From: Fred Kleinsorge [kleinsorge@star.zko.dec.com]
Sent: Tuesday, May 15, 2001 10:15 AM
To: Info-VAX@Mvb.Saic.Com
Subject: Re: XDM logins and Advanced Server external authentication

Let's sort this out a little.

The original question had to do with why the XDM provided with TCPIP doesn't apparently honor the external authentication. The answer is, I don't know, but you should report this as a bug. My guess is that the XDM implementation uses the DECwindows loginout and the "hooks" it uses may not be up-to-snuff. OpenVMS (Alpha at least) is heading towards conversion of login stuff to the ACM services, so hopefully all this will get sorted out soon.

Now for the other authorization/authentication stuff.

XDM has two halves. The stuff that sits on the remote display - both in the display server code, and the widget that starts the connection (usually using XDMCP) -- and the stuff that sits on the host server - the part that listens for connection requests, and starts the X11 client session back to the remote display. As part of the connection setup, if enabled, XDM authorization/authentication can take place if it is supported.

VMS doesn't support (yet) XDM on the display server, we only have the "host" part (so you can connect from your PC to a VMS host, but not from a VMS workstation to a remote host). I "believe" that XDM authorization/authentication is supported for what we have - it at least seems to be in the documentation. I don't know how much it supports though.

Now, as to xhost and magic cookie. We have our own flavor of an xhost list, it is augmented with the username for transports that support it - like DECnet. In COE, we have added xauth and magic cookie for TCPIP. When we upgrade the client to X11R6, this will make it into the general releases - potentially with the other half of XDM, and the rest of the authentication/authorization methods like Kerberos.

FWIW - authorization/authentication is *not* part of the X11 specification. They explicitly punted on its definition. All they did was to provide a hook in the connection prefix message to allow authorization/authentication data to be passed. The current methods were then deployed on top of this, and the "standard" for these methods appears mostly to be the sample implementation reference (xau, xauth, xauthority, and the protocols like magic-cookie, xdm, kerberos, Sun DES, etc, etc, etc).

FWIW - When VMS was mostly a DECnet world, most of this wasn't very interesting. As TCPIP becomes more the norm... then all of this becomes important.

Dan O'Reilly wrote in message <5.0.2.1.2.20010514164759.00ae6030@ntbsod.psccos.com>...
>Generally, with X logins, there is one of two mechanisms employed: Xauthority
>or Xhost. Virtually all UNIX systems use Xauthority (also known as
>"MIT Magic Cookie") for authentication. This isn't part of XDM, it's part of
>the X specification. And DECwindows doesn't support it.
>
>At 04:12 PM 5/14/2001, Mitchell, David R. wrote:
>>Yes. I'm aware of that. The question was why doesn't authentication work
>>from an X session when Advanced Servers' external authentication is used. I
>>would expect all authentication to be handled the same, so if external
>>authentication works from a telnet or rlogin session why wouldn't it work
>>from an X session? Apparently some other mechanism is at work when X logins
>>are being established. Strange, but perhaps someone else knows something
>>about this???
>
>------
>+-------------------------------+---------------------------------------+
>| Dan O'Reilly                  |                                       |
>| Principal Engineer            |  "Why should I care about posterity?  |
>| Process Software              |  What's posterity ever done for me?"  |
>| http://www.process.com        |                      -- Groucho Marx  |
>+-------------------------------+---------------------------------------+
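The hook in the connection prefix message that the reply above describes, as an added example that is not part of the original post: a parser for the X11 client connection setup request, whose two authorization fields carry the protocol name (for instance MIT-MAGIC-COOKIE-1) and its data. The sample messages and cookie value are constructed, and the function names are hypothetical.

```python
import struct

def pad4(n):
    """Bytes of padding needed to reach a 4-byte boundary."""
    return (4 - n % 4) % 4

def build_setup_request(name=b"", data=b"", order="<"):
    """Build a client connection setup request (hypothetical helper for the samples)."""
    head = bytes([0x6C if order == "<" else 0x42, 0])
    head += struct.pack(order + "HHHHH", 11, 0, len(name), len(data), 0)
    return head + name + bytes(pad4(len(name))) + data + bytes(pad4(len(data)))

def parse_setup_request(buf):
    """Extract the authorization fields from a connection setup request."""
    if len(buf) < 12:
        raise ValueError("shorter than the 12-byte fixed prefix")
    order = {0x42: ">", 0x6C: "<"}.get(buf[0])  # 'B' = MSB first, 'l' = LSB first
    if order is None:
        raise ValueError("invalid byte-order byte")
    major, minor, nlen, dlen = struct.unpack_from(order + "HHHH", buf, 2)
    data_start = 12 + nlen + pad4(nlen)
    data_end = data_start + dlen
    if len(buf) < data_end + pad4(dlen):
        raise ValueError("authorization fields run past end of message")
    return {
        "version": (major, minor),
        "auth_name": buf[12:12 + nlen].decode("latin-1"),
        "auth_data": buf[data_start:data_end],
    }

def relies_on_host_list(req):
    """True when the client sent no authorization data, leaving only the host list."""
    return req["auth_name"] == "" and req["auth_data"] == b""

# Constructed samples: a 16-byte placeholder cookie, and a client sending nothing.
COOKIE = bytes(range(16))
WITH_COOKIE = build_setup_request(b"MIT-MAGIC-COOKIE-1", COOKIE)
NO_AUTH = build_setup_request(order=">")

if __name__ == "__main__":
    for msg in (WITH_COOKIE, NO_AUTH):
        req = parse_setup_request(msg)
        print(req["version"], repr(req["auth_name"]), len(req["auth_data"]),
              "host-list only" if relies_on_host_list(req) else "auth data present")
```

The core protocol only defines the two length-prefixed fields; what goes in them is left to methods such as magic cookie layered on top.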