Chapter 1 Configuring Login Manager

The Login Manager is a server responsible for displaying a login screen, authenticating users, and starting a user session. The graphical login is an attractive alternative to the traditional character mode login for bitmap displays. Displays managed by the login server can be directly attached to the login server or attached to an X terminal or workstation on the network.

---

Note –

You must be a root user to start, stop, or customize the login server.

---

• Starting the Login Server

• Managing Local and Network Displays

• Checking for Errors

• Stopping the Login Server

• Changing the Login Screen Appearance

• Administering Login Manager

• Login Manager Files

The login server:

• Can display a login screen on bitmap displays unconditionally or by request on local and network bitmap displays

• Accommodates directly attached character console displays

• Can display a chooser screen that enables users to display login screens from other login servers on the network

• Allows controlled access to the login server

• Provides access to the traditional character-mode login

Displays managed by the Login Manager can be directly attached to the Login Manager server or attached to an X terminal or workstation on the network. For local displays, the login server will automatically start an X server and display a login screen. For network displays, such as X terminals, the login server supports the X Display Manager Protocol (XDMCP) 1.0, which allows displays to request that the login server display a login screen on the display.

Starting the Login Server

The login server is usually started when the system is booted. You can also start the login server from a command line.

• To set the login server to start when the system is booted, type /usr/dt/bin/dtconfig -e

  The login server will then start automatically when you reboot.

For more information about the desktop configuration utility, dtconfig, see Appendix A, dtconfig(1) Man Page. It provides a copy of the dtconfig.1 man page.

• To start the login server from a command line, type /usr/dt/bin/dtlogin -daemon; exit

---

Note –

Although starting the login server from the command line is available for temporary configuration testing, you should normally start the login server when the system is booted.

---

Managing Local and Network Displays

Figure 1-1 shows a possible login server configuration.

Figure 1–1 Possible login server configuration

Finding the Login Server Process ID

By default, the login server stores its process ID in /var/dt/Xpid.

To change this, you can set the Dtlogin.pidFile resource in the Xconfig file. If changed, the directory specified must exist when the login server is started.

To modify Xconfig, copy Xconfig from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xconfig, tell the login server to reread Xconfig by typing:

/usr/dt/bin/dtconfig -reset

This issues the command kill -HUP login_server_process_ID.

For example, to store the login server process ID in /var/myservers/Dtpid, set the following in the Xconfig file:

Dtlogin.pidFile: /var/myservers/Dtpid

When the login server is restarted, the login server will store its process ID in /var/myservers/Dtpid. The /var/myservers directory must exist when the login server is started.

Displaying a Login Screen on a Local Display

Upon startup, the login server checks the Xservers file to determine if an X server needs to be started and to determine if and how login screens should be displayed on local or network displays.

To modify Xservers, copy Xservers from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xservers, tell the login server to reread Xservers by typing:

/usr/dt/bin/dtconfig -reset

This issues the command kill -HUP login_server_process_ID

The format of an Xservers line is:

display_name display_class display_type X_server_command 

where

display_name—tells the login server the connection name to use when connecting to the X server (:0 in the following example). A value of * (asterisk) is expanded to host name:0. The number specified must match the number specified in the X_server_command connection number.

display_class—identifies resources specific to this display (Local in the following example).

display_type—tells the login server whether the display is local or a network display, and how to manage the Command Line Login option on the login screen (local@console in the following example).

X_server_command—identifies the command line, connection number, and other options the login server will use to start the X server (/usr/bin/X11/X: 0 in the following example). The connection number specified must match the number specified in the display_name.

The default Xservers line is similar to:

:0 Local local@console /usr/bin/X11/X :0 

Running the Login Server without a Local Display

If your login server system has no bitmap display, run the login server without a local display by commenting out the Xservers line for the local display using a # (pound sign). For example,

# :0 Local local@console /usr/bin/X11/X :0

When the login server starts, it runs in the background waiting for requests from network displays.

Accessing Command Line Login on a Local Display

When the user selects Command Line Login on the login screen, the login server temporarily terminates the X server, allowing access to the traditional command-line login running on the bitmap display terminal device. After the user has logged in and then out, or after a specified time-out, the login server will restart the X server.

