The Login Manager is a server responsible for displaying a login screen, authenticating users, and starting a user's session. The graphical login is an attractive alternative to the traditional character mode login for bitmap displays. Displays managed by the login server can be directly attached to the login server or attached to an X terminal or workstation on the network.
You must be a root user to start, stop, or customize the login server.
The login server:
Can display a login screen on bitmap displays unconditionally or by request on local and network bitmap displays
Accommodates directly attached character console displays
Can display a chooser screen that enables users to display login screens from other login servers on the network
Allows controlled access to the login server
Provides access to the traditional character-mode login
Displays managed by the Login Manager can be directly attached to the Login Manager server or attached to an X terminal or workstation on the network. For local displays, the login server will automatically start an X server and display a login screen. For network displays, such as X terminals, the login server supports the X Display Manager Protocol (XDMCP) 1.0, which allows displays to request that the login server display a login screen on the display.
The login server is usually started when the system is booted. You can also start the login server from a command line.
To set the login server to start when the system is booted, type /usr/dt/bin/dtconfig -e
The login server will then start automatically when you reboot.
For more information about the desktop configuration utility, dtconfig, see Appendix A, dtconfig(1) Man Page. It provides a copy of the dtconfig.1 man page.
To start the login server from a command line, type /usr/dt/bin/dtlogin -daemon; exit
Although starting the login server from the command line is available for temporary configuration testing, you should normally start the login server when the system is booted.
Figure 1-1 shows a possible login server configuration.
By default, the login server stores its process ID in /var/dt/Xpid.
To change this, you can set the Dtlogin.pidFile resource in the Xconfig file. If changed, the directory specified must exist when the login server is started.
To modify Xconfig, copy Xconfig from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xconfig, tell the login server to reread Xconfig by typing:
/usr/dt/bin/dtconfig -reset
This issues the command kill -HUP login_server_process_ID.
For example, to store the login server process ID in /var/myservers/Dtpid, set the following in the Xconfig file:
Dtlogin.pidFile: /var/myservers/Dtpid
When the login server is restarted, the login server will store its process ID in /var/myservers/Dtpid. The /var/myservers directory must exist when the login server is started.
Upon startup, the login server checks the Xservers file to determine if an X server needs to be started and to determine if and how login screens should be displayed on local or network displays.
To modify Xservers, copy Xservers from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xservers, tell the login server to reread Xservers by typing:
/usr/dt/bin/dtconfig -reset
This issues the command kill -HUP login_server_process_ID.
The format of an Xservers line is:
display_name display_class display_type X_server_command
where
display_name--tells the login server the connection name to use when connecting to the X server (:0 in the following example). A value of * (asterisk) is expanded to host name:0. The number specified must match the number specified in the X_server_command connection number.
display_class--identifies resources specific to this display (Local in the following example).
display_type--tells the login server whether the display is local or a network display, and how to manage the Command Line Login option on the login screen (local@console in the following example).
X_server_command--identifies the command line, connection number, and other options the login server will use to start the X server (/usr/bin/X11/X :0 in the following example). The connection number specified must match the number specified in the display_name.
The default Xservers line is similar to:
:0 Local local@console /usr/bin/X11/X :0
If your login server system has no bitmap display, run the login server without a local display by commenting out the Xservers line for the local display using a # (pound sign). For example,
# :0 Local local@console /usr/bin/X11/X :0
When the login server starts, it runs in the background waiting for requests from network displays.
When the user selects Command Line Login on the login screen, the login server temporarily terminates the X server, allowing access to the traditional command-line login running on the bitmap display terminal device. After the user has logged in and then out, or after a specified time-out, the login server will restart the X server.
The Command Line Login option is unavailable on network displays.
The display_type controls the behavior of Command Line Login. The format of display_type is:
When local@display_terminal_device is specified, the login server assumes that the X server and /dev/display_terminal_device are on the same physical device, and that a command line login (usually getty) is running on the device. When the user selects Command Line Login, the X server is terminated, allowing access to the running command-line login (getty) running on the /dev/display_terminal_device.
To disable the Command Line Login option on a display, specify none as the display_terminal_device. The default display_terminal_device is console. When local is specified, display_terminal_device defaults to console. When foreign is specified, Command Line Login is disabled.
The Command Line Login option will be disabled on the local display when the login server is started from the command line.
If your login server system has a directly attached character display serving as a console, you may also want to set display_terminal_device to none to disable Command Line Login on the bitmap display login screen.
Alternatively, if a command-line login (getty) is running on both the character display console and the bitmap display, you can change display_terminal_device to the command line login (getty) device on the bitmap display.
For example, if the bitmap display command-line login (getty) is on device /dev/tty01, change the display_type to local@tty01.
The login server can accept requests from network displays to display a login screen on that particular display. The network display is usually an X terminal but can also be a workstation.
To manage requests from network displays, the login server supports the X Display Manager Protocol (XDMCP) 1.0. This protocol enables the login server to negotiate and accept or reject requests from network displays. Most X terminals have XDMCP built in.
When you configure your X terminal to use XDMCP direct (query mode), you tell your X terminal the host name of the login server host. When the X terminal is booted, it automatically contacts the login server, and the login server displays a login screen on the X terminal. See your X terminal documentation for information describing how to configure your X terminal for XDMCP direct mode.
Most X servers also support the -query option. In this mode, your X server behaves as if it were an X terminal, contacting the login server host directly and requesting that it display a login screen on the X server. For example, starting the X server on a bitmap display on workstation bridget will have login server anita display a login screen on the X server:
X -query anita
When you configure your X terminal to use XDMCP indirect mode, you tell your X terminal the host name of the login server host. When the X terminal is booted, it will contact the login server, and the login server will present a list, through a chooser screen, of other login server hosts on the network. From this list, the user can select a host, and that host will display a login screen on the user's X terminal. See your X terminal documentation for information describing how to configure your X terminal for XDMCP indirect mode.
As with direct mode, most X servers support the -indirect option, which causes your X server to contact the login server in XDMCP indirect mode.
Older X terminals may not support XDMCP. For the login server to display a login screen on this type of X terminal, list the X terminal name in the Xservers file.
Since the display is on the network, display_name includes the host name as part of the name. The display class can be used to specify resources specific to a particular class of X terminals. (Your X terminal documentation should tell you the display class of your X terminal.) The display_type of foreign tells the login server to connect to an existing X server rather than to start its own. In this case, an X_server_command is not specified.
The following lines in the Xservers file direct the login server to display a login screen on two non-XDMCP X terminals, ruby and wolfie:
ruby.blackdog.com:0 AcmeXsta foreign
wolfie:0 PandaCo foreign
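The Xservers rules described above (matching connection numbers, the local@display_terminal_device forms, and foreign displays without an X_server_command) can be checked mechanically. The following is an added example, not part of the original guide or of dtlogin; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the page's Xservers lines plus one deliberate mismatch.
SAMPLE_XSERVERS = """\
:0 Local local@console /usr/bin/X11/X :0
# :1 Local local@console /usr/bin/X11/X :1
:2 Local local@none /usr/bin/X11/X :3
:4 Local local@tty01 /usr/bin/X11/X :4
ruby.blackdog.com:0 AcmeXsta foreign
wolfie:0 PandaCo foreign
"""

DISPLAY_NUMBER = re.compile(r":(\d+)(?:\.\d+)?$")


def check_xservers_line(line):
    """Return (info, problems) for one line, or None for a blank/comment line."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if len(fields) < 3:
        return {}, ["need display_name display_class display_type"]
    name, dclass, dtype, command = fields[0], fields[1], fields[2], fields[3:]
    problems = []

    # '*' expands to "host name:0", so its connection number is 0.
    found = DISPLAY_NUMBER.search(name)
    number = 0 if name == "*" else int(found.group(1)) if found else None
    if number is None:
        problems.append("display_name has no connection number")

    kind, _, device = dtype.partition("@")
    cli_device = None  # terminal device that Command Line Login falls back to
    if kind == "local":
        device = device or "console"  # plain 'local' defaults to console
        if device != "none":
            cli_device = "/dev/" + device
        in_command = [int(t[1:]) for t in command if re.fullmatch(r":\d+", t)]
        if not command:
            problems.append("local display has no X_server_command")
        elif not in_command:
            problems.append("X_server_command has no connection number")
        elif number is not None and in_command[0] != number:
            problems.append(
                "display_name :%d does not match X_server_command :%d"
                % (number, in_command[0])
            )
    elif kind == "foreign":
        # Foreign displays connect to an existing X server; no command is given.
        if command:
            problems.append("foreign display should not have an X_server_command")
    else:
        problems.append("unknown display_type %r" % dtype)

    info = {"display": name, "class": dclass, "type": kind,
            "command_line_login": cli_device}
    return info, problems


def audit_xservers(text):
    """Check every active line; returns a list of (info, problems) tuples."""
    results = (check_xservers_line(line) for line in text.splitlines())
    return [r for r in results if r is not None]
```

The command_line_login field shows which terminal device the Command Line Login option would expose for each display, or None where the option is disabled.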
By default, any host on your network that has access to your login server host can request a login screen be displayed. You can limit access to the login server by modifying the Xaccess file.
To modify Xaccess, copy Xaccess from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xaccess, tell the login server to reread Xaccess by typing:
/usr/dt/bin/dtconfig -reset
This issues the command kill -HUP login_server_process_ID.
When a host attempts to connect to the login server via XDMCP-direct, the host name is compared to the Xaccess entries to determine whether the host is allowed access to the login server. Each Xaccess entry is a host name including the wildcards * (asterisk) and ? (question mark). An * (asterisk) matches zero or more characters and a ? (question mark) matches any one character. An ! (exclamation point) prefacing an entry disallows access, while no preface allows access.
For example, say Xaccess contains the following three entries:
amazon.waterloo.com
*.dept5.waterloo.com
!*
The first entry allows access to the login server from host amazon.waterloo.com, the second entry allows access from any host whose full domain name ends in dept5.waterloo.com, and the last entry disallows access from any other host.
When a host attempts to connect to the login server via XDMCP-indirect, the host name is compared to the Xaccess entries to determine whether the host is allowed access to the login server. Each Xaccess entry is similar to the XDMCP-direct entries, including wildcards, except that each entry is marked with a CHOOSER string. For example:
amazon.waterloo.com CHOOSER BROADCAST
*.dept5.waterloo.com CHOOSER BROADCAST
!* CHOOSER BROADCAST
Again, the first entry allows access to the login server from host amazon.waterloo.com, the second entry allows access from any host whose full domain name ends in dept5.waterloo.com, and the last entry disallows access from any other host.
One of the following can be listed after the CHOOSER.
BROADCAST tells the login server to broadcast to the login server sub-network to generate a list of available login server hosts.
A list of host names tells the login server to use that list for the list of available login hosts. For example:
amazon.waterloo.com CHOOSER shoal.waterloo.com alum.waterloo.com
*.dept5.waterloo.com CHOOSER BROADCAST
!* CHOOSER BROADCAST
If amazon.waterloo.com connects via XDMCP-indirect, it will be presented with a list containing shoal and alum. If alice.dept5.waterloo.com connects, it will be presented with a list of all available login server hosts on the login server sub-network. Other XDMCP-indirect requests will be denied.
An alternative to specifying a list of host names is to define one or more macros containing the list of host names. For example:
%list1 shoal.waterloo.com alum.waterloo.com
amazon.waterloo.com CHOOSER %list1
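To see how a given Xaccess file will treat a host before relying on it, the matching rules for XDMCP-direct entries, CHOOSER entries and macros described above can be modelled as follows. This is an added example, not dtlogin's own code; it assumes the first matching entry decides (consistent with the page's examples, where the final !* catches every other host), reports "no-match" rather than guessing what the server does when nothing matches, and all function names are illustrative.

```python
import re

# Constructed sample: the page's direct, CHOOSER and macro entries in one file.
SAMPLE_XACCESS = """\
%list1 shoal.waterloo.com alum.waterloo.com
amazon.waterloo.com
*.dept5.waterloo.com
!*
amazon.waterloo.com CHOOSER %list1
*.dept5.waterloo.com CHOOSER BROADCAST
!* CHOOSER BROADCAST
"""


def wild_match(pattern, host):
    """Xaccess wildcards: * is zero or more characters, ? is exactly one."""
    # Lower-casing both sides is this example's choice (DNS names are
    # case-insensitive); the page does not say how dtlogin compares case.
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern.lower()
    )
    return re.fullmatch(regex, host.lower(), re.DOTALL) is not None


def parse_xaccess(text):
    """Split Xaccess text into macros, direct rules and CHOOSER rules."""
    macros, direct, indirect = {}, [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):  # '#' comments: assumption
            continue
        if fields[0].startswith("%"):
            macros[fields[0]] = fields[1:]
            continue
        deny = fields[0].startswith("!")
        pattern = fields[0][1:] if deny else fields[0]
        if len(fields) > 1 and fields[1] == "CHOOSER":
            indirect.append((pattern, deny, fields[2:]))
        else:
            direct.append((pattern, deny))
    return macros, direct, indirect


def check_direct(direct, host):
    """Return 'allow', 'deny' or 'no-match' for an XDMCP-direct request."""
    for pattern, deny in direct:
        if wild_match(pattern, host):
            return "deny" if deny else "allow"
    return "no-match"


def check_indirect(indirect, macros, host):
    """Return (verdict, chooser_hosts) for an XDMCP-indirect request."""
    for pattern, deny, targets in indirect:
        if not wild_match(pattern, host):
            continue
        if deny:
            return "deny", None
        if targets == ["BROADCAST"]:
            return "allow", "BROADCAST"
        hosts = []
        for target in targets:  # expand %macro names into their host lists
            hosts.extend(macros.get(target, []) if target.startswith("%") else [target])
        return "allow", hosts
    return "no-match", None


def lacks_default_deny(rules):
    """True when a rule list does not end with a catch-all !* entry."""
    return not rules or rules[-1][0] != "*" or not rules[-1][1]
```

Running lacks_default_deny over both rule lists is a quick way to spot an Xaccess file that names allowed hosts but never closes with !*.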
By default, the login server logs errors in the /var/dt/Xerrors file. To change this, you can set the Dtlogin.errorLogFile resource in the Xconfig file. The directory specified must exist when the login server is started.
For example, to have the login server log errors in the /var/mylogs/Dterrors file, set the following in the Xconfig file:
Dtlogin.errorLogFile: /var/mylogs/Dterrors
When the login server is restarted, the login server will log errors to the /var/mylogs/Dterrors file. The /var/mylogs directory must exist when the login server is started.
/usr/dt/bin/dtconfig -d
This will tell the system not to start the login server when you next reboot.
To stop the login server by killing the process ID, type:
/usr/dt/bin/dtconfig -kill
This issues the command kill login_server_process_ID.
Killing the login server process terminates all user sessions managed by the login server.
You can also stop the login server by killing the process ID. The login server process ID is stored in /var/dt/Xpid or in the file specified in Xconfig by the Dtlogin.pidFile resource.
If you are logged in to the desktop at the time you kill the login server, your desktop session will immediately terminate.
The login screen displayed by the login server is an attractive alternative to the traditional character-mode login screen and provides capabilities beyond those provided by a character-mode login.
As with a character mode login, the user enters a user name followed by a password. If authenticated, the login server starts a desktop session for the user. When the user exits the desktop session, the login server displays a new login screen, and the process begins again.
To customize the login screen, you can:
Change the login screen appearance
Configure X server authority
Change the default language
Issue commands prior to display of the login screen
Change the contents of the login screen Language menu
Specify the command to start the user's session
Issue commands prior to the start of the user's desktop session
Issue commands after the user's session ends
Each of these can be done for all displays or on a per-display basis.
To customize the login screen appearance, you can change the logo or graphic, the welcome messages, and the fonts.
To modify Xresources, copy Xresources from /usr/dt/config/language to /etc/dt/config/language. The login screen will reflect any changes the next time the login screen is displayed. To force a redisplay of a login screen, select Reset Login Screen from the login screen Options menu.
Attributes of the login screen that can be determined by resource specifications in the Xresources file include:
Dtlogin*logo*bitmapFile--bitmap or pixmap file to display as logo image
Dtlogin*greeting*persLabelString--personalized welcome message
Dtlogin*greeting*labelString--welcome message
Dtlogin*greeting*fontList--font for welcome messages
Dtlogin*labelFont--font for push buttons and labels
Dtlogin*textFont--font for help and error messages
Dtlogin*language*languageName--alternate text for locale name language
Set the Dtlogin*logo*bitmapFile resource in Xresources.
The logo can be a color pixmap or a bitmap file.
The following example uses the Mylogo bitmap as the logo:
Dtlogin*logo*bitmapFile: /usr/local/lib/X11/dt/bitmaps/Mylogo.bm
By default, the login server displays the message Welcome to host name on the login screen. To change this message:
Set the Dtlogin*greeting*labelString resource in Xresources.
The value of the labelString resource can contain %LocalHost%, which will be replaced by the login server host name, and %DisplayName%, which will be replaced by the X server display name.
The following example changes the welcome message to Here's host name!:
Dtlogin*greeting*labelString: Here's %LocalHost%!
Once the user name has been entered, the login server displays the message Welcome username by default. You can change this message by setting the Dtlogin*greeting*persLabelString resource in Xresources. The value of the persLabelString can contain %s, which will be replaced by the username.
The following example changes the personalized welcome message to Hello username.
Dtlogin*greeting*persLabelString: Hello %s
You can change the fonts used on the login screen by setting one of the following font resources in Xresources:
Dtlogin*greeting*fontList--font for welcome messages
Dtlogin*labelFont--font for push buttons and labels
Dtlogin*textFont--font for help and error messages
To list the available fonts, type:
xlsfonts [-options] [-fn pattern]
The following example uses a large font for the welcome message (the value you specify must be contained on one line):
Dtlogin*greeting*fontList: -dt-interface system-medium-r-normal-xxl*-*-*-*-*-*-*-*-*:
To display per-locale text on the login screen Language menu instead of the default display of the locale name, modify the Dtlogin*language*languageName resource in Xresources:
Dtlogin*En_US*languageName: American
The text American will now be displayed rather than the locale name En_US.
To customize the login screen behavior, you can modify resources specified in the Xconfig file.
To modify Xconfig, copy Xconfig from /usr/dt/config to /etc/dt/config. After modifying /etc/dt/config/Xconfig, tell the login server to reread Xconfig by typing:
/usr/dt/bin/dtconfig -reset
This issues the command kill -HUP login_server_process_ID.
Resources specified in the Xconfig file include:
Dtlogin*authorize--Xaccess file specification
Dtlogin*environment--X server environment
Dtlogin*language--default language
Dtlogin*languageList--language list for login screen Language menu
Dtlogin*resources--Xresources specification
Dtlogin*setup--Xsetup file specification
Dtlogin*startup--Xstartup file specification
Dtlogin*session--Xsession file specification
Dtlogin*failsafeClient--Xfailsafe script specification
Dtlogin*reset--Xreset script specification
Dtlogin*userPath--PATH for Xsession and Xfailsafe
Dtlogin*systemPath--PATH for Xsetup, Xstartup, and Xfailsafe
Dtlogin*systemShell--SHELL for Xsetup, Xstartup, and Xfailsafe
Dtlogin.timeZone--TZ for all scripts
In the examples below, changing an Xconfig resource changes the login screen behavior for all displays. The resources listed with an * (asterisk) can be specified on a per-display basis. This enables you to specify custom login screen behavior for certain displays. To specify a resource for a particular display, the resource is specified as Dtlogin*displayName*resource. For example, if you would like to turn off user-based access control for display expo:0 but leave it on for other displays, you would specify:
Dtlogin*expo_0*authorize: False
Any special character in the display name, such as a : (colon) or . (period), is replaced by an _ (underbar).
By default, the login server allows X server access control on a per-user basis, based on authorization data stored and protected in the HomeDirectory/.Xauthority file. Only users who can read this file are allowed to connect to the X server. Generally, this is the preferred method of X server access control.
An alternative to user-based access control is host-based access control. Using this method, if a host is granted access to the X server, any user on that host is allowed to connect to the X server. Reasons to use host-based control include:
Older R2 and R3 X clients will not be able to connect to an X server using user-based access control.
On unsecured networks, a snooper may be able to intercept the authorization data passed between the X client and X server on the network.
The Xconfig Dtlogin*authorize resource tells the login server to use user-based X server access control. To use host-based access control, change the authorize resource value to False, for example:
Dtlogin*authorize: False
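Because host-based access control lets any user on a permitted host connect to the X server, it is worth knowing which displays end up with authorize turned off once per-display overrides are applied. The following added example (not from the original guide) resolves the effective setting for a display from Xconfig text; it assumes only : and . are rewritten to _ in display names, that ! and # start comment lines, and that any value other than True disables user-based control, and the function names are illustrative.

```python
# Constructed sample Xconfig; '!' and '#' comment lines are an assumption.
SAMPLE_XCONFIG = """\
! constructed sample
Dtlogin.pidFile: /var/myservers/Dtpid
Dtlogin*authorize: True
Dtlogin*expo_0*authorize: False
"""


def resource_display_name(display):
    """Map a display name to its resource form: ':' and '.' become '_'."""
    return display.replace(":", "_").replace(".", "_")


def parse_resources(text):
    """Return {resource_name: value} from 'name: value' lines."""
    resources = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "!#":
            continue
        # Resource names contain no ':' (display names are rewritten),
        # so the first colon separates the name from the value.
        name, sep, value = line.partition(":")
        if sep:
            resources[name.strip()] = value.strip()
    return resources


def user_based_access(resources, display):
    """Effective Dtlogin*authorize for one display (per-display entry wins)."""
    specific = "Dtlogin*%s*authorize" % resource_display_name(display)
    value = resources.get(specific, resources.get("Dtlogin*authorize"))
    if value is None:
        return True  # page: user-based access control is the default
    # Conservative for an audit: anything other than 'True' counts as off.
    return value.lower() == "true"


def host_based_displays(resources, displays):
    """Displays for which host-based X server access control is in effect."""
    return [d for d in displays if not user_based_access(resources, d)]
```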
If you want to provide the X server with one or more environment variables and values when started by the login server, you can specify them using the Dtlogin*environment resource in Xconfig. For example:
Dtlogin*environment: VAR1=foo VAR2=bar
will make the variables VAR1 and VAR2 available to the local X server process. These variables will also be exported to the Xsession and Xfailsafe scripts.
When the user logs in to the desktop from the login screen, the user session is run under the locale selected from the Language submenu of the Options menu. If the user does not select a language, the login server default language is used. You can control the value of the default language by setting the Dtlogin*language resource in Xconfig. For example:
Dtlogin*language: Ja_JP
Check your system documentation to determine the languages installed on your system.
By default the login server creates the login screen Language menu containing a list of all locales installed on the system. When the user selects a locale from the login screen language list, the login server will redisplay the login screen in the selected locale. When the user subsequently logs in, the login server will start a desktop session for the user in that locale.
You can specify your own list of languages by modifying the Dtlogin*languageList resource in Xconfig:
Dtlogin*languageList: En_US De_DE
The login server now displays only En_US and De_DE in the login screen Language menu.
After the X server has started but before the login screen appears, the login server runs the Xsetup script. Xsetup runs with root authority and issues commands needing to be run before the display of the login screen.
To modify Xsetup, copy Xsetup from /usr/dt/config to /etc/dt/config. The next time the login screen is displayed, the modified Xsetup will be run.
After the user enters the user name and password and they are authenticated, but before the user session is started, the login server runs the Xstartup script. Xstartup runs with root authority and issues commands needing to be run as root prior to the user session start.
To modify Xstartup, copy Xstartup from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xstartup will be run.
By default, the login server starts the user session by running the Xsession script. Xsession runs with the user's authority and issues commands needed to start the desktop.
Do not directly update the Xsession script.
See Chapter 2, Configuring Session Manager, for information on how to customize the user's desktop session startup.
If the user selects Failsafe Session from the Sessions submenu of the login screen Options menu, the login server runs the Xfailsafe script. Xfailsafe runs with the user's authority and issues commands needed to start a minimal windowing environment, usually a Terminal window and an optional window manager.
To modify Xfailsafe, copy Xfailsafe from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xfailsafe will be run.
After the user exits the desktop or failsafe session, the login server runs the Xreset script. Xreset runs with root authority and issues commands needing to be run as root after the end of the user's session.
If you wish to modify Xreset, copy Xreset from /usr/dt/config to /etc/dt/config. The next time the user logs in, the modified Xreset will be run.
The login server provides an environment that it exports to the Xsetup, Xstartup, Xsession, Xfailsafe and Xreset scripts. This environment is described in Table 1-1. Additional variables may also be exported by the login server.
Table 1-1 Login Server Environments
| Environment Variable | Xsetup | Xstartup | Xsession | Xreset | Description |
|---|---|---|---|---|---|
| | X | X | X | X | Default or selected language |
| | X | X | X | X | Alternate X authority file (optional) |
| | X | X | X | X | Value of the Dtlogin*userPath resource (Xsession, Xfailsafe) or Dtlogin*systemPath resource (Xsetup, Xstartup, Xreset) |
| | X | X | X | X | X server connection number |
| | X | X | X | X | Shell specified in /etc/passwd (Xsession, Xfailsafe) or Dtlogin*systemShell resource (Xsetup, Xstartup, Xreset) |
| | X | X | X | X | Value of Dtlogin.timeZone resource or timezone determined from system |
| | | X | X | X | User name |
| | | X | X | X | Home directory specified in /etc/passwd |
| | | X | X | X | User name |
The login server sets the PATH environment variable when it runs the Xsession and Xfailsafe scripts. You can provide an alternate path to these scripts
Dtlogin*userPath:/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11
Dtlogin*systemPath: /usr/bin/X11:/etc:/bin:/usr/bin:/usr/ucb
The login server sets the SHELL environment variable when it runs the Xsetup, Xstartup and Xfailsafe scripts. The default is /bin/sh. If you wish to provide an alternate shell to these scripts, you can set the Dtlogin*systemShell resource in Xconfig. For example:
Dtlogin*systemShell: /bin/ksh
The login server sets the TZ environment variable when it runs the Xsetup, Xstartup, Xsession, Xfailsafe, and Xreset scripts. The default value is derived from the system so usually you will not need to change this behavior. To provide an alternate time zone to these scripts, set the Dtlogin.timeZone resource in Xconfig. For example:
Dtlogin.timeZone: CST6CDT
When the login server starts, one dtlogin process is started. The dtlogin process reads the Xconfig file to determine the initial login server configuration and locate other login server configuration files. The login server then reads the Xservers file to see if it has any displays to explicitly manage, and also reads the Xaccess file to control access to the login server.
If the login server finds from the Xservers file that it needs to manage a local display, it will start an X server as instructed in the Xservers file and then display a login screen on that display.
If the login server finds from the Xservers file that it needs to manage a network display, it will assume an X server is already running with the specified display name and display a login screen on that display.
The login server will then wait for XDMCP requests from the network.
For each display managed, the login server first creates a new dtlogin process for that display. This means if the login server is managing n displays, there will be n+1 dtlogin processes. The login server will run the Xsetup script, load the Xresources file, then run dtgreet to display the login screen. Once the user has entered a username and password and has been authenticated, the login server will run the Xstartup script and then the Xsession or Xfailsafe script. When the user has exited the session, the login server will run the Xreset script.
If the login server gets an XDMCP-indirect request, it will run dtchooser to present a list of login server hosts on the display. When the user selects a host from the list, the login server on that host will manage the display.
For the Xaccess, Xconfig, Xfailsafe, Xreset, language/Xresources, Xservers, Xsetup, and Xstartup configuration files, the login server will by default look first in /etc/dt/config, then /usr/dt/config, and use the first file found.
The default locations of the Login Manager files are:
/usr/dt/bin/dtlogin--the login server and display manager
/usr/dt/bin/dtgreet--displays a login screen for a display
/usr/dt/bin/dtchooser--displays a chooser screen for a display
/usr/dt/bin/Xsession--starts a desktop session
/usr/dt/config/Xfailsafe--starts a failsafe session
/usr/dt/config/Xconfig--login server configuration file
/usr/dt/config/Xservers--login server display description file
/usr/dt/config/Xaccess--login server access description file
/usr/dt/config/language/Xresources--display layout resources
/usr/dt/config/Xsetup--display setup file
/usr/dt/config/Xstartup--pre-session startup file
/usr/dt/config/Xreset--post-session reset file
/var/dt/Xpid--process ID of the login server
/var/dt/Xerrors--error log file of the login server