From: John.Pshyk@atcoelectric.com
Date: Tue Apr 18 2006 - 17:53:19 EDT
Original Question:
I am attempting to tighten up the security on our Tru64 5.1B server (with current security patches) but I am having some difficulties with understanding XDMCP services.
Background: We currently run CDE on the server console, but do not use any "X Windows" PC Workstation applications to connect to it. For added security, I would like to disable the XDMCP services on the server.
Questions: What Tru64 process or services are related to the XMDCP? Can I disable the XDMCP services on the server without affecting the use of CDE on the console? What are the steps to correctly disable this service? If I cannot disable this service because it will affect the use of CDE on the console, how can I strengthen its security configuration?
Thank you for your time.
SUMMARY:
Thank you for all who replied!
I started off by renaming xlogin link so that it would not be run at boot time which was suggested by Johan Brusche.
>To stop it:
>/sbin/init.d/xlogin stop
>
>To prevent from starting at boot:
>mv /sbin/rc3.d/S95xlogin /sbin/rc3.d/_S95xlogin
This worked but we require CDE on the console. The other option I was to limit the connection to the service.
For this, I followed Eric Sisson suggestions:
>Make a backup copy of /usr/dt/config/Xaccess and comment (by placing
>a ``#'' sign at the beginning) the following two lines:
>
> * # grant service to all remote displays
>
> * CHOOSER BROADCAST #any indirect host can get a chooser
>
>These changes will prevent remote XDMCP logins. When I did this, I
>rebooted the system for it to take effect. That works, but may be
>more than is necessary. I think that /sbin/init.d/xlogin is the
>controlling init script. However, since it does affect the console,
>starting and stopping this may or may not be sufficient.
Once again, thanks.
John Pshyk I.S.P.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:50:29 EDT