XDMCP notes


What and how

The X Display Manager Control Protocol (XDMCP) lets you log in graphically to a remote computer.


Basically, it asks a remote host to connect to your X server with a client that shows/does session login stuff.

XDMCP works by invitation: a host that would like XDMCP to manage it will advertise itself, inviting an XDMCP-capable host to connect to its X server.


It makes remote X logins about as flexible as local logins -- on local networks, anyway. XDMCP uses UDP, which means it can't be forwarded over SSH (as X itself can). If you want to do XDMCP over larger distances, you would use some type of VPN, probably an encrypted one, to avoid snooping on either protocol.


XDMCP setups can be useful for users as it's a simple way of running things remotely but showing them on your client/workstation.

This can also be a handy way to use a thin client, or reuse an old computer, to do little more than display all the work that's done on the more powerful remote host.


Using a login manager this way can be handy for admins, as logins will be mediated by the XDMCP host - a single place. XDMCP runs on some remote host, which itself runs a login manager (like xdm, gdm, kdm). That login manager is just another X client that connects to your local X server.

(It also avoids the trouble of having to bake your own password setup, and deal with fixed screen numbers -- as is the case for multiple remote logins the VNC way)


Notes:

  • An XDMCP server should obviously be powerful when it serves more than one or two clients, as it's doing most of the work.
  • Since you are running the X server that things get displayed on, there's usually no reason you can't have local X clients connect to it at the same time - though it can get confusing to you in that you don't necessarily know what came from which host.



Technical details

Connection process:

  • The XDMCP server is set up with XDMCP enabled (listens for connections - UDP port 117)
  • Someone starts an X server, which (implicitly or explicitly) either queries a specific XDMCP server or broadcasts to ask whether there are any XDMCP servers on the subnet.
  • The XDMCP server accepts the connection, or notices the broadcast. From the user's point of view, the XDMCP server starts connecting X clients to you. Usually, it gives a login screen as you would also get locally. Once authenticated, it will send you applications.


Networking:

XDMCP uses UDP port 117.

The X protocol will need TCP ports dependent on the X server's display number: 6000 + display number (6000 for :0, 6001 for :1, etc).


Security:

XDMCP is usually disabled by default since you need to know what you're doing to use it securely. The XDMCP server/port should only be reachable from the computers that should be able to use it, and more importantly, the X servers that connect to it should only accept X clients from the XDMCP server.

More specific access control is possible, and regularly a good idea since the very simplest methods open up XDMCP login to everyone on the local network. A simple option is usually to alter the XDMCP server's firewall so that the only hosts that can reach XDMCP (UDP port 117) are the ones you want to allow.


You may want to make the graphical end (X server) only accept incoming X protocol connections from the XDMCP host(s). Your client may do that automatically.
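
An added example, not part of the original notes: shell functions that derive the X protocol port from a display name and print (without applying) iptables rules that accept X connections only from the XDMCP host(s). The function names and the choice of iptables are assumptions; 192.168.0.1 is the server address used in the Cygwin/X example on this page.

```shell
#!/bin/sh
# Added example: restrict the X server's TCP port to the XDMCP host(s).
# Rules are printed, not applied, so they can be reviewed first.

# x_port DISPLAY -> TCP port of that X display (6000 + display number).
# Accepts ":0", ":1.0", "host:2"; rejects anything without a display number.
x_port() {
    case $1 in
        *:*) ;;
        *) echo "not a display name: $1" >&2; return 1 ;;
    esac
    d=${1##*:}      # strip the host part, up to the last colon
    d=${d%%.*}      # strip the optional ".screen" suffix
    case $d in
        ''|*[!0-9]*|0?*) echo "bad display number in: $1" >&2; return 1 ;;
    esac
    echo $((6000 + d))
}

# x_server_rules DISPLAY XDMCP_HOST...
# Run on the machine with the X server (the workstation or thin client).
x_server_rules() {
    port=$(x_port "$1") || return 1
    shift
    [ $# -gt 0 ] || { echo "need at least one XDMCP host" >&2; return 1; }
    for host in "$@"; do
        echo "iptables -A INPUT -p tcp -s $host --dport $port -j ACCEPT"
    done
    # Everything else that tries to reach this display is dropped.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

x_server_rules :0 192.168.0.1
```

Rule order matters: the ACCEPT lines must come before the final DROP, which is why they are emitted in that sequence.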


Setup

On the (XDMCP) Server side, you have a display manager - you can choose one, or use the one you use for local login. GDM or KDM are recommended somewhat over XDM.

Inform the system of the change/choice: set DISPLAYMANAGER, often in /etc/rc.conf or /etc/conf.d/xdm.


Alter the display manager's configuration to enable XDMCP. For example, for gdm this would likely be in /etc/X11/gdm/gdm.conf. Read the manual for details on the settings you're changing.

Once done, (re)start the display manager. Make it start at bootup if it wasn't configured to do so. Note that the service will probably be /etc/init.d/xdm, regardless of which you configured.


On the XDMCP Client / X server side, you set up your X server to use XDMCP.

For programs that render X themselves, and X when setting up for thin clients, this is a configuration job.

Most regular workstations will also allow remote login: most login managers will have an alternative to local login hidden somewhere in the options, with options for a host query or a broadcast.


Broadcast means it will ask the local network segment whether there are any XDMCP servers (this may be locked down). A query tries a specific host.


Example using Cygwin/X (Windows) as a client

After installing Cygwin/X (requires a decent bit of basic Cygwin, which I don't otherwise use) I made a link in my start menu to a batch file I created at C:\cygwin\connect.bat containing:

@echo off
C:
chdir C:\cygwin\bin
bash --login -i -c "XWin.exe -query 192.168.0.1 -keyhook -nodecoration" 

Querying a specific server refers to an XDMCP query that will give you that server's login manager.

If you get only the checkered-pattern screen when you try this and no xdm/kdm/gdm/some other login screen shows up, this means no X client is actually connecting to you, usually meaning something like:

  • that server is not serving XDMCP, or not doing so on the local network,
  • the relevant ports are firewalled on one side or the other,
  • the XDMCP query (which is UDP) didn't get routed (e.g. a TCP-only VPN),
  • your local X server rejects the X client (often for authentication reasons)

You can usually tell from errors (or complete lack of response) in logs.


Notes on that script:

  • This is probably a dumb way, it leaves a cmd.exe window open, but it works. (I'm open to suggestions on how to get around that, but I wonder whether it's possible, at least in combination with XDMCP)
  • -keyhook means alt-tabbing and such work within the X server
  • -fullscreen would be nice, but for some reason it is exclusive with -keyhook (probably to avoid getting caught in your X display, though there'd usually be the windows key to get around that), however,
  • -nodecoration is rather similar; it makes an as-big-as-your-screen root window without window borders, and it does combine with keyhook

There's also an option to have each program get its own client-side window (and to hide the desktop), which you may prefer when you like to work on two computers at once.


See also the Cygwin/X user guide