---

Note –

The Command Line Login option is unavailable on network displays.

---

The display_type controls the behavior of Command Line Login. The format of display_type is:

• local@display_ terminal_device

• local

• foreign

When local@display_terminal_device is specified, the login server assumes that the X server and /dev/display_terminal_device are on the same physical device, and that a command line login (usually getty) is running on the device. When the user selects Command Line Login, the X server is terminated, allowing access to the running command-line login (getty) running on the /dev/display_terminal_device.

To disable the Command Line Login option on a display, specify none as the display_terminal_device. The default display_terminal_device is console. When local is specified, display_terminal_device defaults to console. When foreign is specified, Command Line Login is disabled.

---

Note –

The Command Line Login option will be disabled on the local display when the login server is started from the command line.

---

Accommodating a Character Display Console

If your login server system has a directly attached character display serving as a console, you may also want to set display_terminal_device to none to disable Command Line Login on the bitmap display login screen.

Alternatively, if a command-line login (getty) is running on both the character display console and the bitmap display, you can change display_terminal_device to the command line login (getty) device on the bitmap display.

For example, if the bitmap display command-line login (getty) is on device /dev/tty01, change the display_type to local@tty01.

Displaying a Login Screen on a Network Display

The login server can accept requests from network displays to display a login screen on that particular display. The network display is usually an X terminal but can also be a workstation.

To manage requests from network displays, the login server supports the X Display Manager Protocol (XDMCP) 1.0. This protocol enables the login server to negotiate and accept or reject requests from network displays. Most X terminals have XDMCP built in.

XDMCP Direct Requests from Network Displays

When you configure your X terminal to use XDMCP direct (query mode), you tell your X terminal the host name of the login server host. When the X terminal is booted, it automatically contacts the login server, and the login server displays a login screen on the X terminal. See your X terminal documentation for information describing how to configure your X terminal for XDMCP direct mode.

Most X servers also support the -query option. In this mode, your X server behaves as if it were an X terminal, contacting the login server host directly and requesting that it display a login screen on the X server. For example, starting the X server on a bitmap display on workstation bridget will have login server anita display a login screen on the X server:

X -query anita

XDMCP Indirect Requests from Network Display

When you configure your X terminal to use XDMCP indirect mode, you tell your X terminal the host name of the login server host. When the X terminal is booted, it will contact the login server, and the login server will present a list, through a chooser screen, of other login server hosts on the network. From this list, the user can select a host, and that host will display a login screen on the user's X terminal. See your X terminal documentation for information describing how to configure your X terminal for XDMCP indirect mode.

As with direct mode, most X servers support the -indirect option, which causes your X server to contact the login server in XDMCP indirect mode.

Managing Non-XDMCP Network Displays

Older X terminals may not support XDMCP. For the login server to display a login screen on this type of X terminal, list the X terminal name in the Xservers file.

Since the display is on the network, display_name includes the host name as part of the name. The display class can be used to specify resources specific to a particular class of X terminals. (Your X terminal documentation should tell you the display class of your X terminal.) The display_type of foreign tells the login server to connect to an existing X server rather than to start its own. In this case, an X_server_command is not specified.

Example

The following lines in the Xservers file direct the login server to display a login screen on two non-XDMCP X terminals, ruby and wolfie:

ruby.blackdog.com:0 AcmeXsta foreign 
wolfie:0 PandaCo foreign

Controlling Access to the Login Server

By default, any host on your network that has access to your login server host can request a login screen be displayed. You can limit access to the login server by modifying the Xaccess file.

To modify Xaccess, copy Xaccess from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xaccess, tell the login server to reread Xaccess by typing:

/usr/dt/bin/dtconfig -reset

This issues the command kill -HUP login server process ID.

XDMCP Direct

When a host attempts to connect to the login server via XDMCP-direct, the host name is compared to the Xaccess entries to determine whether the host is allowed access to the login server. Each Xaccess entry is a host name including the wildcards * (asterisk) and ? (question mark). An * (asterisk) matches zero or more characters and a ? (question mark) matches any one character. An ! (exclamation point) prefacing an entry disallows access, while no preface allows access.

