System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Cannot remote Xlogin after C2 enhanced security enabled

Yan Sze Kit
Occasional Advisor

Cannot remote Xlogin after C2 enhanced security enabled

Dear all,

I have a Alpha box currrently running Tru64 4.0G. After I enabled the C2 security. I have done all the configuration in ttys, devassign and generated the ttys.db. But I cannot remote login using Xclient software (Exceed). No error message occurred. Can I have any suggestion to do the troubleshooting in this issue. Many thanks.

Yan
9 REPLIES
Ralf Puchner
Honored Contributor

Re: Cannot remote Xlogin after C2 enhanced security enabled

Hello Yan,

please change the files

/etc/auth/system/ttys,
/etc/auth/system/devassign
/etc/securettys

as follows:

In the following, replace host, host.sub.domain and n.n.n.n by the
hostname, full domain name and IP address of the host(s) you are trying to connect from.

Add lines like the following to /etc/auth/system/ttys :

host\:0:t_devname=host\:0:t_xdisplay:t_login_timeout#0:chkent:

Add lines like the following to /etc/auth/system/devassign :

host\:0:v_devs=host\:0,host.sub.domain\:0,n.n.n.n\:0:v_type=xdisplay
:chkent:

Add lines like the following to /etc/securettys :

host.sub.domain:0
host:0

Have Exceed worked without C2? If not why have you enabled it ;-)
Help() { FirstReadManual(urgently); Go_to_it;; }
Yan Sze Kit
Occasional Advisor

Re: Cannot remote Xlogin after C2 enhanced security enabled

Dear Ralf Puchner,

Thanks for your clear instructions. I have done all the configuration as you taught me in the forum. But Exceed still doesn't work. However, I have another Alpha box that running Tru64 4.0D. Again, I enable the C2 security feature that as same as you taught me in the forum. Then the Exceed works.

I am wondering there is a difference between 4.0G C2 security and 4.0D c2 Security.

In Addition, I found there is a error message in /var/dt/Xerrors when I try connected the server (Tru64 4.0G)


Error Message is shown as below :-

XIO: fatal IO error 54 (Connection reset by peer) on X server "ncdxterm:1.0" after 37 requests (36 known processed) with 0 events remaining.

Many thanks .

yan
Ralf Puchner
Honored Contributor

Re: Cannot remote Xlogin after C2 enhanced security enabled

Yan,

please check if there is a name resolution problem on alpha and pc side. Is there a possiblity to enable debugging on exceed side?
Help() { FirstReadManual(urgently); Go_to_it;; }
Yan Sze Kit
Occasional Advisor

Re: Cannot remote Xlogin after C2 enhanced security enabled

Dear Ralf Puchner

I have added the client IP in /etc/hosts and also added the server IP and hostname in client PC (Exceed). But it still doesn't work.

Is it possible to get more info (message log) from the Alpha server?

Is any ports blocked after the C2 security service is enabled?

Many thanks


Yan
Ralf Puchner
Honored Contributor

Re: Cannot remote Xlogin after C2 enhanced security enabled

Hello Yan,

ports are not blocked but the used devices must be "unlocked". This was done by the commands within my previous answer.

There is a log-file called Xerrors logging X11-problems and maybe within /var/adm/syslog.dated/current are more informations about security issues.

You wrote you have double checked the settings, are you sure you are using the correct hostname/ip translation, e.g. full qualified hostname/shortname?

Is it possible to login to the Alpha from another maschine without Exceed?
Help() { FirstReadManual(urgently); Go_to_it;; }
Yan Sze Kit
Occasional Advisor

Re: Cannot remote Xlogin after C2 enhanced security enabled

Dear HP engineer,

I have successfully login the Alpha server using telnet session. Only the Xclient cannot login after the C2 security is enabled. I have double checked the setting that is correct. There is not much infomation that in /var/adm/syslog.dated/current.


What do you mean full qualified hostname/shortname?

I have added my client PC (Xclient) in Alpha server /etc/hosts.
e.g.
ncdxterm 10.1.1.12

Am I right?

Yan
Dave Bechtold
Respected Contributor

Re: Cannot remote Xlogin after C2 enhanced security enabled

Hi Yan,

Regarding getting more detailed errors about C2 login failures. If you touch a file in /var/adm/ named sialog you will see C2 login's - Time stamp, device used, user etc... and errors.

Example:
# touch /var/adm/sialog

Then just try a login again and check the file. This will show if the problem is C2 related - may not be.

The issue could be related to XDM protocol used for the session and authentication protocol XDM-AUTHENTICATION-1, or Fonts not being available under Exceed etc...

Under Exceed you should be able to enable error logging - I'd do that and see if you are not getting an error related to the X Login trying to display to the Exceed PC and failing. I say this because you are seeing the "XIO fatal IO Error" message in the Xerrors file. I think you are getting authenticated OK but failing to display the Login Box for some other reason.

Post any errors from Exceed when trying to launch a session.

Another approach to this type of problem is to start Exceed as a standalone Xserver and then push dtlogin display to it and see if it fails.

- Start Exceed without using XDM Login
- Start a telent session to the Tru64 Unix system
- In the telnet session set the DISPLAY variable to point back at the PC IP Address/Name and Xserver.

Ex:
sh & ksh
# DISPLAY=ncdxterm:1.0;export DISPLAY

Maybe also try...
# DISPLAY=ncdxterm:0;export DISPLAY

csh
# setenv DISPLAY ncdxterm:1.0
Or...
# setenv DISPLAY ncdxterm:0

- Now let's try to launch a Login Box running the dtlogin, assuming your using CDE and not XDM as the default GUI.

# /usr/dt/bin/dtlogin


Hope that helps.

Regards,
Dave Bechtold
Ralf Puchner
Honored Contributor

Re: Cannot remote Xlogin after C2 enhanced security enabled

The /etc/hosts entries should be done in the following order:

10.1.1.12 ncdxterm.domainname.de ncdxterm

shortname = ncdxterm
longname = ncdxterm.domainname.de

If you type in "hostname" what is delivered back? long or shortname?
Help() { FirstReadManual(urgently); Go_to_it;; }
Alex Glennie
Honored Contributor

Re: Cannot remote Xlogin after C2 enhanced security enabled

Start Exceed : Xconfig -> Troubleshooting -> View Log and also note the Trace initially on check box too .... hopefully you can use this feature of exceed to establish whether this is C2 related or more likely a case of hostname resolution : use Exceeds on-line help to check out the meaning of the exceed errors you see in the log file .

One other question are the PC and the Alpah box on the same subnet ? traditionally X does not broadcast out XDMCP requests to different subnets without configuration of the s/w involved in this case Exceed.

lastly what does nslookup 10.1.1.12 yield when run on the alpha server ? I'm wondering if you are going to a DNS server first rather than reading the local /etc/hosts file.