Common Desktop Environment: Advanced User's and System Administrator's Guide
1 Configuring Login Manager
Contents of Chapter:
- Starting the Login Server
- Managing Local and Network Displays
- Finding the Login Server Process ID
- Displaying a Login Screen on a Local Display
- Running the Login Server without a Local Display
- Accessing Command Line Login on a Local Display
- Accommodating a Character Display Console
- Displaying a Login Screen on a Network Display
- Controlling Access to the Login Server
- Checking for Errors
- Stopping the Login Server
- The Login Screen
- Changing the Login Screen Appearance
- To Change the Logo
- To Change the Welcome Message
- To Change the Fonts
- To Provide Alternate Text to Display for Each Language
- Changing the Login Screen Behavior Per Display
- Changing the X Server Access
- To Change the X Server Environment
- To Change the Default Language
- To Change the Content of the Login Screen Language Menu
- Issuing Commands Before the Login Screen Appears
- Starting a Failsafe Session
- After the User's Session Ends
- The Login Server Environment
- Changing the User or System Path
- To Change the User Path
- To Change the System Path
- To Change the System Shell
- To Change the Time Zone
- Administering Login Manager
- Login Manager Files
The Login Manager is a server responsible for displaying a login screen, authenticating users, and starting a user's session. The graphical login is an attractive alternative to the traditional character mode login for bitmap displays. Displays managed by the login server can be directly attached to the login server or attached to an X terminal or workstation on the network.
Note: You must be a root user to start, stop, or customize the login server.
The login server:
- Can display a login screen on bitmap displays unconditionally or by request on local and network bitmap displays
- Accommodates directly attached character console displays
- Can display a chooser screen that enables users to display login screens from other login servers on the network
- Allows controlled access to the login server
- Provides access to the traditional character-mode login
Displays managed by the Login Manager can be directly attached to the Login Manager server or attached to an X terminal or workstation on the network. For local displays, the login server will automatically start an X server and display a login screen. For network displays, such as X terminals, the login server supports the X Display Manager Protocol (XDMCP) 1.0, which allows displays to request that the login server display a login screen on the display.
The login server is usually started when the system is booted. You can also start the login server from a command line.
Note: Although starting the login server from the command line is available for temporary configuration testing, you should normally start the login server when the system is booted.
Figure 1-1 shows a possible login server configuration.
Figure 1-1 Possible login server configuration
By default, the login server stores its process ID in /var/dt/Xpid.
To change this, you can set the Dtlogin.pidFile resource in the Xconfig file. If changed, the directory specified must exist when the login server is started.
To modify Xconfig, copy Xconfig from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xconfig, tell the login server to reread Xconfig by typing:
/usr/dt/bin/dtconfig -reset
This issues the command kill -HUP login server process ID.
For example, to store the login server process ID in /var/myservers/Dtpid, set the following in the Xconfig file:
Dtlogin.pidFile: /var/myservers/Dtpid
When the login server is restarted, the login server will store its process ID in /var/myservers/Dtpid. The /var/myservers directory must exist when the login server is started.
Displaying a Login Screen on a Local Display
Upon startup, the login server checks the Xservers file to determine if an X server needs to be started and to determine if and how login screens should be displayed on local or network displays.
To modify Xservers, copy Xservers from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xservers, tell the login server to reread Xservers by typing:
/usr/dt/bin/dtconfig -reset
This issues the command kill -HUP login server process ID.
The format of an Xservers line is:
display_name display_class display_type X_server_command
where
- display_name
- Tells the login server the connection name to use when connecting to the X server (:0 in the following example). A value of * (asterisk) is expanded to host name:0. The number specified must match the number specified in the X_server_command connection number.
- display_class
- Identifies resources specific to this display (Local in the following example).
- display_type
- Tells the login server whether the display is local or a network display, and how to manage the Command Line Login option on the login screen (local@console in the following example).
- X_server_command
- Identifies the command line, connection number, and other options the login server will use to start the X server (/usr/bin/X11/X :0 in the following example). The connection number specified must match the number specified in the display_name.
The default Xservers line is similar to:
:0 Local local@console /usr/bin/X11/X :0
Running the Login Server without a Local Display
If your login server system has no bitmap display, run the login server without a local display by commenting out the Xservers line for the local display using a # (pound sign). For example,
# :0 Local local@console /usr/bin/X11/X :0
Note: On Digital Platforms, /usr/dt/config/Xservers is symbolically linked to an appropriate file based on your system configuration. The link is established at system bootup.
When the login server starts, it runs in the background waiting for requests from network displays.
Accessing Command Line Login on a Local Display
When the user selects Command Line Login on the login screen, the login server temporarily terminates the X server, allowing access to the traditional command-line login running on the bitmap display terminal device. After the user has logged in and then out, or after a specified time-out, the login server will restart the X server.
Note: The Command Line Login option is unavailable on network displays.
The display_type controls the behavior of Command Line Login. The format of display_type is:
When local@display_terminal_device is specified, the login server assumes that the X server and /dev/display_terminal_device are on the same physical device, and that a command line login (usually getty) is running on the device. When the user selects Command Line Login, the X server is terminated, allowing access to the command-line login (getty) running on /dev/display_terminal_device.
To disable the Command Line Login option on a display, specify none as the display_terminal_device. The default display_terminal_device is console. When local is specified, display_terminal_device defaults to console. When foreign is specified, Command Line Login is disabled.
Note: The Command Line Login option will be disabled on the local display when the login server is started from the command line.
Accommodating a Character Display Console
If your login server system has a directly attached character display serving as a console, you may also want to set display_terminal_device to none to disable Command Line Login on the bitmap display login screen.
Alternatively, if a command-line login (getty) is running on both the character display console and the bitmap display, you can change display_terminal_device to the command line login (getty) device on the bitmap display.
For example, if the bitmap display command-line login (getty) is on device /dev/tty01, change the display_type to local@tty01.
The login server can accept requests from network displays to display a login screen on that particular display. The network display is usually an X terminal but can also be a workstation.
To manage requests from network displays, the login server supports the X Display Manager Protocol (XDMCP) 1.0. This protocol enables the login server to negotiate and accept or reject requests from network displays. Most X terminals have XDMCP built in.
XDMCP Direct Requests from Network Displays
When you configure your X terminal to use XDMCP direct (query mode), you tell your X terminal the host name of the login server host. When the X terminal is booted, it automatically contacts the login server, and the login server displays a login screen on the X terminal. See your X terminal documentation for information describing how to configure your X terminal for XDMCP direct mode.
Most X servers also support the -query option. In this mode, your X server behaves as if it were an X terminal, contacting the login server host directly and requesting that it display a login screen on the X server. For example, starting the X server on a bitmap display on workstation bridget will have login server anita display a login screen on the X server:
X -query anita
When you configure your X terminal to use XDMCP indirect mode, you tell your X terminal the host name of the login server host. When the X terminal is booted, it will contact the login server, and the login server will present a list, through a chooser screen, of other login server hosts on the network. From this list, the user can select a host, and that host will display a login screen on the user's X terminal. See your X terminal documentation for information describing how to configure your X terminal for XDMCP indirect mode.
As with direct mode, most X servers support the -indirect option, which causes your X server to contact the login server in XDMCP indirect mode.
Managing Non-XDMCP Network Displays
Older X terminals may not support XDMCP. For the login server to display a login screen on this type of X terminal, list the X terminal name in the Xservers file.
Example
The following lines in the Xservers file direct the login server to display a login screen on two non-XDMCP X terminals, ruby and wolfie:
ruby.blackdog.com:0 AcmeXsta foreign
wolfie:0 PandaCo foreign
Since the display is on the network, display_name includes the host name as part of the name. The display class can be used to specify resources specific to a particular class of X terminals. (Your X terminal documentation should tell you the display class of your X terminal.) The display_type of foreign tells the login server to connect to an existing X server rather than to start its own. In this case, an X_server_command is not specified.
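The Xservers line format described above, as an added example (not part of the CDE guide or of dtlogin itself): a Python checker that parses each line, reports whether Command Line Login is offered and on which device, and flags lines where the display_name number and the X_server_command connection number disagree. The function names are hypothetical, and the last sample line is constructed to show a mismatch.

```python
import re

# Constructed sample: lines from this page plus one deliberately inconsistent line.
SAMPLE_XSERVERS = """\
:0 Local local@console /usr/bin/X11/X :0
# :1 Local local@console /usr/bin/X11/X :1
ruby.blackdog.com:0 AcmeXsta foreign
wolfie:0 PandaCo foreign
:1 Local local@tty01 /usr/bin/X11/X :0
"""


def display_number(display_name):
    """Return N from ':N' or 'host:N' (an optional '.screen' suffix is ignored)."""
    if display_name == "*":            # page: "*" is expanded to "host name:0"
        return 0
    m = re.search(r":(\d+)(?:\.\d+)?$", display_name)
    return int(m.group(1)) if m else None


def check_line(line):
    """Parse one Xservers line and list anything that contradicts the format rules."""
    fields = line.split()
    if len(fields) < 3:
        return {"display_name": None, "type": None, "command_line_login": None,
                "problems": ["fewer than three fields"]}
    name, display_class, display_type = fields[:3]
    command = fields[3:]
    kind, _, device = display_type.partition("@")
    problems, cli_device = [], None

    if kind == "local":
        # Default terminal device is console; "none" disables Command Line Login.
        cli_device = device or "console"
        if cli_device == "none":
            cli_device = None
        if not command:
            problems.append("local display has no X_server_command")
        else:
            conn = [int(t[1:]) for t in command[1:] if re.fullmatch(r":\d+", t)]
            if not conn:
                problems.append("X_server_command has no connection number")
            elif conn[0] != display_number(name):
                problems.append(
                    f"display_name {name} does not match connection number :{conn[0]}")
    elif kind == "foreign":
        # The login server connects to an existing X server; nothing is started.
        if command:
            problems.append("foreign display should not specify an X_server_command")
        if display_number(name) is None:
            problems.append("display_name has no display number")
    else:
        problems.append(f"unknown display_type {display_type!r}")

    return {"display_name": name, "display_class": display_class, "type": kind,
            "command_line_login": cli_device, "problems": problems}


def check_xservers(text):
    """Check every active (non-blank, non-commented) line of an Xservers file."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            results.append(check_line(line))
    return results


if __name__ == "__main__":
    for r in check_xservers(SAMPLE_XSERVERS):
        status = "; ".join(r["problems"]) or "ok"
        print(r["display_name"], r["type"], r["command_line_login"], status)
```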
By default, any host on your network that has access to your login server host can request a login screen be displayed. You can limit access to the login server by modifying the Xaccess file.
To modify Xaccess, copy Xaccess from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xaccess, tell the login server to reread Xaccess by typing:
/usr/dt/bin/dtconfig -reset
This issues the command kill -HUP login server process ID.
XDMCP Direct
When a host attempts to connect to the login server via XDMCP-direct, the host name is compared to the Xaccess entries to determine whether the host is allowed access to the login server. Each Xaccess entry is a host name including the wildcards * (asterisk) and ? (question mark). An * (asterisk) matches zero or more characters and a ? (question mark) matches any one character. An ! (exclamation point) prefacing an entry disallows access, while no preface allows access.
For example, if Xaccess contains the following three entries:
amazon.waterloo.com
*.dept5.waterloo.com
!*
The first entry allows access to the login server from host amazon.waterloo.com, the second entry allows access from any host whose full domain name ends in dept5.waterloo.com, and the last entry disallows access from any other host.
XDMCP Indirect
When a host attempts to connect to the login server via XDMCP-indirect, the host name is compared to the Xaccess entries to determine whether the host is allowed access to the login server. Each Xaccess entry is similar to the XDMCP-direct entries, including wildcards, except that each entry is marked with a CHOOSER string. For example:
amazon.waterloo.com CHOOSER BROADCAST
*.dept5.waterloo.com CHOOSER BROADCAST
!* CHOOSER BROADCAST
Again, the first entry allows access to the login server from host amazon.waterloo.com, the second entry allows access from any host whose full domain name ends in dept5.waterloo.com, and the last entry disallows access from any other host.
One of the following can follow CHOOSER:
- BROADCAST tells the login server to broadcast to the login server sub-network to generate a list of available login server hosts.
- A list of host names tells the login server to use that list for the list of available login hosts.
For example:
amazon.waterloo.com CHOOSER shoal.waterloo.com alum.waterloo.com
*.dept5.waterloo.com CHOOSER BROADCAST
!* CHOOSER BROADCAST
If amazon.waterloo.com connects via XDMCP-indirect, it will be presented a list containing shoal and alum. If alice.dept5.waterloo.com connects, it will be presented with a list of all available login server hosts on the login server sub-network. Other XDMCP-indirect requests will be denied.
An alternative to specifying a list of host names is to define one or more macros containing the list of host names. For example:
%list1 shoal.waterloo.com alum.waterloo.com
amazon.waterloo.com CHOOSER %list1
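The Xaccess matching rules above, as an added example (not part of the CDE guide or of dtlogin's own code): a Python evaluator for direct and CHOOSER entries, run over the entries shown in this section. It assumes that the first matching entry decides, that a host matching no entry is denied, that macros are defined before they are used, and that names compare case-insensitively; the function names are hypothetical.

```python
import re

# Constructed sample assembled from the Xaccess entries shown on this page.
SAMPLE_XACCESS = """\
%list1 shoal.waterloo.com alum.waterloo.com
amazon.waterloo.com
*.dept5.waterloo.com
!*
amazon.waterloo.com CHOOSER %list1
*.dept5.waterloo.com CHOOSER BROADCAST
!* CHOOSER BROADCAST
"""


def pattern_to_regex(pattern):
    """Translate an Xaccess pattern: '*' is zero or more characters, '?' is one.

    Every other character is literal. fnmatch is not used because it would
    also treat '[' and ']' as wildcards, which Xaccess does not define.
    """
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def parse_xaccess(text):
    """Return (direct, indirect) entry lists in file order."""
    macros, direct, indirect = {}, [], []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):   # assumption: '#' comments
            continue
        head, rest = fields[0], fields[1:]
        if head.startswith("%"):                      # macro definition
            macros[head] = rest
            continue
        deny = head.startswith("!")
        regex = pattern_to_regex(head[1:] if deny else head)
        if rest and rest[0] == "CHOOSER":
            hosts = []
            for item in rest[1:]:                     # expand %macro references
                hosts.extend(macros.get(item, [item]))
            indirect.append((regex, deny, hosts))
        else:
            direct.append((regex, deny))
    return direct, indirect


def direct_allowed(direct, host):
    """XDMCP-direct: the first matching entry decides; no match means deny."""
    for regex, deny in direct:
        if regex.fullmatch(host.lower()):
            return not deny
    return False


def chooser_hosts(indirect, host):
    """XDMCP-indirect: chooser list (or ['BROADCAST']) for host, None if denied."""
    for regex, deny, hosts in indirect:
        if regex.fullmatch(host.lower()):
            return None if deny else hosts
    return None


if __name__ == "__main__":
    direct, indirect = parse_xaccess(SAMPLE_XACCESS)
    for h in ("amazon.waterloo.com", "alice.dept5.waterloo.com",
              "dept5.waterloo.com", "elsewhere.example.org"):
        print(h, direct_allowed(direct, h), chooser_hosts(indirect, h))
```

The pattern *.dept5.waterloo.com requires the leading dot, so the bare name dept5.waterloo.com falls through to !* and is denied; placing !* before the allow entries denies every host under the first-match assumption.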
By default, the login server logs errors in the /var/dt/Xerrors file. To change this, you can set the Dtlogin.errorLogFile resource in the Xconfig file. The directory specified must exist when the login server is started.
For example, to have the login server log errors in the /var/mylogs/Dterrors file, set the following in the Xconfig file:
Dtlogin.errorLogFile: /var/mylogs/Dterrors
When the login server is restarted, the login server will log errors to the /var/mylogs/Dterrors file. The /var/mylogs directory must exist when the login server is started.
You can also stop the login server by killing the process ID. The login server process ID is stored in /var/dt/Xpid or in the file specified in Xconfig by the Dtlogin.pidFile resource.
If you are logged into the desktop at the time you kill the login server, your desktop session will immediately terminate.
The login screen displayed by the login server is an attractive alternative to the traditional character-mode login screen and provides capabilities beyond those provided by a character-mode login.
Figure 1-2 Desktop login screen
As with a character mode login, the user enters a user name followed by a password. If authenticated, the login server starts a desktop session for the user. When the user exits the desktop session, the login server displays a new login screen, and the process begins again.
To customize the login screen, you can:
- Change the login screen appearance
- Configure X server authority
- Change the default language
- Issue commands prior to display of the login screen
- Change the contents of the login screen Language menu
- Specify the command to start the user's session
- Issue commands prior to the start of the user's desktop session
- Issue commands after the user's session ends
Each of these can be done for all displays or on a per-display basis.
To customize the login screen appearance, you can change the logo or graphic, the welcome messages, and the fonts.
To modify Xresources, copy Xresources from /usr/dt/config/language to /etc/dt/config/language. The login screen will reflect any changes the next time the login screen is displayed. To force a redisplay of a login screen, select Reset Login Screen from the login screen Options menu.
Attributes of the login screen that can be determined by resource specifications in the Xresources file include:
- Dtlogin*logo*bitmapFile
- Bitmap or pixmap file to display as logo image
- Dtlogin*greeting*labelString
- Welcome message
- Dtlogin*greeting*persLabelString
- Personalized welcome message
- Dtlogin*greeting*fontList
- Font for welcome messages
- Dtlogin*labelFont
- Font for push buttons and labels
- Dtlogin*textFont
- Font for help and error messages
- Dtlogin*language*languageName
- Alternate text for locale name language
To Change the Logo
Set the Dtlogin*logo*bitmapFile resource in Xresources.
The logo can be a color pixmap or a bitmap file.
The following example uses the Mylogo bitmap as the logo:
Dtlogin*logo*bitmapFile: /usr/local/lib/X11/dt/bitmaps/Mylogo.bm
To Change the Welcome Message
By default, the login server displays the message Welcome to host name on the login screen. To change this message:
Set the Dtlogin*greeting*labelString resource in Xresources.
The value of the labelString resource can contain %LocalHost%, which will be replaced by the login server host name, and %DisplayName%, which will be replaced by the X server display name.
The following example changes the welcome message to Here's host name!:
Dtlogin*greeting*labelString: Here's %LocalHost%!
Once the user name has been entered, the login server displays the message Welcome username by default. You can change this message by setting the Dtlogin*greeting*persLabelString resource in Xresources. The value of the persLabelString can contain %s, which will be replaced by the username.
The following example changes the personalized welcome message to Hello username.
Dtlogin*greeting*persLabelString: Hello %s
To Change the Fonts
You can change the fonts used on the login screen by setting one of the following font resources in Xresources:
- Dtlogin*greeting*fontList
- Font for welcome messages
- Dtlogin*labelFont
- Font for push buttons and labels
- Dtlogin*textFont
- Font for help and error messages
To list the available fonts, type:
xlsfonts [-options] [-fn pattern]
The following example uses a large font for the welcome message (the value you specify must be contained on one line):
Dtlogin*greeting*fontList: -dt-interface system-medium-r-normal-xxl*-*-*-*-*-*-*-*-*:
To display per-locale text on the login screen Language menu instead of the default display of the locale name, modify the Dtlogin*language*languageName resource in Xresources:
Dtlogin*En_US*languageName: American
The text American will now be displayed rather than the locale name En_US.
Changing the Login Screen Behavior
To customize the login screen behavior, you can modify resources specified in the Xconfig file.
To modify Xconfig, copy Xconfig from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xconfig, tell the login server to reread Xconfig by typing:
/usr/dt/bin/dtconfig -reset
This issues the command kill -HUP login server process ID.
Resources specified in the Xconfig file include:
- Dtlogin*authorize
- Xaccess file specification
- Dtlogin*environment
- X server environment
- Dtlogin*language
- Default language
- Dtlogin*languageList
- Language list for login screen Language menu
- Dtlogin*resources
- Xresources specification
- Dtlogin*setup
- Xsetup file specification
- Dtlogin*startup
- Xstartup file specification
- Dtlogin*session
- Xsession file specification
- Dtlogin*failsafeClient
- Xfailsafe script specification
- Dtlogin*reset
- Xreset script specification
- Dtlogin*userPath
- PATH for Xsession and Xfailsafe
- Dtlogin*systemPath
- PATH for Xsetup, Xstartup and Xfailsafe
- Dtlogin*systemShell
- SHELL for Xsetup, Xstartup and Xfailsafe
- Dtlogin.timeZone
- TZ for all scripts
Changing the Login Screen Behavior Per Display
In the examples below, changing an Xconfig resource changes the login screen behavior for all displays. The resources listed with an * (asterisk) can be specified on a per-display basis. This enables you to specify custom login screen behavior for certain displays. To specify a resource for a particular display, the resource is specified as Dtlogin*displayName*resource. For example, if you would like to turn off user based access control for display expo:0 but leave it on for other displays, you would specify:
Dtlogin*expo_0*authorize: False
Note: Any special character in the display name, such as a : (colon) or . (period), is replaced by an _ (underbar).
Changing the X Server Access
By default, the login server controls X server access on a per-user basis, using authorization data stored and protected in the HomeDirectory/.Xauthority file. Only users who can read this file are allowed to connect to the X server. Generally, this is the preferred method of X server access control.
An alternative to user-based access control is host-based access control. Using this method, if a host is granted access to the X server, any user on that host is allowed to connect to the X server. Reasons to use host-based control include:
- Older R2 and R3 X clients will not be able to connect to an X server using user-based access control.
- On unsecured networks, a snooper may be able to intercept the authorization data passed between the X client and X server on the network.
The Xconfig Dtlogin*authorize resource tells the login server to use user-based X server access control. To use host-based access control, change the authorize resource value to False, for example:
Dtlogin*authorize: False
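To find which displays end up with host-based access control, the following added example (not part of the CDE guide) reads the authorize resources from Xconfig text and resolves them per display, applying the display-name rule from the note above (: and . become _). It assumes a per-display resource overrides the global one and that an unset resource means user-based control; the function names and the sample Xconfig are constructed for illustration.

```python
# Constructed sample Xconfig: global user-based control, two per-display overrides.
SAMPLE_XCONFIG = """\
! constructed sample
Dtlogin.pidFile: /var/dt/Xpid
Dtlogin*userPath: /usr/bin:/etc:/usr/sbin
Dtlogin*authorize: True
Dtlogin*expo_0*authorize: False
Dtlogin*ruby_blackdog_com_0*authorize: False
"""


def resource_display_name(display_name):
    """Map a display name to its Xconfig resource component (expo:0 -> expo_0).

    Only ':' and '.', the two characters named on this page, are replaced.
    """
    return display_name.replace(":", "_").replace(".", "_")


def parse_authorize(xconfig_text):
    """Return {resource_display_name or None: bool} for every authorize resource.

    The key None holds the global Dtlogin*authorize value. Any value other
    than "true" is recorded as False so that it is reported for review.
    """
    settings = {}
    for raw in xconfig_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # '!' starts a resource comment
            continue
        name, sep, value = line.partition(":")    # split at the first colon only
        if not sep:
            continue
        parts = name.strip().split("*")
        if parts[0] != "Dtlogin" or parts[-1] != "authorize":
            continue
        user_based = value.strip().lower() == "true"
        if len(parts) == 2:                       # Dtlogin*authorize
            settings[None] = user_based
        elif len(parts) == 3:                     # Dtlogin*displayName*authorize
            settings[parts[1]] = user_based
    return settings


def host_based_displays(xconfig_text, display_names):
    """Return the displays whose effective authorize setting is not True."""
    settings = parse_authorize(xconfig_text)
    default = settings.get(None, True)            # page: user-based is the default
    flagged = []
    for display in display_names:
        if not settings.get(resource_display_name(display), default):
            flagged.append(display)
    return flagged


if __name__ == "__main__":
    displays = [":0", "expo:0", "ruby.blackdog.com:0", "wolfie:0"]
    for d in host_based_displays(SAMPLE_XCONFIG, displays):
        print("host-based X server access control on", d)
```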
If you wish to provide the X server with one or more environment variables and values when started by the login server, you can specify them using the Dtlogin*environment resource in Xconfig. For example:
Dtlogin*environment: VAR1=foo VAR2=bar
will make the variables VAR1 and VAR2 available to the local X server process. These variables will also be exported to the Xsession and Xfailsafe scripts.
To Change the Default Language
When the user logs in to the desktop from the login screen, the user session is run under the locale selected from the Language submenu of the Options menu. If the user does not select a language, the login server default language is used. You can control the value of the default language by setting the Dtlogin*language resource in Xconfig. For example:
Dtlogin*language: Ja_JP
Check your system documentation to determine the languages installed on your system.
To Change the Content of the Login Screen Language Menu
By default the login server creates the login screen Language menu containing a list of all locales installed on the system. When the user selects a locale from the login screen language list, the login server will redisplay the login screen in the selected locale. When the user subsequently logs in, the login server will start a desktop session for the user in that locale.
You can specify your own list of languages by modifying the Dtlogin*languageList resource in Xconfig:
Dtlogin*languageList: En_US De_DE
The login server now displays only En_US and De_DE in the login screen Language menu.
Issuing Commands Before the Login Screen Appears
After the X server has started but before the login screen appears, the login server runs the Xsetup script. Xsetup runs with root authority and issues commands needing to be run before the display of the login screen.
To modify Xsetup, copy Xsetup from /usr/dt/config to /etc/dt/config. The next time the login screen is displayed, the modified Xsetup will be run.
Issuing Commands Before Starting the User Session
After the user enters the user name and password and they are authenticated, but before the user session is started, the login server runs the Xstartup script. Xstartup runs with root authority and issues commands needing to be run as root prior to the user session start.
To modify Xstartup, copy Xstartup from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xstartup will be run.
Starting a Desktop Session
By default, the login server starts the user session by running the Xsession script. Xsession runs with the user's authority and issues commands needed to start the desktop.
Note: Do not directly update the Xsession script.
See Chapter 2, "Configuring Session Manager," for information on how to customize the user's desktop session startup.
Starting a Failsafe Session
If the user selects Failsafe Session from the Sessions submenu of the login screen Options menu, the login server runs the Xfailsafe script. Xfailsafe runs with the user's authority and issues commands needed to start a minimal windowing environment, usually a Terminal window and an optional window manager.
To modify Xfailsafe, copy Xfailsafe from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xfailsafe will be run.
After the User's Session Ends
After the user exits the desktop or failsafe session, the login server runs the Xreset script. Xreset runs with root authority and issues commands needing to be run as root after the end of the user's session.
If you wish to modify Xreset, copy Xreset from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xreset will be run.
The Login Server Environment
The login server provides an environment that it exports to the Xsetup, Xstartup, Xsession, Xfailsafe and Xreset scripts. This environment is described in Table 1-1. Additional variables may also be exported by the login server.
Changing the User or System Path
The login server sets the PATH environment variable when it runs the Xsession and Xfailsafe scripts. You can provide an alternate path to these scripts.
To Change the User Path
Set the Dtlogin*userPath resource in Xconfig. For example:
Dtlogin*userPath:/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11
To Change the System Path
Set the Dtlogin*systemPath resource in Xconfig. For example:
Dtlogin*systemPath: /usr/bin/X11:/etc:/bin:/usr/bin:/usr/ucb
To Change the System Shell
The login server sets the SHELL environment variable when it runs the Xsetup, Xstartup and Xfailsafe scripts. The default is /bin/sh. If you wish to provide an alternate shell to these scripts, you can set the Dtlogin*systemShell resource in Xconfig. For example:
Dtlogin*systemShell: /bin/ksh
To Change the Time Zone
The login server sets the TZ environment variable when it runs the Xsetup, Xstartup, Xsession, Xfailsafe, and Xreset scripts. The default value is derived from the system so usually you will not need to change this behavior. To provide an alternate time zone to these scripts, set the Dtlogin.timeZone resource in Xconfig. For example:
Dtlogin.timeZone: CST6CDT
When the login server starts, one dtlogin process is started. The dtlogin process reads the Xconfig file to determine the initial login server configuration and locate other login server configuration files. The login server then reads the Xservers file to see if it has any displays to explicitly manage, and also reads the Xaccess file to control access to the login server.
If the login server finds from the Xservers file that it needs to manage a local display, it will start an X server as instructed in the Xservers file and then display a login screen on that display.
If the login server finds from the Xservers file that it needs to manage a network display, it will assume an X server is already running with the specified display name and display a login screen on that display.
The login server will then wait for XDMCP requests from the network.
For each display managed, the login server first creates a new dtlogin process for that display. This means if the login server is managing n displays, there will be n+1 dtlogin processes. The login server will run the Xsetup script, load the Xresources file, then run dtgreet to display the login screen. Once the user has entered a username and password and has been authenticated, the login server will run the Xstartup script and then the Xsession or Xfailsafe script. When the user has exited the session, the login server will run the Xreset script.
If the login server gets an XDMCP-indirect request, it will run dtchooser to present a list of login server hosts on the display. When the user selects a host from the list, the login server on that host will manage the display.
For the Xaccess, Xconfig, Xfailsafe, Xreset, language/Xresources, Xservers, Xsetup, and Xstartup configuration files, the login server will by default look first in /etc/dt/config, then /usr/dt/config, and use the first file found.
The default locations of the Login Manager files are:
- /usr/dt/bin/dtlogin
- The login server and display manager
- /usr/dt/bin/dtgreet
- Displays a login screen for a display
- /usr/dt/bin/dtchooser
- Displays a chooser screen for a display
- /usr/dt/bin/Xsession
- Starts a desktop session
- /usr/dt/config/Xfailsafe
- Starts a failsafe session
- /usr/dt/config/Xconfig
- Login server configuration file
- /usr/dt/config/Xservers
- Login server display description file
- /usr/dt/config/Xaccess
- Login server access description file
- /usr/dt/config/language/Xresources
- Display layout resources
- /usr/dt/config/Xsetup
- Display setup file
- /usr/dt/config/Xstartup
- Pre-session startup file
- /usr/dt/config/Xreset
- Post-session reset file
- /var/dt/Xpid
- Process ID of the login server
- /var/dt/Xerrors
- Error log file of the login server