This section describes how XDM access control works. The System Administrator's Guide describes how to configure the host and terminal for XDM access control.
The XDM access control mechanism ensures that only clients started by authorized users from authorized hosts can connect to a terminal.
Access control under XDM employs an authorization key known to the X server running on the user's terminal and to clients started by the user. The authorization key is generated by XDM, given to the X server, and placed in a file in the user's home directory (the .Xauthority file) each time the user logs in. XDM creates this file automatically.
When the user starts a client, the client obtains the authorization key by reading the user's .Xauthority file. Before connecting to the X server, clients must present the correct key.
NCDware uses the MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1 authorization methods:
Both authorization methods are enabled automatically. The XDM-AUTHORIZATION-1 method requires additional configuration steps; you put an encryption key for each terminal in a special file (xdm-keys) and enter the same key on the terminal. If a key is present in the file and entered on the terminal and you are using X11R5 or X11R6 XDM, XDM-AUTHORIZATION-1 is used as the authorization method. Otherwise, MIT-MAGIC-COOKIE-1 is used.
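To confirm which of the two methods XDM actually recorded for a terminal, you can read the user's key file directly. The following is an added example, not NCDware or XDM code: it parses the standard binary .Xauthority record layout (a 2-byte family, then four length-prefixed fields), reports the method stored per terminal, and flags a key file that other users can access. The addresses and all-zero keys in SAMPLE are constructed, and the function names are this example's own.

```python
import os, stat, struct

def _field(buf, pos):
    """Read one field: 2-byte big-endian length, then that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(buf):
    """Return (terminal, method, key_length) for each record in the file."""
    records, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family")
        (family,) = struct.unpack_from(">H", buf, pos)
        addr, pos = _field(buf, pos + 2)
        display, pos = _field(buf, pos)
        method, pos = _field(buf, pos)
        key, pos = _field(buf, pos)
        # Family 0 holds a 4-byte IPv4 address; other families hold a name.
        host = (".".join(map(str, addr)) if family == 0 and len(addr) == 4
                else addr.decode("ascii", "replace"))
        records.append((f"{host}:{display.decode('ascii', 'replace')}",
                        method.decode("ascii", "replace"), len(key)))
    return records

def audit(path=None):
    """Audit the file clients read: $XAUTHORITY if set, else ~/.Xauthority."""
    path = (path or os.environ.get("XAUTHORITY")
            or os.path.expanduser("~/.Xauthority"))
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("key file is accessible to group or other users")
    with open(path, "rb") as fh:
        for terminal, method, _ in parse_xauthority(fh.read()):
            findings.append(f"{terminal} uses {method}")
    return findings

def _record(addr, display, method, key):  # builds the constructed sample
    fields = (addr, display, method, key)
    return struct.pack(">H", 0) + b"".join(
        struct.pack(">H", len(f)) + f for f in fields)

# Constructed sample: two terminals with all-zero dummy keys.
SAMPLE = (_record(bytes([192, 0, 2, 10]), b"0", b"XDM-AUTHORIZATION-1", bytes(16))
          + _record(bytes([192, 0, 2, 11]), b"0", b"MIT-MAGIC-COOKIE-1", bytes(16)))
```

Calling audit() with no argument checks the file the current user's clients would read; a terminal that reports MIT-MAGIC-COOKIE-1 after you configured xdm-keys indicates the key on the host and the key on the terminal were not both in place.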
For XDM access control to be effective, you must make sure that X server access control is in effect and the list of hosts having access to the X server is empty. X server access control is described in the NCDware System Administrator's Guide for UNIX Systems.
If XDM Cannot Write to a User's Home Directory
If XDM is not permitted to write to the user's home directory on your network, you must specify a different directory for storing the .Xauthority file. To do this, set the userAuthDir resource in the xdm-config file to specify the alternate directory. For example:
This results in the creation of an .Xauthority file in the alternate directory, with the XAUTHORITY environment variable pointing to the alternate directory.