000018888 - Problems protecting XWindows on Sun Solaris with RSA SecurID

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000018888
Applies To: RSA ACE/Server 4.1 (no longer supported as of 2-1-2004)
Sun Solaris 2.6
XWindows
Issue: Problems protecting XWindows on Sun Solaris with RSA SecurID
Difficulty following Appendix D: Protecting XWindows Logins in the UNIX Installation Guide
Resolution: Here is a simplified procedure for protecting XWindows on a system where ACE/Server is installed:

Locate the system's display manager configuration files. On a Sun Solaris system these files are usually found in the /usr/dt/config directory; as per the Solaris documentation, they are then copied to /etc/dt/config. This allows Sun to issue new files without overwriting site-specific information.

In the instructions below the symbol <ACEPROG> is used to represent the ace/prog directory of the ACE/Server, e.g. /export/home/ace/prog/

1. A change is required to a file called 'Xconfig' in the directory /etc/dt/config/:

- Use an editor such as vi to make the changes required

- Locate the line 'Dtlogin*authorize:       False', uncomment it, and save the changes.

For example, after the change has been made it will look like this:

# To disable R4 MIT-MAGIC-COOKIE-1 per-user authorization.
#
Dtlogin*authorize:      False

NOTE: Information from the MIT-X consortium describes the MIT-MAGIC-COOKIE as weak security.  Implementing SecurID in its place should enhance the general security of your system.


2. Append the contents of <ACEPROG>/XPrompt to the '/etc/dt/config/Xstartup' script as follows:

 cd /etc/dt/config
 cp Xstartup Xstartup.orig
 cat <ACEPROG>/XPrompt >> Xstartup

Ensure the variables DEFVARACE and DEFUSERACE in the Xstartup script are pointing to the correct ACE directory where your ACE/Server software is installed.

3. Add four lines near the top of the /etc/dt/bin/Xsession script.

Xsession looks like this before changes made:

#!/bin/ksh
# #########################################################################
#
# Xsession
#
# Common Desktop Environment (CDE)
#
# Configuration script for the Login Manager
#

The Xsession file will look like this after the four lines have been added:

#!/bin/ksh
TESTSHELL=`<ACEPROG>/sdfindshell`
if [ -n "$TESTSHELL" ] ; then
 SHELL=$TESTSHELL ; export SHELL
fi
# #########################################################################
#
# Xsession
#
# Common Desktop Environment (CDE)
#
# Configuration script for the Login Manager
#

After making changes to scripts Xconfig, Xstartup, and Xsession, it is important to reboot the system to reset the MAGIC-COOKIE used by XWindows.

NOTE: The line TESTSHELL=`<ACEPROG>/sdfindshell` uses backquotes, meaning the value of the variable TESTSHELL is the result of running the command <ACEPROG>/sdfindshell. Using the wrong quote marks will fail to give correct results.
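
The following check script is an added example, not part of the original article or of RSA's software: it verifies that the Xconfig, Xstartup and Xsession edits described above are in place, including the backquote requirement from the note. It assumes a POSIX sh, grep and head; the script name check_dt.sh, the 10-line "near the top" bound, and matching XPrompt only by the variable names DEFVARACE and DEFUSERACE are assumptions.

```sh
#!/bin/sh
# Added example (not RSA's code): check that the article's three edits are in place.

# Xconfig: the authorize line must exist and must not be commented out.
check_xconfig() {
    grep -Eq '^[[:space:]]*Dtlogin\*authorize:[[:space:]]*False[[:space:]]*$' "$1"
}

# Xstartup: XPrompt was appended (assumption: we only look for the two variable
# names the article mentions) and the Xstartup.orig backup sits beside it.
check_xstartup() {
    grep -q 'DEFVARACE' "$1" && grep -q 'DEFUSERACE' "$1" && [ -f "$1.orig" ]
}

# Xsession: near the top (first 10 lines, an assumed bound) TESTSHELL must be
# set with real backquotes, and SHELL must be exported from it.
check_xsession() {
    head -n 10 "$1" | grep -Eq '^TESTSHELL=`[^`]*/sdfindshell`[[:space:]]*$' &&
    head -n 10 "$1" | grep -Eq '^[[:space:]]*SHELL=\$TESTSHELL[[:space:]]*;[[:space:]]*export SHELL'
}

# $1 = display manager config directory, $2 = path to the Xsession script
verify_dt_config() {
    rc=0
    check_xconfig "$1/Xconfig" ||
        { echo "FAIL Xconfig: 'Dtlogin*authorize: False' is missing or commented"; rc=1; }
    check_xstartup "$1/Xstartup" ||
        { echo "FAIL Xstartup: XPrompt not appended or Xstartup.orig missing"; rc=1; }
    check_xsession "$2" ||
        { echo "FAIL Xsession: sdfindshell lines missing or wrong quote marks"; rc=1; }
    return "$rc"
}

# Usage: sh check_dt.sh /etc/dt/config /etc/dt/bin/Xsession
if [ "$#" -eq 2 ]; then
    verify_dt_config "$1" "$2"
fi
```

Run it before the reboot; a non-zero exit status means at least one of the three files does not match the procedure.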
Legacy Article ID: a3870
