Change all such lines (this is where the Font
    Server port is set), if the port is not set to 7100.
    +---------------------------------------------------------------+
    |daemon xfs -droppriv -daemon -port -1                          |
    +---------------------------------------------------------------+
   
    to:
    +---------------------------------------------------------------+
    |daemon xfs -droppriv -daemon -port 7100                        |
    +---------------------------------------------------------------+
   
    In some new distributions, xfs by default no longer listens on a TCP
    port, as a security enhancement! If you would like to set up the X font
    server, you need to do the following steps:
   
    Change this line in /etc/rc.d/init.d/xfs (or in /etc/init.d/xfs for some
    dists):
    +---------------------------------------------------------------+
    |daemon xfs -droppriv -daemon                                   |
    +---------------------------------------------------------------+
   
    to:
    +---------------------------------------------------------------+
    |daemon xfs -droppriv -daemon -port 7100                        |
    +---------------------------------------------------------------+
   
    In Ubuntu 7.04 Desktop version, you need to download and install the xfs
    package. Then modify /etc/init.d/xfs and change the following line:
    +---------------------------------------------------------------+
    |start-stop-daemon --start --quiet $SSD_START_ARGS -- -daemon \ |
    +---------------------------------------------------------------+
   
    to:
    +-----------------------------------------------------------------------------------+
    |start-stop-daemon --start --quiet $SSD_START_ARGS -- -droppriv -daemon -port 7100 \|
    +-----------------------------------------------------------------------------------+
   
    Then, in /etc/X11/fs/config, comment out this line:
    +---------------------------------------------------------------+
    |# don't listen to TCP ports by default for security reasons    |
    |#no-listen = tcp                                               |
    |                                                               |
    +---------------------------------------------------------------+
   
    If you change or add the port, use this command to restart your X font
    server (requires root):
    +---------------------------------------------------------------+
    |service xfs restart                                            |
    +---------------------------------------------------------------+
   
    You do not have to use port 7100. You can set a different port, as long
    as you carefully plan it first to make sure there are no conflicts in
    using the port number, and change it accordingly. It is better to consult
    your Linux admin before doing so, so that he/she knows the port has been
    taken! Different Linux distributions may put xfs in a different folder
    under /etc/rc.d. You may search for it if that's the case.
   
 2. If you plan to use XDM, modify /etc/X11/xdm/xdm-config and make the
    following change. By default (in most Linux distributions), this line is
    set so that xdm does not listen for XDMCP connections. This is for
    security reasons. For Caldera and other dists that use kdm, this file is
    at /etc/X11/kdm. Find this line:
    +---------------------------------------------------------------+
    |DisplayManager.requestPort:     0                              |
    +---------------------------------------------------------------+
   
    and comment it out as:
    +---------------------------------------------------------------+
    |! DisplayManager.requestPort:     0                            |
    +---------------------------------------------------------------+
   
    Remember, this does not affect gdm. The gdm setup is in the following
    section.
   
 3. In /etc/X11/xdm/Xaccess, change the following line (this allows all hosts
    to connect). For Caldera using kdm, this file is at /etc/X11/kdm. Set the
    file permissions to 644 (chmod 644):
    +---------------------------------------------------------------+
    |#*    # any host can get a login window                        |
    +---------------------------------------------------------------+
   
    to:
    +---------------------------------------------------------------+
    |*     # any host can get a login window                        |
    +---------------------------------------------------------------+
   
    The above setup is in Broadcast mode, which will list all the X Servers
    that are listening and willing to manage your X connection. If you only
    want to allow certain connections, use the CHOOSER section in this same
    file. An example can be found in the [#REFS] Resources.
   
 4. If you plan to use GDM as the default, one benefit of the gdm login
    window is that it allows you to switch between KDE and GNOME. For gdm,
    edit /etc/X11/gdm/gdm.conf. This activates XDMCP, causing it to listen
    for requests. For kdm (if you pick KDE as your DM in your installation),
    edit /usr/share/config/kdm/kdmrc for Mandrake and /etc/kde/kdm/kdmrc for
    Red Hat or /opt/kde2/share/config/kdm/kdmrc for Slackware version (KDE2).
    Change this line:
    +---------------------------------------------------------------+
    |[xdmcp]                                                        |
    |Enable=false (may be shown as 0 in some distributions)         |
    +---------------------------------------------------------------+
   
    to:
    +---------------------------------------------------------------+
    |Enable=true (or 1 in some distributions)                       |
    +---------------------------------------------------------------+
   
    Make sure "Port=177" is active at the end of this block, i.e., remove the
    leading "#" from the line "#Port=177".
   
    (As a side note for Ubuntu users who care only about ease of use, this is
    what you can do (just turn on XDMCP w/o xfs). From the "System" menu, go
    to "Administration" and then "Login Window" (alternatively, you can use
    the "sudo gdmsetup" command). Click the "Remote" tab and in "Style",
    select "Same as Local". Then click the bottom "Configure XDMCP" button to
    verify the setup. If you choose "Remote login disabled" in style, it will
    disable XDMCP. Additional setup is in the "Security" tab and the lower
    "Configure X Server..." button, where you select "Chooser" in Server. You
    must restart gdm to enable it! Doing this is quick and simple, but you
    lose the sense of what files are being touched and changed! Ease of use
    or controllability is your choice here!)
   
 5. (For Ubuntu and new Debian see notes below) Now edit /etc/inittab and
    change the following line. The digit here is the default runlevel. For X,
    the runlevel should be "5".
    +---------------------------------------------------------------+
    |id:3:initdefault:                                              |
    +---------------------------------------------------------------+
   
    to:
    +---------------------------------------------------------------+
    |id:5:initdefault:                                              |
    +---------------------------------------------------------------+
   
    In Slackware, the X11 mode is number "4", not "5". Refer to this [http://
    en.wikipedia.org/wiki/Runlevel] runlevel wiki page for different dists'
    definition.
   
    This is switching from Text Mode login to Graphical Mode using Display
    Manager. Before changing this line, you can use the telinit command to
    test prior to modifying the line. Use either telinit 3 to set to level 3,
    or telinit 5 to set to level 5, graphics mode (you can issue this command
    on the second machine that telnets into this server).
   
    Runlevels 2-5 are the same in Debian and Ubuntu. Since Ubuntu 6.10 (and
    future Debian), the way to start the runlevel was changed from the init
    daemon to the [http://upstart.ubuntu.com] Upstart, with which the tasks
    and services are managed by events. Each runlevel is defined by the files
    in the system in the format of /etc/rcx.d, where the "x" represent. Each
    event is triggered (or changed) by issuing the telinit 3 command.
   
 6. Make sure the permissions of the file /etc/X11/xdm/Xservers are set to
    444 (chmod 444).
   
 7. Locate /etc/X11/xdm/Xsetup_0 and chmod 755 this file.
   
 8. Edit the xorg.conf file in the /etc/X11 folder and change the line (for
    older version, it is either XF86Config or the XF86Config-4 file for
    XFree86 4.x):
    +---------------------------------------------------------------+
    |FontPath    "unix/:-1"                                         |
    +---------------------------------------------------------------+
   
    to:
    +---------------------------------------------------------------+
    |FontPath    "unix/:7100"                                       |
    +---------------------------------------------------------------+
   
    If you decide to use the port number other than the usual 7100, be sure
    to change both in "/etc/rc.d/init.d/xfs" (or in "/etc/init.d/xfs") file
    and here!
   
    To save time and energy, I recommend that you add the FontPath to the
    xorg.conf (or XF86Config and/or XF86Config-4) configuration files. If you
    are not sure what fonts are available to you, you can use this command to
    check (requires root):
    +---------------------------------------------------------------+
    |chkfontpath --list                                             |
    +---------------------------------------------------------------+
   
    The following are some example font paths for your reference. Make sure
    you have these fonts before editing these paths.
    +---------------------------------------------------------------+
    |         FontPath  "/usr/X11R6/lib/X11/fonts/75dpi/"           |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/misc/"            |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/CID/"             |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/Speedo/"          |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/100dpi/"          |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/Type1/"           |
    |                                                               |
    +---------------------------------------------------------------+
   
    If you don't have the chkfontpath command and you are using local fonts,
    you can simply edit the file "/etc/X11/fs/config". Find the line that
    starts with "catalogue =", and add your directory at the end of the list,
    separated by a comma. An example looks like this:
    +---------------------------------------------------------------+
    |     catalogue = /usr/X11R6/lib/X11/fonts/misc:unscaled,       |
    |                 /usr/X11R6/lib/X11/fonts/100dpi:unscaled,     |
    |                 /usr/X11R6/lib/X11/fonts/100dpi,              |
    |                 /usr/X11R6/lib/X11/fonts/75dpi                |
    |                                                               |
    +---------------------------------------------------------------+
   
 9. (You do not have to make this change. You can keep the default setting,
    but this is what I prefer. If you are not sure, leave this alone.) Change
    this line at the end of /etc/inittab:
    +---------------------------------------------------------------+
    |x:5:respawn:/usr/bin/gdm                                       |
    +---------------------------------------------------------------+
   
    If you decide not to change this line, that is fine! This is not a
    required step, but a personal preference! There is no need to do this in
    Ubuntu and newer Debian dists.
   

You are now ready to run a test.

One other thing to know (that some users have asked about) is how to display
the "Willing to manage" message with load info. As far as I know, this is
available in xdm by adding the following to /etc/X11/xdm/xdm-config:
+---------------------------------------------------------------------------+
|DisplayManager.willing:  su nobody -c /etc/X11/xdm/Xwilling                |
+---------------------------------------------------------------------------+
and the Xwilling script must exist. For gdm, add this line to
/etc/X11/gdm/gdm.conf in the [security] section:
+---------------------------------------------------------------------------+
|Willing=/etc/X11/gdm/Xwilling                                              |
+---------------------------------------------------------------------------+

A sample [http://www.penguinlovers.net/linux/xwilling.html] Xwilling script
is here for your reference. Adding this script or not is your preference. It
is not a required step here!
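
A read-only check of what steps 1 to 4 of this section have opened, as an added example that is not part of the original HOWTO: it reads the four configuration files and reports whether xdm, Xaccess, gdm/kdm and xfs are now reachable from the network. The function names and the sample file contents in demo are constructed for illustration; run the script with --live to check the real paths named in this section.

```shell
#!/bin/sh
# Added example (not from the HOWTO): read-only audit of the files edited in
# steps 1-4. Every check returns 0 = exposed, 1 = closed, 2 = file unreadable.

# xdm/kdm: XDMCP stays off only while an active "requestPort: 0" line exists;
# a line starting with "!" is a comment, so xdm falls back to UDP port 177.
xdm_xdmcp_on() {
    [ -r "$1" ] || return 2
    ! grep -Eq '^[[:space:]]*DisplayManager[.*]requestPort:[[:space:]]*0[[:space:]]*$' "$1"
}

# Xaccess: an active line holding only "*" gives any host a login window.
xaccess_any_host() {
    [ -r "$1" ] || return 2
    grep -Eq '^[[:space:]]*\*[[:space:]]*(#.*)?$' "$1"
}

# gdm.conf / kdmrc: Enable=true (or 1), counted inside the [xdmcp] section only.
ini_xdmcp_on() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*\[/ { in_sec = (tolower($0) ~ /^[ \t]*\[xdmcp\]/); next }
        in_sec && /^[ \t]*Enable[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t].*$/, "", v)
            on = (tolower(v) == "true" || v == "1")
        }
        END { exit (on ? 0 : 1) }
    ' "$1"
}

# xfs: TCP stays closed only while an active "no-listen = tcp" line exists.
xfs_tcp_on() {
    [ -r "$1" ] || return 2
    ! grep -Eq '^[[:space:]]*no-listen[[:space:]]*=[[:space:]]*tcp' "$1"
}

# report LABEL FILE CHECK MESSAGE: run one check and print one result line.
report() {
    rc=0
    "$3" "$2" || rc=$?
    case $rc in
        0) echo "EXPOSED  $1: $4" ;;
        1) echo "ok       $1" ;;
        *) echo "skipped  $1: cannot read $2" ;;
    esac
}

# audit_xdmcp XDM_CONFIG XACCESS GDM_OR_KDM_CONF XFS_CONFIG
audit_xdmcp() {
    report "xdm-config" "$1" xdm_xdmcp_on     "XDMCP request port is open (UDP 177)"
    report "Xaccess"    "$2" xaccess_any_host "'*' lets any host get a login window"
    report "gdm/kdm"    "$3" ini_xdmcp_on     "[xdmcp] Enable is switched on"
    report "xfs config" "$4" xfs_tcp_on       "font server accepts TCP connections"
}

# Constructed sample files: the state after following steps 1-4 literally.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '! DisplayManager.requestPort:     0' > "$d/xdm-config"
    printf '%s\n' '*     # any host can get a login window' > "$d/Xaccess"
    printf '%s\n' '[xdmcp]' 'Enable=true' 'Port=177' > "$d/gdm.conf"
    printf '%s\n' '#no-listen = tcp' > "$d/fs-config"
    audit_xdmcp "$d/xdm-config" "$d/Xaccess" "$d/gdm.conf" "$d/fs-config"
    rm -rf "$d"
}

if [ "${1:-}" = "--live" ]; then
    audit_xdmcp /etc/X11/xdm/xdm-config /etc/X11/xdm/Xaccess \
                /etc/X11/gdm/gdm.conf /etc/X11/fs/config
else
    demo
fi
```

Every EXPOSED line is a listener that the firewall rules from section 2.5 then have to restrict to the trusted workstations.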
-----------------------------------------------------------------------------

2.7. Testing

To test if your XDMCP with X Server is ready to accept connection(s), do
these steps. I find it easier to use the X Server and another machine to test
it:

 1. (Re-)Start your X (which is in runlevel 5, or runlevel 2 in Ubuntu). If
    you are not sure how to do this, simply reboot your system (but this is
    really not necessary if you know how to restart it using the command
    line. That's the beauty of Linux, when comparing it to MS Windows).
   
 2. If you have not modified your firewall rules, you need to temporarily
    disable the firewall by using iptables -F (or ipchains -F).
   
 3. Make sure the graphical login page comes up. Make sure the display
    resolution and mouse work. Log in from the console to see if the local
    access is OK. If OK, do not log off.
   
 4. Set up Hummingbird Exceed (or other X Client software) to either query
    this machine (using the IP address or fully qualified DNS name) or to
    use XDMCP-Broadcast, and try to connect to the X Server. You should see
    the X Session come up and the login screen appear.
   

-----------------------------------------------------------------------------
3. X11 Forwarding using SSH

As I have explained earlier, using XDMCP to display X across the Internet is
basically a no-no, due to its lack of encryption. One way to secure the
traffic is to use SSH with X11 tunnelling or port forwarding. SSH (Secure
Shell) was developed in 1995 by Tatu Ylonen to replace the insecure telnet,
ftp, scp, rcp, rlogin, rsh, etc. The first thing you need to know is that
X11 forwarding using SSH is different from your regular, non-secure way of
running X Window.

To start this setup, you need a few additional pieces. First, you must have
your SSH package installed. On Linux, these are the OpenSSH packages. Check
your distribution to decide which package you need to install (some install
it as a standard package). Secondly, you need a Windows SSH client (versions
for other OSes, such as Mac, are also available). I recommend PuTTY. It is a
wonderful free SSH client and you can download it from
[http://www.chiark.greenend.org.uk/~sgtatham/putty/] this link. Remember to
download the documentation and read it carefully. Other good free SSH
clients are: Tera Term Pro + TTSSH: An SSH Extension to Tera Term, and SSH
Secure Shell Client by SSH.com (only free for non-commercial use). I will
again break this down into steps, so it is easy for you to follow.

 1. Start putty.exe by double-clicking it. This brings up the interface.
    First, enter the connection info in the Host Name (or IP address) field
    and select SSH (SSH uses port 22). In the Category tree, find
    Connection, expand SSH, and open the Tunnels panel. Click "Enable X11
    forwarding". The X display location defaults to "localhost:0". Now, go
    back to Session and save this session with a name you like. I normally
    use the Host Name so that I can easily remember where I am connecting to.
   
 2. In the example of Hummingbird Exceed, this is what you need to do. (For
    other X clients, the setup is similar). Open up Xconfig from your
    Exceed folder. In your "Screen Definition", change to "Multiple" Window
    mode and save it. Next, open up your "Communication" icon and set the
    Startup mode to "Passive".
   
 3. Now you are done. To test it, first use PuTTY (or another SSH client) to
    connect to your server. On the first connection, it will ask whether you
    want to cache the Security Key or not. (Yes is the normal choice). Once
    you are logged in, fire up Exceed. It will stay in the background. Now
    you can run any of your X applications and SSH should forward them to
    your local screen. For example:
    +---------------------------------------------------------------+
    |$ xclock &                                                     |
    +---------------------------------------------------------------+
   
    You should now see xclock running on your local screen.
   

The difference, as you can see, is that you do not get your whole X Window
desktop. You are simply running X applications one by one and forwarding
them via SSH to your local screen. Therefore, you need to know the command
for running each X application. All control is done via the SSH client
window. To me, the security is worth the slight inconvenience!
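
Before starting an X application in the SSH session, you can confirm that it
will really go through the tunnel by looking at DISPLAY. The function below is
an added example, not part of the original HOWTO; the name classify_display is
made up here, and it assumes OpenSSH's defaults (X11UseLocalhost yes,
X11DisplayOffset 10), under which a forwarded display looks like
localhost:10.0.

```shell
#!/bin/sh
# classify_display VALUE
# Prints one of:
#   ssh-tunnel        loopback host, display >= 10: sshd's X11 proxy
#   local             no host part (or "unix"): local socket, never on the wire
#   loopback-tcp      loopback host, display < 10: a local X server over TCP
#   cleartext-remote  any other host: plain X11 over TCP, unencrypted
#   invalid           not a DISPLAY value
classify_display() {
    d=$1
    case $d in
        *:*) ;;
        *) echo invalid; return 1 ;;
    esac
    host=${d%:*}            # text before the last colon
    num=${d##*:}            # "10.0" or "10"
    num=${num%%.*}          # drop the screen number
    case $num in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    case $host in
        ''|unix)
            echo local ;;
        localhost|127.0.0.1)
            if [ "$num" -ge 10 ]; then
                echo ssh-tunnel
            else
                echo loopback-tcp
            fi ;;
        *)
            echo cleartext-remote ;;
    esac
}

# Typical use inside the SSH session, before running xclock:
#   [ "$(classify_display "$DISPLAY")" = ssh-tunnel ] ||
#       echo "DISPLAY=$DISPLAY is not tunnelled" >&2
```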

Newer versions of Hummingbird Exceed now support SSH connections. I am sure
other X applications may be able to do the same in their latest versions.
Check the web site of the application you are using or the [#REFS] Resources
below for more details.

If you are using X-Win32 and you want to use
[http://www.starnet.com/products/ssh.htm] SSH with Port Forwarding, you can
use this reference to set it up.
-----------------------------------------------------------------------------

4. Troubleshooting

  * If X cannot come up and is broken:
   
    If X is broken and the connection fails, most of the time you will see
    these error messages:
    +----------------------------------------------------------------+
    |       _ FontTransSocketUNIXConnect: Can't connect: errno = 111 |
    |       failed to set default font path 'unix:-1'                |
    |       Fatal server error:                                      |
    |       could not open default font 'fixed'                      |
    |                                                                |
    +----------------------------------------------------------------+
   
    This is likely because xfs cannot find the correct port for the Font
    Server, or because the font path is not set correctly. To resolve this,
    check steps 1 and 8 above. Make sure the configuration points to port
    7100 and make sure you have the following fonts installed (if not,
    re-install the XFree86 font packages from your CD). Check the listing in
    the XF86Config file (if you are using XFree86 4.x, the file is
    XF86Config-4, and xorg.conf in newer X11 versions) in /etc/X11:
    +---------------------------------------------------------------+
    |         FontPath  "/usr/X11R6/lib/X11/fonts/75dpi/"           |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/misc/"            |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/CID/"             |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/Speedo/"          |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/100dpi/"          |
    |         FontPath  "/usr/X11R6/lib/X11/fonts/Type1/"           |
    |                                                               |
    +---------------------------------------------------------------+
   
    Use the command startx (locally) to restart the X server (or use telinit
    5 to switch the runlevel). To restart xfs, use the command in step 1.
   
    I found out on my RH 7.3 that if my xfs is not set up, it will crash the
    Exceed connection if I use GNOME. (Using KDE is fine and it does not
    affect my Mandrake GNOME). After I fix it and start up my xfs, it works
    fine.
   
  * If Exceed does not respond (blank screen):
   
    In this case, most likely your xdm (or gdm, depending upon which is used
    in /etc/inittab) is not starting correctly. Issue the command: ps -ef |
    grep gdm (or xdm or kdm, replace it in the command). Also, if your box
    has udp port turned on for XDMCP, you can type netstat -l | grep xdmcp
    and you should see this:
    +---------------------------------------------------------------+
    |udp    0    0  *:xdmcp          *:*                            |
    +---------------------------------------------------------------+
   
    If the process is not running, check the setup steps above (make sure
    there are no typos and that the correct path is given). Restart X using
    the command telinit 5. If the udp port is not there for XDMCP, do step 2
    as above.
   
    Other possibilities are that your DNS setup is incorrect and/or the
    firewall is enabled. An easy way to find out is to ping or telnet to your
    host: if the reply takes a long time, that is a DNS problem. If telnet
    gives you "Connection Refused", then it is a firewall problem (assuming
    that you already have your telnet daemon turned on)! Check the section
    above for details on how to resolve this.
   
  * PC Box with PPPoE (PPP over Ethernet):
   
    A user using PPPoE told me that if you have PPPoE, you might experience
    problems using XDMCP. After uninstalling it, he was able to get XDMCP
    working. I personally do not have the environment to test this, so you
    can test it yourself.
   
  * Linux to Linux Display export:
   
    If you are using another Linux box with X, you do not need to use XDMCP
    to manage your display. You can export your display directly from your
    X box. To do this, you must change your access control to allow others to
    connect to the X Server. The common errors you will get without doing so
    are:
    +----------------------------------------------------------------------------+
    |       xlib: Connection refused (error 111): unable to connect to X server  |
    |       xlib: No such process (error 3): Server error                        |
    +----------------------------------------------------------------------------+
   
    To resolve the problem, use the command below:
    +---------------------------------------------------------------+
    |         $ xhost +                                             |
    |         $ export DISPLAY=(your local host IP):0.0             |
    |                                                               |
    +---------------------------------------------------------------+
   
    "xhost +" turns access control off, so always remember to enable it
    again with the command "xhost -" when you are done. Note that you do not
    need any of this if you are using a PC as an X-Terminal with XDMCP. It is
    only required for Linux to Linux or Linux to UNIX connections.
   
    If you are using many Linux X boxes and you would like to set up the
    Chooser to pick which X host to log in to, you need to enable the
    following in /etc/X11/gdm/gdm.conf:
    +------------------------------------------------------------------------------------+
    |        [daemon]                                                                    |
    |        Chooser=/usr/bin/gdmchooser --disable-sound --disable-crash-dialog          |
    |        ...                                                                         |
    |        [xdmcp]                                                                     |
    |        Enable=1                                                                    |
    |        HonorIndirect=1                                                             |
    +------------------------------------------------------------------------------------+
   
  * I got a "Signal 11" error:
   
    The "Signal 11" error, also called "Segmentation Fault", can sometimes be
    a problem of your hardware and/or software. If you have this problem when
    bringing up the X Server, you need to fix it before configuring XDMCP.
    Unfortunately, there is no simple way to fix the problem due to the many
    possible causes. For details, please check
    [http://www.bitwizard.nl/sig11/] SIG 11 while compiling the Kernel.
   

-----------------------------------------------------------------------------
5. XDMCP and GDM (Gnome Display Manager)

The following is taken from the
[http://www.gnome.org/projects/gdm/docs/2.14/gdm.html] Gnome Display Manager
Reference Manual:

GDM also supports the X Display Manager Protocol (XDMCP) for managing remote
displays. GDM listens to UDP port 177 and will respond to QUERY and
BROADCAST_QUERY requests by sending a WILLING packet to the originator. GDM
can also be configured to honor INDIRECT queries and present a host chooser
to the remote display. GDM will remember the user's choice and forward
subsequent requests to the chosen manager. GDM only supports the
MIT-MAGIC-COOKIE-1 authentication system. Little is gained from the other
schemes, and no effort has been made to implement them so far. Since it is
fairly easy to do denial of service attacks on the XDMCP service, GDM
incorporates a few features to guard against attacks. Please read the XDMCP
reference section below for more information.

Even though GDM tries to outsmart potential attackers, it is still advised
that you block UDP port 177 on your firewall unless you really need it. GDM
guards against DoS attacks, but the X protocol is still inherently insecure
and should only be used in controlled environments. Even though your display
is protected by cookies the XEvents and thus the keystrokes typed when
entering passwords will still go over the wire in clear text. It is trivial
to capture these. You should also be aware that cookies, if placed on an NFS
mounted directory, are prone to eavesdropping too.
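
To check a host against the advice quoted above, the following added example
(not from the GDM manual or from this HOWTO) reads netstat -ln output and
reports XDMCP (UDP 177) and X11 (TCP 6000 to 6063) listeners, marking those
bound to all interfaces. The function names, the label strings and the sample
lines are constructed for this example.

```shell
#!/bin/sh
# xdmcp_exposure: read `netstat -ln` (or `netstat -l`) output on stdin and
# print one line per XDMCP or X11 listener:
#   <service> <local-address> <all-interfaces|specific-address>
xdmcp_exposure() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = "specific-address"
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "all-interfaces"

        if ($1 ~ /^udp/ && (port == "177" || port == "xdmcp"))
            print "xdmcp", $4, scope
        else if ($1 ~ /^tcp/ && $NF == "LISTEN" &&
                 (port ~ /^x11(-[0-9]+)?$/ ||
                  (port ~ /^[0-9]+$/ && port + 0 >= 6000 && port + 0 <= 6063)))
            print "x11", $4, scope
    }'
}

# Constructed sample of `netstat -ln` output (not captured from a real host).
# 127.0.0.1:6010 is what an SSH-forwarded display (localhost:10) looks like.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp6       0      0 :::6000                 :::*                    LISTEN
udp        0      0 0.0.0.0:177             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Count the listeners reachable on every interface; these are the ones the
# firewall has to cover.
exposed_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | xdmcp_exposure | grep -c 'all-interfaces$'
}

# On a real host:  netstat -ln | xdmcp_exposure
```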
-----------------------------------------------------------------------------

6. Additional References

Some additional references on this subject include:

  * Your local xdm man page.
   
  * Your local gdm man page.
   
  * [http://en.wikipedia.org/wiki/X_display_manager] X Display Manager
    Wikipedia
   
  * [http://www.gnome.org/projects/gdm/docs/2.18/security.html] GDM and XDMCP
    Security
   
  * [www.gnome.org/projects/gdm/docs/gdmtalk.pdf] Using and Managing GDM
   
  * [http://www.linuxjournal.com/article/4720] Configuring XDM (from Linux
    Journal)
   
  * [http://www.me.umn.edu/~kaszeta/unix/xterminal/config.html] Configuring
    Chooser through X Resources
   
  * [http://cvs.freedesktop.org/*checkout*/xorg/xc/doc/hardcopy/XDMCP/xdmcp.PS.gz]
    XDMCP Documentation (Compressed PostScript file download)
   
  * [http://www-uxsup.csx.cam.ac.uk/security/probing/about/xdmcp.html] Should
    you be running XDMCP?
   
  * [http://www.itworld.com/Net/4158/lw-09-legacy_1/] Accessing Xterms from
    Windows
   
  * [http://www.umanitoba.ca/campus/acn/support/xwin/xwininst.html] How to
    install X-Win32
   
  * [http://www.rru.com/~meo/pubsntalks/xrj/xdm.html] Taming the X Display
    Manager
   
  * [http://www.ox.compsoc.net/~steve/portforwarding.html] Why Port
    Forwarding?;
    [http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Port_Forwarding.html]
    Port Forwarding;
    [http://www.csociety.org/~sigos/projects/ssh/forwarding/] Secure
    forwarding of services with SSH
   
  * [http://www.uic.edu/depts/accc/software/exceed/sshexceed.html] Using
    Exceed X Server with SSH X11 Tunneling
   
  * [http://dragonwall.net/xdeep-putty.html] X11 Forwarding over SSH using
    X-Deep/32 and PuTTY
   
  * [http://www.gnome.org/projects/gdm/] GNOME Display Manager
   
  * [http://linux.sys-con.com/read/32837.htm] 10 minutes to an iptables-base
    Linux firewall; [http://www.onlamp.com/linux/cmd/i/iptables.html]
    iptables command introduction
   
  * [http://cc.uoregon.edu/cnews/summer2002/xonx.html] Running X Window on
    MAC
   
  * [http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html]
    Securing Services on your system (Debian)
   
  * [http://www.owlriver.com/tips/gdm-setup/remotexkdm.html] Remote X using
    KDM (Caldera)
   
  * [http://gentoo-wiki.com/HOWTO_XDMCP] HOWTO XDMCP in Gentoo Linux wiki
    page
   

-----------------------------------------------------------------------------
7. Authors

Current: Thomas Chao, Alcatel-Lucent. <tomchao@alcatel-lucent.com>
-----------------------------------------------------------------------------

8. Copyright Information

This document is copyrighted (c) 2000 - 2007 Thomas Chao and is distributed
under the terms of the Linux Documentation Project (LDP) license, stated
below.

Unless otherwise stated, Linux HOWTO documents are copyrighted by their
respective authors. Linux HOWTO documents may be reproduced and distributed
in whole or in part, in any medium physical or electronic, as long as this
copyright notice is retained on all copies. Commercial redistribution is
allowed and encouraged; however, the author would like to be notified of any
such distributions.

All translations, derivative works, or aggregate works incorporating any
Linux HOWTO documents must be covered under this copyright notice. That is,
you may not produce a derivative work from a HOWTO and impose additional
restrictions on its distribution. Exceptions to these rules may be granted
under certain conditions; please contact the Linux HOWTO coordinator at the
address given below.

In short, we wish to promote dissemination of this information through as
many channels as possible. However, we do wish to retain copyright on the
HOWTO documents, and would like to be notified of any plans to redistribute
the HOWTOs.

If you have any questions, please contact <linux-howto@metalab.unc.edu>