Running From INIT

Though X will usually be run by dtlogin from init, it is possible to run X directly from init. For information about running X from dtlogin, see the dtlogin man page.

To run X directly from init, it is necessary to modify /etc/inittab and /etc/gettydefs. Detailed information on these files may be obtained from the inittab(4) and gettydefs(4) man pages.

To run X from init on display 0, with a login xterm running on /dev/ttypf, in init state 3, the following line must be added to /etc/inittab:

X0:3:respawn:env PATH=/bin:/usr/bin/X11:/usr/bin xinit -L ttyqf -- :0

To run X with a login hpterm, the following should be used instead:

X0:3:respawn:env PATH=/bin:/usr/bin/X11:/usr/bin xinit hpterm =+1+1 -n login -L ttyqf -- :0

In addition, the following line must be added to /etc/gettydefs (this should be a single line):

Xwindow# B9600 HUPCL PARENB CS7 # B9600 SANE PARENB CS7 ISTRIP IXANY TAB3 00#X login: #Xwindow

There should not be a getty running against the display whenever X is run from xinit.

Granting Access

The sample server implements a simplistic authorization protocol, MIT-MAGIC-COOKIE-1, which uses data private to authorized clients and the server. This is a rather trivial scheme; if the client passes authorization data which is the same as the server has, it is allowed access. This scheme is inferior to host-based access control mechanisms in environments with insecure networks, as it allows any host to connect, given that it has discovered the private key. But in many environments, this level of security is better than the host-based scheme, as it allows access control per-user instead of per-host.

In addition, the server provides support for a DES-based authorization scheme, XDM-AUTHORIZATION-1, which is more secure (given a secure key distribution mechanism), but as DES is not generally distributable, the implementation is missing routines to encrypt and decrypt the authorization data. This authorization scheme can be used in conjunction with XDMCP's authentication scheme, XDM-AUTHENTICATION-1, or in isolation.

The authorization data is passed to the server in a private file named with the -auth command line option. Each time the server is about to accept the first connection after a reset (or when the server is starting), it reads this file. If this file contains any authorization records, the local host is not automatically allowed access to the server, and only clients which send one of the authorization records contained in the file in the connection setup information will be allowed access. See the Xau manual


Graphics Administration Guide for HP-UX 10.20
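
An added example, not part of the original guide: a Python sketch that parses an authorization file in the Xau record layout (a 2-byte family followed by four length-prefixed fields: address, display number, name, data), checks that the file is private, and applies the accept rule described under Granting Access. The sample record, host name and cookie are constructed, and the constant-time comparison is a choice made here, not taken from the sample server.

```python
import hmac, os, stat, struct

def _field(buf, pos):
    """Read one counted field: 2-byte big-endian length, then that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated authorization record")
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated authorization record")
    return buf[pos + 2:end], end

def parse_auth_file(buf):
    """Parse every record: family, then address, display number, name, data."""
    records, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated authorization record")
        (family,) = struct.unpack_from(">H", buf, pos)
        fields, pos = [], pos + 2
        for _ in range(4):
            value, pos = _field(buf, pos)
            fields.append(value)
        address, number, name, data = fields
        records.append({"family": family, "address": address,
                        "display": number, "name": name, "data": data})
    return records

def is_private(path):
    """True when group and other have no permission bits on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def client_allowed(records, name, data):
    """Accept rule from the text: with no records the local-host default is
    left in place (None); otherwise the client must send a matching record."""
    if not records:
        return None
    # Constant-time compare is a hardening choice of this example.
    return any(r["name"] == name and hmac.compare_digest(r["data"], data)
               for r in records)

def build_record(family, address, number, name, data):
    """Serialize one record (used only to construct the sample below)."""
    out = struct.pack(">H", family)
    for f in (address, number, name, data):
        out += struct.pack(">H", len(f)) + f
    return out

# Constructed sample: family 256 (FamilyLocal), made-up host and cookie.
SAMPLE_COOKIE = bytes(range(16))
SAMPLE = build_record(256, b"examplehost", b"0", b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE)
```

Run `is_private()` against the path given to -auth before trusting its records; a file readable by group or other exposes the cookie to every user who can read it.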