For example, say Xaccess contains the following three entries:

amazon.waterloo.com
 *.dept5.waterloo.com
 !*

The first entry allows access to the login server from host amazon.waterloo.com, the second entry allows access from any host whose full domain name ends in dept5.waterloo.com, and the last entry disallows access from any other host.

XDMCP Indirect

When a host attempts to connect to the login server via XDMCP-indirect, the host name is compared to the Xaccess entries to determine whether the host is allowed access to the login server. Each Xaccess entry is similar to the XDMCP-direct entries, including wildcards, except that each entry is marked with a CHOOSER string. For example:

amazon.waterloo.com   CHOOSER BROADCAST
 *.dept5.waterloo.com  CHOOSER BROADCAST
 !*		CHOOSER BROADCAST

Again, the first entry allows access to the login server from host amazon.waterloo.com, the second entry allows access from any host whose full domain name ends in dept5.waterloo.com, and the last entry disallows access from any other host.

One of the following can be listed after the CHOOSER.

• BROADCAST

• list of host names

BROADCAST tells the login server to broadcast to the login server sub-network to generate a list of available login server hosts. A list of host names tells the login server to use that list for the list of available login hosts. For example:

amazon.waterloo.com   CHOOSER shoal.waterloo.com alum.waterloo.com
 *.dept5.waterloo.com  CHOOSER BROADCAST
 !*		CHOOSER BROADCAST

If amazon.waterloo.com connects via XDMCP-indirect, it will be presented a list containing shoal and alum. If alice.dept5.waterloo.com connects, it will be presented with a list of all available login server hosts on the login server sub-network. Other XDMCP-indirect requests will be denied.

An alternative to specifying a list of host names is to define one or more macros containing the list of host names. For example:

%list1			shoal.waterloo.com alum.waterloo.com
 amazon.waterloo.com  CHOOSER %list1

Checking for Errors

By default, the login server logs errors in the /var/dt/Xerrors file. To change this, you can set the Dtlogin.errorLogFile resource in the Xconfig file. The directory specified must exist when the login server is started.

For example, to have the login server log errors in the /var/mylogs/Dterrors file, set the following in the Xconfig file:

Dtlogin.errorLogFile: /var/mylogs/Dterrors

When the login server is restarted, the login server will log errors to the /var/mylogs/Dterrors file. The /var/mylogs directory must exist when the login server is started.

Stopping the Login Server

• To disable login server startup when the system is booted, type:

	/usr/dt/bin/dtconfig -d

This will tell the system not to start the login server when you next reboot.

• To stop the login server by killing the process ID, type:

	/usr/dt/bin/dtconfig -kill

This issues the command kill login_server_process_ID)

---

Note –

Killing the login server process terminates all user sessions managed by the login server.

---

You can also stop the login server by killing the process ID. The login server process ID is stored in /var/dt/Xpid or in the file specified in Xconfig by the Dtlogin.pidFile resource.

If you are logged in to the desktop at the time you kill the login server, your desktop session will immediately terminate.

The Login Screen

The login screen displayed by the login server is an attractive alternative to the traditional character-mode login screen and provides capabilities beyond those provided by a character-mode login.

Figure 1–2 Desktop login screen

As with a character mode login, the user enters a user name followed by a password. If authenticated, the login server starts a desktop session for the user. When the user exits the desktop session, the login server displays a new login screen, and the process begins again.

To customize the login screen, you can:

• Change the login screen appearance

• Configure X server authority

• Change the default language

• Issue commands prior to display of the login screen

• Change the contents of the login screen Language menu

• Specify the command to start the user's session

• Issue commands prior to the start of the user's desktop session

• Issue commands after the user's session ends

Each of these can be done for all displays or on a per-display basis.

Changing the Login Screen Appearance

To customize the login screen appearance, you can change the logo or graphic, the welcome messages, and the fonts.

