Subject: Re: Can I set up a NetBSD-box to work as an X-terminal?
To: Bernd Sieker <bsieker@freenet.de>
From: Frederick Bruckman <fredb@immanent.net>
List: port-mac68k
Date: 11/23/2002 10:05:52

On Sat, 23 Nov 2002, Bernd Sieker wrote:

> Actually there are two lines, both slightly different, that need to be
> uncommented:
>
>   *		# any host can get a login window
>
> and:
>
>   *	CHOOSER BROADCAST  # any indirect host can get a chooser

Yes, I forgot that.

> > Xserver manually on the designated X server, as ``X -indirect
> > xdm_host_name &''. Then authorize the "xdm" host to connect, via
> > ``xhost +xdm_host_name''. The chooser window should appear shortly.
>   ^^^^^^^^^^^^^^^^^^^^^^^^
>
> _NEVER_ do that! Allowing a complete host unrestricted access is
> a gaping security hole. Anyone on that host could open a Window on
> the X-Terminal's display, and try all sorts of login-spoofing, etc.
> Never, ever use xhost. Besides, in this setup, it's unnecessary.
>
> You also need to comment out the line in <XRoot>/lib/X11/xdm/xdm-config
> that says "DisplayManager.requestPort:   0". Use a "!" for comments in
> xdm config files.

Have you tried this with the NetBSD/mac68k Xserver? I use keys and all
that for my other hosts, but the mac68k Xserver doesn't know DES, so I
had to use "xhost" anyway. If you have a firewall, it's not a big
deal, and if you don't have a firewall, you shouldn't run X anyhow.

> I have almost all my systems configured to work as X-Terminals, so I can
> cross-login from any to any other host.

Me too!

>   ttyE4   "/usr/X11R6/bin/X -terminate -indirect boa" unknown on secure
>
> Where boa is the xdm server on which you wish to run the session.
> It then sends an xdmcp broadcast and displays a chooser window on
> the X-Terminal's Xserver showing all hosts that are willing to
> manage a session.
>
> Warning! Only do this if you're certain that either this really
> works[tm], or you have a working network connection with sshd
> running. Otherwise init will try to restart the server over and
> over, and you won't be able to login at all. On a slow machine it
> might not even think that it was "respawning too fast" and disable
> it for a minute or so.

That's a big drawback. I just start it from a script on boot-up, and
if the server messes up, I usually reboot the whole server. I reboot
about once a month, in any case.

Frederick
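
As an added example (not part of either poster's message), a shell audit of the three settings debated in this thread: wildcard Xaccess entries, the requestPort line in xdm-config, and host-wide xhost grants. The function names, file names and sample contents are constructed, and the xhost listing format is an assumption.

```sh
#!/bin/sh
# Added example: audit the xdm settings discussed in this thread.
# All sample file contents below are constructed for illustration.

# Report uncommented Xaccess entries whose host pattern is a bare "*".
xaccess_wildcards() {
    awk '{ sub(/#.*/, "") }
         $1 == "*" && $2 == "CHOOSER" { print NR ": chooser offered to any indirect host"; next }
         $1 == "*" { print NR ": login window offered to any host" }' "$1"
}

# Succeed if xdm will listen for XDMCP, i.e. there is no active
# "DisplayManager.requestPort: 0" line ("!" starts a comment in xdm-config).
xdmcp_listening() {
    ! grep -Eq '^[[:space:]]*DisplayManager[.*]requestPort:[[:space:]]*0[[:space:]]*$' "$1"
}

# Report host-wide grants in saved `xhost` output (assumed format: a status
# line, then one entry per line such as "INET:boa").
xhost_host_grants() {
    awk '/^access control disabled/ { print "access control disabled: any client may connect" }
         /^INET6?:/ { sub(/^INET6?:/, ""); print "every user on " $0 " may connect" }' "$1"
}

# Constructed sample inputs.
tmp=$(mktemp -d)
cat > "$tmp/Xaccess" <<'EOF'
# *                     # commented-out wildcard is ignored
*                       # any host can get a login window
*   CHOOSER BROADCAST   # any indirect host can get a chooser
EOF
printf '%s\n' '! DisplayManager.requestPort:   0' > "$tmp/xdm-config.open"
printf '%s\n' 'DisplayManager.requestPort:   0' > "$tmp/xdm-config.closed"
printf '%s\n' 'access control enabled, only authorized clients can connect' \
    'INET:boa' 'SI:localuser:fred' > "$tmp/xhost.out"

xaccess_wildcards "$tmp/Xaccess"
xdmcp_listening "$tmp/xdm-config.open" && echo "xdm-config.open: XDMCP listening"
xdmcp_listening "$tmp/xdm-config.closed" || echo "xdm-config.closed: XDMCP disabled"
xhost_host_grants "$tmp/xhost.out"
```

On a real host, point the functions at the Xaccess and xdm-config files under `<XRoot>/lib/X11/xdm/` and at the saved output of `xhost` run on the X terminal.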