dtlogin Command
Purpose
Performs a CDE login service.
Syntax
dtlogin [ -config configuration_file ] [ -daemon ] [ -debug debug_level ] [ -error error_log_file ] [ -nodaemon ] [ -resources resource_file ] [ -server server_entry ] [ -session session_program ] [ -udpPort port_number ]
Description
- Launching dtgreet login screen for explicitly managed local and remote displays and XDMCP-managed remote displays.
- Accessing traditional terminal (character) login from GUI login screen
- Authenticating and logging in system-dependent users
- Launching the selected session
The dtlogin command provides services similar to those provided by init, getty, and login on character terminals, which include prompting for login and password, authenticating the user, and running a session. A session is defined by the lifetime of a particular process. In the traditional character-based terminal world, a session is the user's login shell process; in the DT context, it is the DT Session Manager. If the DT Session Manager is not used, the typical substitute is either a window manager with an exit option, or a terminal emulator running a shell, where the lifetime of the terminal emulator is the lifetime of the shell process that it is running. This reduces the X session to an emulation of the character-based terminal session. When the session is terminated, dtlogin resets the X server and (optionally) restarts the whole process.
The dtlogin command supports management of remote displays using the X Display Manager Control Protocol, Version 1.0 (XDMCP). When dtlogin receives an indirect query from XDMCP, it can run a chooser process to perform an XDMCP BroadcastQuery (or an XDMCP Query to specified hosts) on behalf of the display and offer a menu of possible hosts that offer XDMCP display management. This feature is useful with X terminals that do not offer a host menu.
Because dtlogin provides the first interface that users see, it is designed to be simple to use and easy to customize according to the needs of a particular site.
Login Window
The Login window allows users to enter a user ID and password, select a startup session, and select a startup locale. Users can also reset the X server or temporarily suspend the X server to access the character login prompt.
- login field
- Provides an entry field in which users enter their IDs.
- password field
- Provides an entry field in which users enter their passwords (no-echo).
- OK button
- Authenticates a user and launches a session.
- Clear button
- Clears login and password fields.
- Options
- Lets users select a locale name and login session type. It also lets users restart the X server or switch to a character login prompt (for local displays). The contents of the Options menu are as follows:
- Languages
- Displays the Languages menu. Selecting the language from the login screen Options menu immediately localizes the login screen and sets the LANG variable for the next session. Login screen localization and LANG return to the default value upon conclusion of the session. The contents of this menu can vary depending upon the locales installed on the system. They can be overridden by using the languageList resource. The default locale of C can be overridden using the language resource. The system or languageList locales specified are displayed as menu items in the Languages menu. Alternate text to be displayed can be specified for a given locale name by using the languageName resource.
- No-windows
- Displays character login prompt (local displays only).
- Reload Login
- Restarts the X Server and returns to login screen.
- Resources
- Lists resources to be used.
- Sessions
- Displays Sessions menu. Allows users to select which session type should be started upon login. Menu items include the following:
- DT Session
- Starts a regular desktop session (Xsession).
- Fail-safe Session
- Starts a fail-safe session (Xfailsafe).
- Help
- Displays help messages.
Controlling the Server
The dtlogin command controls local servers using POSIX signals. The SIGHUP signal is expected to reset the server, closing all client connections and performing other clean up duties. The SIGTERM signal is expected to terminate the server. If these signals do not perform the expected actions, the resetSignal and termSignal resources can specify alternate signals.
To control remote servers that are not using XDMCP, dtlogin searches the window hierarchy on the display and uses the KillClient X protocol request in an attempt to clean up the terminal for the next session. This might not actually kill all of the clients, because only those that have created windows are noticed. XDMCP provides a more sure mechanism; when dtlogin closes its initial connection, the session is over and the terminal is required to close all other connections.
Controlling dtlogin
The dtlogin command responds to two signals: SIGHUP and SIGTERM. When it is sent a SIGHUP, dtlogin rereads the configuration file and the file specified by the servers resource, and determines whether entries have been added or removed. If a new entry has been added, dtlogin starts a session on the associated display. Entries that have been removed are disabled immediately, meaning that any session in progress is terminated without notice, and no new session is started. When sent a SIGTERM, dtlogin terminates all sessions in progress and exits. This can be used when shutting down the system.
Internationalization
All labels and messages are localizable. The dtlogin.cat message catalog contains the localized representations of the default labels and messages. The dtlogin command reads the appropriate message catalog indicated by the LANG environment variable and displays the localized strings. An option on the authentication screen allows the user to override the default language for the subsequent session. If the authentication screen has been localized for the selected language, the screen is redisplayed in that language; otherwise, it is displayed in the default language. In either case, the LANG environment variable is set appropriately for the resulting session.
The resource language is available in the dtlogin configuration file to change the default language for a display. The languageList resource is available in the dtlogin configuration file to override the default set of languages displayed on the authentication screen. The languageName resource is available to provide a mapping from locale names to the text displayed on the Language menu.
Authentication and Auditing
The dtlogin command is a login service enabled by PAM with service name dtlogin. The dtlogin client supports PAM authentication in addition to traditional local UNIX login and auditing. Additional authentication or auditing functions, such as Kerberos or B1, can be added by individual vendors.
To use PAM for system-wide authentication, establish root user permissions and modify the value of the auth_type attribute in the usw stanza of the /etc/security/login.cfg file to PAM_AUTH.
dtlogin auth required /usr/lib/security/pam_aix
dtlogin account required /usr/lib/security/pam_aix
dtlogin password required /usr/lib/security/pam_aix
dtlogin session required /usr/lib/security/pam_aix
X Server Security
The X server provides both user-based and host-based access control. By default, dtlogin uses user-based access control to the X server (MIT-MAGIC-COOKIE-1). This level of security allows access control on a per-user basis. It is based on a scheme where if a client passes authorization data that matches what the server has, the client is allowed access. When a user logs in, this authorization data is by default stored and protected in the $HOME/.Xauthority file.
However, using host-based access control mechanisms might be preferable in environments with unsecure networks, because user-based access control allows any host to connect if the host has discovered the private key. Another drawback to user-based access control is that R2 or R3 clients are unable to connect to the server.
The authorize resource controls whether user-based or host-based access control is used by dtlogin. See the xhost and xauth commands for more information.
Resources
The dtlogin command is controlled by the contents of the dtlogin configuration file, which defaults to /usr/dt/config/Xconfig. Some resources control the behavior of dtlogin in general, and others can be specified for a particular display.
General Resources
Item | Description |
---|---|
accessFile | |
authDir | |
autoRescan | |
daemonMode | |
debugLevel | |
errorLogFile | |
errorLogSize | |
exportList | |
fontPathHead | |
fontPathTail | |
keyFile | |
lockPidFile | |
networkDevice | |
pidFile | |
removeDomainname | |
requestPort | |
servers | |
sysParmsFile | |
timeZone | |
wakeupInterval | |
Display Resources
The dtlogin command display resources can be specified for all displays or for a particular display. To specify a particular display, the display name is inserted into the resource name between Dtlogin and the final resource name segment. For example, Dtlogin.expo_0.startup is the name of the resource defining the startup shell file on the expo:0 display. The resource manager separates the name of the resource from its value with colons, and separates resource name parts with dots, so dtlogin uses underscores (_) for the dots (.) and colons (:) when generating the resource name.
Resources can also be specified for a class of displays by inserting the class name instead of a display name. A display that is not managed by XDMCP can have its class affiliation specified in the file referenced by the servers resource. A display using XDMCP supplies its class affiliation as part of the XDMCP packet.
Item | Description |
---|---|
authorize | |
authName | |
authFile | |
chooser | |
cpp | |
environment | |
failsafeClient | |
grabServer | |
grabTimeout | |
language | |
languageList | |
languageName | |
openDelay | |
openRepeat | |
openTimeout | |
pingInterval | |
pingTimeout | |
reset | |
resetForAuth | |
resetSignal | |
resources | |
session | |
setup | |
startAttempts | |
startup | |
systemPath | |
systemShell | |
terminateServer | |
termSignal | |
userAuthDir | |
userPath | |
xdmMode | |
xrdb | |
Logo Resources
Dtlogin*logo*
when specified.
Item | Description |
---|---|
bitmapFile | |
background | |
topShadowPixmap | |
Dtlogin*greeting*
when specified.
Item | Description |
---|---|
foreground | |
background | |
fontlist | |
labelString | |
perLabelString | |
alignment | |
Matte Resources
Dtlogin*matte.
string when specified.
Item | Description |
---|---|
width | |
height | |
Label Resources
string Dtlogin*.
when specified.
Item | Description |
---|---|
labelFont | |
textFont | |
Flags
All flags, except -config, specify values that can also be specified in the configuration file as resources. Typically, customization is done using the configuration file rather than command line options. These flags are most useful for debugging and one-shot tests.
Item | Description |
---|---|
-config configuration_file | Specifies a resource file that specifies the remaining configuration parameters. This replaces the dtlogin default Xconfig file. See the Xconfig file section for more information. |
-daemon | Specifies true as the value for the daemonMode resource. This makes dtlogin close all file descriptors, disassociate the controlling terminal, and put itself in the background when it first starts up (just like the host of other daemons). |
-debug debug_level | Specifies the numeric value for the debug_level resource. A nonzero value causes dtlogin to print debugging statements to the terminal; it also disables the daemonMode resource, forcing dtlogin to run synchronously. |
-error error_log_file | Specifies the value for the error_log_file resource. See the Xerrors file section for more information. |
-nodaemon | Specifies false as the value for the daemonMode resource. |
-resources resource_file | Specifies the value for the resource_file resource. See the Xresources file section for more information. |
-server server_entry | Specifies the value for the server_entry resource. See the Xservers file section for more information. |
-udpPort port_number | Specifies the value for the requestPort resource. This sets the port number that dtlogin monitors for XDMCP requests. Because XDMCP uses the well-known registered udp port 177, avoid changing this resource except for debugging. |
-session session_program | Specifies the value for the session_program resource. See the Xconfig file section for more information. |
Environment Variables
The dtlogin command invokes the user's session with the following default environment:
Item | Description |
---|---|
DISPLAY | Set to the associated display name. |
EDITOR | Set to /usr/dt/bin/dtpad. |
HOME | Set to the home directory of the user. |
KBD_LANG | Set to the value of LANG for applicable languages. |
LANG | Set to the current NLS language (if any). |
LC_ALL | Set to the current NLS language (if any). |
LC_MESSAGES | Set to the current NLS language (if any). |
LOGNAME | Set to the user name. |
MAIL | Set to /usr/mail/$USER (system dependent). |
PATH | Set to the value of the userPath resource. |
USER | Set to the user name. |
SHELL | Set to the user's default shell (from /etc/passwd). |
TERM | Set to dtterm. |
TZ | Set to the value of the timeZone resource or system default. |
XAUTHORITY | Set to authority file. |
Adding to the Environment List
- The exportList resource is available to allow the export of variables provided to the dtlogin process by its parent. Variables specified by this method are available to both the display's X server process and the user's session, and they override any default settings. The resource accepts a string of name=value separated by at least one space or tab.
- The environment resource is available in the dtlogin configuration file to allow setting of environment variables on a global or per-display basis. Variables specified by this method are available to both the display's X server process and the user's session, and they override any default settings. The resource accepts a string of name=value separated by at least one space or tab. The values specified must be constants because no shell is used to parse the string. For example:
Dtlogin*environment:MAIL_HOST=blanco MAIL_SERVER=pablo
Note: The LANG and TZ environment variables have their own dedicated resources in the configuration file and should not be set by the environment.
- Environment variables that require processing by a shell or are dependent on the value of another environment variable can be specified in the startup script Xsession. These variables are loaded into the environment of all users on the display, but not to the X server process. They override any previous settings of the same variable. The Xsession script accepts ksh syntax for setting environment variables. For example:
MAIL=/usr/mail/$USER
- Personal environment variables can be set on a per-user basis in the $HOME/.dtprofile script file. The dtlogin command accepts either sh, ksh, or csh syntax for the commands in this file. The commands should only be those that set environment variables, not any that perform terminal I/O, with the exception of tset or stty. If the first line of .dtprofile is #!/bin/sh, #!/bin/ksh or #!/bin/csh, dtlogin uses the appropriate shell to parse .dtprofile. Otherwise, the user's default shell ($SHELL) is used.
Exit Status
The following exit values are returned:
Item | Description |
---|---|
0 | Successful completion. |
>0 | An error occurred. |
Examples
- To start the CDE login service as a daemon, enter:
/usr/dt/bin/dtlogin -daemon
- To start the CDE login service in debug mode, enter:
/usr/dt/bin/dtlogin -debug 1
Location
/usr/dt/bin/dtlogin
Standard Errors
Login incorrect; please try again.
Unable to change to home directory.
Sorry. Maximum number of users already logged in.
Login error, invalid user ID.
Login error, invalid group ID.
Login error, invalid audit ID.
Login error, invalid audit flag.
Logins are currently disabled.
Your current password has expired.
Files
The dtlogin command is designed to operate in a wide variety of environments and provides a suite of configuration files that can be changed to suit a particular system. The default dtlogin configuration files can be found in /usr/dt/config with the exception of Xsession, which is stored in /usr/dt/bin. They are as follows:
Item | Description |
---|---|
/usr/dt/config/Xconfig | Specifies other dtlogin configuration files and dtlogin behavior. |
/usr/dt/config/Xaccess | Controls access from displays requesting XDMCP service. |
/usr/dt/config/Xservers | Contains the list of displays for dtlogin to explicitly manage. |
/usr/dt/config/Xresources | Contains resource definitions specifying the appearance of the login screen. |
/usr/dt/config/Xsetup | A script executed as root prior to display of the login screen. |
/usr/dt/config/Xstartup | A script executed as root after the user has successfully authenticated. |
/usr/dt/bin/Xsession | A script executed as the authenticated user that starts the user's session. |
/usr/dt/config/Xfailsafe | A script executed as the authenticated user that starts a fail-safe session. |
/usr/dt/config/Xreset | A script executed as root after the user's session has exited. |
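Because Xsetup, Xstartup and Xreset in the table above are executed as root, any copy that a non-root account can modify gives that account a way to run commands as root at the next login cycle. The following check is an added example, not part of the original documentation: it audits every copy found under /usr/dt/config and /etc/dt/config (the customization location this page names) for ownership and write permissions; the function names and the trusted_uid parameter are assumptions made for the example.

```python
import os
import stat

# Scripts the Files table lists as executed as root by dtlogin.
ROOT_RUN_SCRIPTS = ("Xsetup", "Xstartup", "Xreset")
# Customization location and default location named on this page.
CONFIG_DIRS = ("/etc/dt/config", "/usr/dt/config")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_path(path, trusted_uid=0):
    """Return findings for one script and its directory; [] means clean."""
    findings = []
    for label, target in (("script", path),
                          ("directory", os.path.dirname(path) or ".")):
        st = os.stat(target)
        if st.st_uid != trusted_uid:
            findings.append(f"{label} {target}: owned by uid {st.st_uid}")
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings.append(
                f"{label} {target}: writable by group or others "
                f"({stat.filemode(st.st_mode)})")
    return findings


def audit_root_scripts(config_dirs=CONFIG_DIRS, trusted_uid=0):
    """Audit every copy of a root-run script found in config_dirs."""
    report = {}
    for directory in config_dirs:
        for name in ROOT_RUN_SCRIPTS:
            path = os.path.join(directory, name)
            if os.path.isfile(path):
                report[path] = audit_path(path, trusted_uid)
    return report


if __name__ == "__main__":
    for path, findings in audit_root_scripts().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Group-writable files are flagged even when the group is an administrative one, so review each finding against local policy.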
The Xconfig File
- Dtlogin.errorLogFile
- /var/dt/Xerrors
- Dtlogin.pidFile
- /var/dt/Xpid
- Dtlogin.accessFile
- Xaccess
- Dtlogin.servers
- Xservers
- Dtlogin*resources
- %L/Xresources
- Dtlogin*setup
- Xsetup
- Dtlogin*startup
- Xstartup
- Dtlogin*reset
- Xreset
- Dtlogin*failsafeClient
- Xfailsafe
- Dtlogin*session
- /usr/dt/bin/Xsession
* separating the components. These resources can be made unique for each different display, by replacing the * with the display-name. Refer to Display Resources for more information.
The default Xconfig file is /usr/dt/config/Xconfig. A system administrator can customize Xconfig by copying /usr/dt/config/Xconfig to /etc/dt/config/Xconfig and modifying /etc/dt/config/Xconfig. The default Xconfig file contains the preceding configuration and log file entries in addition to a few vendor specific resource definitions and examples.
The Xaccess File
The database file specified by the accessFile resource provides information which dtlogin uses to control access from displays requesting XDMCP service. This file contains three types of entries: entries which control the response to Direct and Broadcast queries, entries which control the response to Indirect queries, and macro definitions.
The format of a Direct entry is either a host name or a pattern. A pattern is distinguished from a host name by the inclusion of one or more meta characters (* matches any sequence of 0 or more characters, and ? matches any single character) which are compared against the host name of the display device. If the entry is a host name, all comparisons are done using network addresses, so any name which converts to the correct network address can be used. For patterns, only canonical host names are used in the comparison, so ensure that you do not attempt to match aliases. Putting an exclamation point (!) character before either a host name or a pattern causes hosts that match that entry to be excluded.
An Indirect entry also contains a host name or pattern, but follows it with a list of host names or macros to which indirect queries should be sent. Indirect entries can also specify to have dtlogin run dtchooser to offer a menu of hosts to which a login screen can be displayed.
A macro definition contains a macro name and a list of host names and other macros that the macro expands to. To distinguish macros from host names, macro names start with a % character. Macros can be nested.
When the access for a particular display host is checked, each entry is scanned in turn and the first matching entry determines the response. Direct and Broadcast entries are ignored when scanning for an Indirect entry and vice-versa. Blank lines are ignored, # is treated as a comment delimiter causing the rest of that line to be ignored, and \newline causes the newline to be ignored, allowing indirect host lists to span multiple lines.
#
# Xaccess - XDMCP access control file
#
#
# Direct/Broadcast query entries
#
!xtra.lcs.mit.edu # disallow direct/broadcast service for xtra
bambi.ogi.edu # allow access from this particular display
*.lcs.mit.edu # allow access from any display in LCS
#
# Indirect query entries
#
#define %HOSTS macro
%HOSTS expo.lcs.mit.edu xenon.lcs.mit.edu \
excess.lcs.mit.edu kanga.lcs.mit.edu
#force extract to contact xenon
extract.lcs.mit.edu xenon.lcs.mit.edu
#disallow indirect access by xtra
!xtra.lcs.mit.edu dummy
#all others get to choose among %HOSTS
*.lcs.mit.edu %HOSTS
If XDMCP access is granted, a temporary file can be created in the directory specified by authDir which contains authorization information for the X-terminal. It is deleted when the session starts.
For X terminals that do not offer a host menu for use with Broadcast or Indirect queries, the chooser program can do this for them. In the Xaccess file, specify CHOOSER as the first entry in the Indirect host list. The chooser program sends a Query request to each of the remaining host names in the list and displays a menu of all the hosts that respond. The list might consist of the word BROADCAST, in which case chooser sends a Broadcast instead, again displaying a menu of all hosts that respond. On some operating systems, UDP packets cannot be broadcast, so this feature will not work.
#offer a menu of these hosts to extract
extract.lcs.mit.edu CHOOSER %HOSTS
#offer a menu of all hosts to xtra
xtra.lcs.mit.edu CHOOSER BROADCAST
The program to use for chooser is specified by the chooser resource. Resources for this program can be put into the file named by resources. The default Xaccess file is /usr/dt/config/Xaccess. A system administrator can customize Xaccess by copying /usr/dt/config/Xaccess to /etc/dt/config/Xaccess and then modifying /etc/dt/config/Xaccess. The default Xaccess file contains no entries.
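To review what an Xaccess file actually grants, it helps to evaluate it the way this section describes: comments and \newline continuations removed, macros expanded, and the first matching entry deciding the response separately for Direct/Broadcast and Indirect queries. The following evaluator is an added example, not part of the original documentation or of dtlogin; its function names are assumptions, the sample is constructed from the entries shown above, and it compares names as strings, whereas dtlogin compares plain host-name entries by network address.

```python
import re

# Constructed sample, modelled on the Xaccess entries shown in this section.
SAMPLE_XACCESS = """\
!xtra.lcs.mit.edu        # disallow direct/broadcast service for xtra
bambi.ogi.edu            # allow access from this particular display
*.lcs.mit.edu            # allow access from any display in LCS
%HOSTS expo.lcs.mit.edu xenon.lcs.mit.edu \\
       excess.lcs.mit.edu kanga.lcs.mit.edu
extract.lcs.mit.edu xenon.lcs.mit.edu
!xtra.lcs.mit.edu dummy
kanga.lcs.mit.edu CHOOSER BROADCAST
*.lcs.mit.edu CHOOSER %HOSTS
"""


def parse_xaccess(text):
    """Split Xaccess text into direct entries, indirect entries and macros."""
    text = text.replace("\\\n", " ")            # \newline continues a host list
    direct, indirect, macros = [], [], {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # '#' comments out the rest
        if tokens and tokens[0].startswith("%"):
            macros[tokens[0]] = tokens[1:]      # macro definition
        elif tokens:                            # blank lines fall through
            negate = tokens[0].startswith("!")
            entry = (negate, tokens[0].lstrip("!"), tokens[1:])
            (indirect if tokens[1:] else direct).append(entry)
    return direct, indirect, macros


def matches(pattern, host):
    """'*' matches any run of characters, '?' exactly one; else exact name."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host, re.IGNORECASE) is not None


def expand(names, macros, seen=()):
    """Expand %MACRO names recursively, rejecting unknown or cyclic macros."""
    hosts = []
    for name in names:
        if not name.startswith("%"):
            hosts.append(name)
        elif name in seen or name not in macros:
            raise ValueError(f"bad macro reference: {name}")
        else:
            hosts.extend(expand(macros[name], macros, seen + (name,)))
    return hosts


def direct_decision(host, direct):
    """First matching Direct/Broadcast entry wins; None if nothing matches."""
    for negate, pattern, _ in direct:
        if matches(pattern, host):
            return "deny" if negate else "allow"
    return None


def indirect_decision(host, indirect, macros):
    """First matching Indirect entry wins; returns (action, host list)."""
    for negate, pattern, targets in indirect:
        if not matches(pattern, host):
            continue
        if negate:
            return ("deny", [])
        hosts = expand(targets, macros)
        if hosts[:1] == ["CHOOSER"]:
            return ("chooser", hosts[1:])
        return ("forward", hosts)
    return None


DIRECT, INDIRECT, MACROS = parse_xaccess(SAMPLE_XACCESS)

if __name__ == "__main__":
    for h in ("xtra.lcs.mit.edu", "expo.lcs.mit.edu", "host.example.org"):
        print(h, direct_decision(h, DIRECT), indirect_decision(h, INDIRECT, MACROS))
```

Entry order matters: moving the !xtra.lcs.mit.edu line below *.lcs.mit.edu would turn the deny into an allow, which is the kind of mistake this evaluation makes visible.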
The Xservers File
The Xservers file contains the list of displays to manage. The default Xservers file is /usr/dt/config/Xservers. A system administrator can customize Xservers by copying /usr/dt/config/Xservers to /etc/dt/config/Xservers and then modifying /etc/dt/config/Xservers. The default Xservers file contains an entry for one local display.
The Xresources File
The Xresources file contains the resource definitions specifying the appearance of the login screen. The default Xresources file is /usr/dt/config/Xresources. A system administrator can customize Xresources by copying /usr/dt/config/Xresources to /etc/dt/config/Xresources and then modifying /etc/dt/config/Xresources.
The Xsetup File
The Xsetup file is typically a shell script. Only root users can run it, and they should be very careful about security. This script is run before the login screen is displayed. No arguments of any kind are passed to the script. The dtlogin command waits until this script exits before displaying the login screen.
The default Xsetup file is /usr/dt/config/Xsetup. A system administrator can customize Xsetup by copying /usr/dt/config/Xsetup to /etc/dt/config/Xsetup and then modifying /etc/dt/config/Xsetup. The default Xsetup file contains vendor specific code but typically contains code that sets up the X server prior to the display of the login screen, such as setting up keyboard maps.
The Xstartup File
- DISPLAY
- Set to the associated display name.
- HOME
- Set to the home directory of the user.
- PATH
- Set to the value of the systemPath resource.
- USER
- Set to the user name.
- SHELL
- Set to the value of the systemShell resource.
No arguments of any kind are passed to the script. The dtlogin command waits until this script exits before starting the user session. If the exit value of this script is nonzero, dtlogin discontinues the session immediately and starts another authentication cycle.
The default Xstartup file is /usr/dt/config/Xstartup. A system administrator can customize Xstartup by copying /usr/dt/config/Xstartup to /etc/dt/config/Xstartup and then modifying /etc/dt/config/Xstartup. The default Xstartup file contains code to change ownership of /dev/console to the user whose session is running on the console.
The Xsession File
The Xsession script initializes a user's session and invokes the desktop session manager. It is run with the permissions of the authorized user, and has several environment variables preset. See Environment Variables for a list of the preset variables.
- Sources the user's $HOME/.dtprofile
- Sources any /etc/dt/config/Xsession.d/* scripts
- Sources any /usr/dt/config/Xsession.d/* scripts
- Launches the desktop welcome client, dthello, in the background
- Sources the application search path setup script, dtsearchpath
- Launches the help setup client, dthelpgen, in the background
- Launches the application manager directory setup client, dtappgather, in the background
- Execs the desktop session manager, dtsession
The Xreset File
Symmetrical with Xstartup, the Xreset script is run after the user session has terminated. Because it is run by a root user, the Xreset script should contain commands that undo the effects of commands in Xstartup, such as unmounting directories from file servers. The collection of environment variables that were passed to Xstartup are also given to Xreset.
The default Xreset file is /usr/dt/config/Xreset. A system administrator can customize Xreset by copying /usr/dt/config/Xreset to /etc/dt/config/Xreset and then modifying /etc/dt/config/Xreset. The default Xreset file contains code to change ownership of /dev/console back to root.
The Xerrors File
The Xerrors file contains error messages from dtlogin and anything output to stderr by Xsetup, Xstartup or Xreset. The system administrator can use the contents of this file for dtlogin troubleshooting. The errorLogSize resource limits the size of the Xerrors file and can prevent it from growing without bound. If the file does grow larger than the requested size and is truncated by dtlogin, any user who is accessing the file (for example, using cat or tail) will need to close the file (after the file is truncated) and reopen it for access in order to see subsequent information that is logged to the file.
A system administrator can change the path name of the Xerrors file by setting the errorLogFile resource in the Xconfig file.
The Xpid File
The Xpid file contains the process ID of the master dtlogin process, which can be used when sending signals to dtlogin. A system administrator can change the path name of the Xpid file by setting the pidFile resource in the Xconfig file.