To modify Xresources, copy Xresources from /usr/dt/config/language to /etc/dt/config/language. The login screen will reflect any changes the next time the login screen is displayed. To force a redisplay of a login screen, select Reset Login Screen from the login screen Options menu.

Attributes of the login screen that can be determined by resource specifications in the Xresources file include:

Dtlogin*logo*bitmapFile—bitmap or pixmap file to display as logo image

Dtlogin*greeting*persLabelString—personalized welcome message

Dtlogin*greeting*labelString—welcome message

Dtlogin*greeting*fontList Font for welcome messages

Dtlogin*labelFont Font for push buttons and labels

Dtlogin*textFont Font for help and error messages

Dtlogin*language*languageName Alternate text for locale name language

To Change the Logo

Set the Dtlogin*logo*bitmapFile resource in Xresources.

The logo can be a color pixmap or a bitmap file.

The following example uses the Mylogo bitmap as the logo:

Dtlogin*logo*bitmapFile: /usr/local/lib/X11/dt/bitmaps/Mylogo.bm

To Change the Welcome Message

By default, the login server displays the message Welcome to host name on the login screen. To change this message:

Set the Dtlogin*greeting*labelString resource in Xresources.

The value of the labelString resource can contain %LocalHost%, which will be replaced by the login server host name, and %DisplayName%, which will be replaced by the X server display name.

The following example changes the welcome message to Here's host name!:

Dtlogin*greeting*labelString: Here's %LocalHost%!

Once the user name has been entered, the login server displays the message Welcome username by default. You can change this message by setting the Dtlogin*greeting*persLabelString resource in Xresources. The value of the persLabelString can contain %s, which will be replaced by the username.

The following example changes the personalized welcome message to Hello username.

Dtlogin*greeting*persLabelString: Hello %s 

To Change the Fonts

You can change the fonts used on the login screen by setting one of the following font resources in Xresources:

Dtlogin*greeting*fontList—font for welcome messages

Dtlogin*labelFont—font for push buttons and labels

Dtlogin*textFont—font for help and error messages

To list the available fonts, type:

xlsfonts [-options] [-fn pattern]

The following example uses a large font for the welcome message (the value you specify must be contained on one line):

Dtlogin*greeting*fontList: -dt-interface \
 system-medium-r-normal-xxl*-*-*-*-*-*-*-*-*:

To Provide Alternate Text to Display for Each Language

To display per-locale text on the login screen Language menu instead of the default display of the locale name, modify the Dtlogin*language*languageName resource name resource in Xresources:

Dtlogin*En_US*languageName: American

The text American will now be displayed rather than the locale name En_US.

Changing the Login Screen Behavior

To customize the login screen behavior, you can modify resources specified in the Xconfig file.

To modify Xconfig, copy Xconfig from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xconfig, tell the login server to reread Xconfig by typing:

/usr/dt/bin/dtconfig -reset

This which issues the command kill -HUP login server process ID)

Resources specified in the Xconfig file include:

Dtlogin*authorize—Xaccess file specification

Dtlogin*environment—X server environment

Dtlogin*language—default language

Dtlogin*languageList—language list for login screen Language menu

Dtlogin*resources—Xresources specification

Dtlogin*setup—Xsetup file specification

Dtlogin*startup—Xstartup file specification

Dtlogin*session—Xsession file specification

Dtlogin*failsafeClient—Xfailsafe script specification

Dtlogin*reset—Xreset script specification

Dtlogin*userPath—PATH for Xsession and Xfailsafe

Dtlogin*systemPath—PATH for Xsetup, Xstartup, and Xfailsafe

Dtlogin*systemShell—SHELL for Xsetup, Xstartup, and Xfailsafe

Dtlogin.timeZone—TZ for all scripts

Changing the Login Screen Behavior Per Display

In the examples below, changing an Xconfig resource changes the login screen behavior for all displays. The resources listed with an * (asterisk) can be specified on a per-display basis. This enables you to specify custom login screen behavior for certain displays. To specify a resource for a particular display, the resource is specified as Dtlogin*displayName*resource. For example, if you would like to turn off user based access control for display expo:0 but leave it on for other displays, you would specify:

Dtlogin*expo_0*authorize: False

---

Note –

Any special character in the display name, such as a : (colon) or . (period), is replaced by an _ (underbar).

---

Changing the X Server Access

By default, the login server allows X server access control on a per user basis and is based on authorization data stored and protected in the HomeDirectory/.Xauthority file. Only users who can read this file are allowed to connect to the X server. Generally, this is the preferred method of X server access control.

An alternative to user-based access control is host-based access control. Using this method, if a host is granted access to the X server, any user on that host is allowed to connect to the X server. Reasons to use host-based control include:

• Older R2 and R3 X clients will not be able to connect to an X server using user-based access control.

• On unsecured networks, a snooper may be able to intercept the authorization data passed between the X client and X server on the network.

  The Xconfig Dtlogin*authorize resource tells the login server to use user-based X server access control. To use host-based access control, change the authorize resource value to False, for example:

  Dtlogin*authorize: False

To Change the X Server Environment

If you want to provide the X server with one or more environment variables and values when started by the login server, you can specify them using the Dtlogin*environment resource in Xconfig. For example:

Dtlogin*environment: VAR1=foo VAR2=bar

will make the variables VAR1 and VAR2 available to the local X server process. These variables will also be exported to the Xsession and Xfailsafe scripts.

To Change the Default Language

When the user logs in to the desktop from the login screen, the user session is run under the locale selected from the Language submenu of the Options menu. If the user does not select a language, the login server default language is used. You can control the value of the default language by setting the Dtlogin*language resource in Xconfig. For example:

Dtlogin*language: Ja_JP

Check your system documentation to determine the languages installed on your system.

To Change the Content of the Login Screen Language Menu

By default the login server creates the login screen Language menu containing a list of all locales installed on the system. When the user selects a locale from the login screen language list, the login server will redisplay the login screen in the selected locale. When the user subsequently logs in, the login server will start a desktop session for the user in that locale.

You can specify your own list of languages by modifying the Dtlogin*languageList resource in Xconfig:

Dtlogin*languageList: En_US De_DE

The login server now displays only En_US and De_DE in the login screen Language menu.

Issuing Commands Before the Login Screen Appears

After the X server has started but before the login screen appears, the login server runs the Xsetup script. Xsetup runs with root authority and issues commands needing to be run before the display of the login screen.

To modify Xsetup, copy Xsetup from /usr/dt/config to /etc/dt/config. The next time the login screen is displayed, the modified Xsetup will be run.

Issuing Commands Before Starting the User Session

After the user enters the user name and password and they are authenticated, but before the user session is started, the login server runs the Xstartup script. Xstartup runs with root authority and issues commands needing to be run as root prior to the user session start.

To modify Xstartup, copy Xstartup from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xstartup will be run.

Starting a Desktop Session

By default, the login server starts the user session by running the Xsession script. Xsession runs with the user's authority and issues commands needed to start the desktop.

---

Note –

Do not directly update the Xsession script.

---

See Chapter 2, Configuring Session Manager , for information on how to customize the user's desktop session startup.

Starting a Failsafe Session

If the user selects Failsafe Session from the Sessions submenu of the login screen Options menu, the login server runs the Xfailsafe script. Xfailsafe runs with the user's authority and issues commands needed to start a minimal windowing environment, usually a Terminal window and an optional window manager.

To modify Xfailsafe, copy Xfailsafe from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xfailsafe will be run.

After the User's Session Ends

After the user exits the desktop or failsafe session, the login server runs the Xreset script. Xreset runs with root authority and issues commands needing to be run as root after the end of the user's session.

If you wish to modify Xreset, copy Xreset from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xreset will be run.

The Login Server Environment

The login server provides an environment that it exports to the Xsetup, Xstartup, Xsession, Xfailsafe and Xreset scripts. This environment is described in Table 1–1. Additional variables may also be exported by the login server.

Table 1–1 Login Server Environments

Environment Variable	Xsetup	Xstartup	Xsession	Xreset	Description
LANG	X	X	X	X	Default or selected language
XAUTHORITY	X	X	X	X	Alternate X authority file (optional)
PATH	X	X	X	X	Value of the Dtlogin*userPath resource (Xsession, Xfailsafe) or Dtlogin*systemPath resource (Xsetup, Xstartup, Xreset)
DISPLAY	X	X	X	X	X server connection number
SHELL	X	X	X	X	Shell specified in /etc/passwd (Xsession, Xfailsafe) or Dtlogin*systemShell resource (Xsetup, Xstartup, Xreset)
TZ	X	X	X	X	Value of Dtlogin.timeZone resource or timezone determined from system
USER		X	X	X	User name
HOME		X	X	X	Home directory specified in /etc/passwd
LOGNAME		X	X	X	User name

Changing the User or System Path

The login server sets the PATH environment variable when it runs the Xsession and Xfailsafe scripts. You can provide an alternate path to these scripts

To Change the User Path

Set the Dtlogin*userPath resource in Xconfig. For example:

	Dtlogin*userPath:/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11

To Change the System Path

Set the Dtlogin*systemPath resource in Xconfig. For example:

	Dtlogin*systemPath: /usr/bin/X11:/etc:/bin:/usr/bin:/usr/ucb

To Change the System Shell

The login server sets the SHELL environment variable when it runs the Xsetup, Xstartup and Xfailsafe scripts. The default is /bin/sh. If you wish to provide an alternate shell to these scripts, you can set the Dtlogin*systemShell resource in Xconfig. For example:

Dtlogin*systemShell: /bin/ksh

To Change the Time Zone

The login server sets the TZ environment variable when it runs the Xsetup, Xstartup, Xsession, Xfailsafe, and Xreset scripts. The default value is derived from the system so usually you will not need to change this behavior. To provide an alternate time zone to these scripts, set the Dtlogin.timeZone resource in Xconfig. For example:

Dtlogin.timeZone: CST6CDT

Administering Login Manager

When the login server starts, one dtlogin process is started. The dtlogin process reads the Xconfig file to determine the initial login server configuration and locate other login server configuration files. The login server then reads the Xservers file to see if it has any displays to explicitly manage, and also reads the Xaccess file to control access to the login server.

If the login server finds from the Xservers file that it needs to manage a local display, it will start an X server as instructed in the Xservers file and then display a login screen on that display.

If the login server finds from the Xservers file that it needs to manage a network display, it will assume an X server is already running with the specified display name and display a login screen on that display.

The login server will then wait for XDMCP requests from the network.

For each display managed, the login server first creates a new dtlogin process for that display. This means if the login server is managing n displays, there will be n+1 dtlogin processes. The login server will run the Xsetup script, load the Xresources file, then run dtgreet to display the login screen. Once the user has entered a username and password and has been authenticated, the login server will run the Xstartup script and then the Xsession or Xfailsafe script. When the user has exited the session, the login server will run the Xreset script.

If the login server gets an XDMCP-indirect request, it will run dtchooser to present a list of login server hosts on the display. When the user selects a host from the list, the login server on that host will manage the display.

For the Xaccess, Xconfig, Xfailsafe, Xreset, language/Xresources, Xservers, Xsetup, and Xstartup configuration files, the login server will by default look first in /etc/dt/config, then /usr/dt/config, and use the first file found.

Login Manager Files

The default locations of the Login Manager files are:

/usr/dt/bin/dtlogin—the login server and display manager

/usr/dt/bin/dtgreet—displays a login screen for a display

/usr/dt/bin/dtchooser—displays a chooser screen for a display

/usr/dt/bin/Xsession—starts a desktop session

/usr/dt/config/Xfailsafe—starts a failsafe session

/usr/dt/config/Xconfig—login server configuration file

/usr/dt/config/Xservers—login server display description file

/usr/dt/config/Xaccess—login server access description file

/usr/dt/config/language/Xresources—display layout resources

/usr/dt/config/Xsetup—display setup file

/usr/dt/config/Xstartup—pre-session startup file

/usr/dt/config/Xreset—post-session reset file

/var/dt/Xpid—process ID of the login server

/var/dt/Xerrors—error log file of the login server