Problems protecting XWindows on Sun Solaris with RSA SecurID
Originally Published: 2001-07-17
Article Number
Applies To
Sun Solaris 2.6
XWindows
Issue
Difficulty following Appendix D: Protecting XWindows Logins in the UNIX Installation Guide
Resolution
Locate the system's display manager configuration files. On a Sun Solaris system these files are usually found in the /usr/dt/config directory; as per the Solaris documentation, they would then be copied to /etc/dt/config. This allows Sun to issue new files without overwriting site-specific information.
In the instructions below the symbol <ACEPROG> is used to represent the ace/prog directory of the ACE/Server, e.g. /export/home/ace/prog/
1. A change is required to a file called 'Xconfig' in the directory /etc/dt/config/:
- Use an editor such as vi to make the changes required
- Locate the line 'Dtlogin*authorize: False', uncomment it and save the changes.
For example, after the change has been made it will look like this:
# To disable R4 MIT-MAGIC-COOKIE-1 per-user authorization.
#
Dtlogin*authorize: False
NOTE: Information from the MIT-X consortium describes the MIT-MAGIC-COOKIE as weak security. Implementing SecurID in its place should enhance the general security of your system.
2. Append the contents of <ACEPROG>/XPrompt to the '/etc/dt/config/Xstartup' script as follows:
cd /etc/dt/config
cp Xstartup Xstartup.orig
cat <ACEPROG>/XPrompt >> Xstartup
Ensure the variables DEFVARACE and DEFUSERACE in the Xstartup script are pointing to the correct ACE directory where your ACE/Server software is installed.
3. Add four lines near the top of the /etc/dt/bin/Xsession script.
Xsession looks like this before the changes are made:
#!/bin/ksh
# #########################################################################
#
# Xsession
#
# Common Desktop Environment (CDE)
#
# Configuration script for the Login Manager
#
The Xsession file will look like this after the four lines have been added:
#!/bin/ksh
TESTSHELL=`<ACEPROG>/sdfindshell`
if [ -n "$TESTSHELL" ] ; then
SHELL=$TESTSHELL ; export SHELL
fi
# #########################################################################
#
# Xsession
#
# Common Desktop Environment (CDE)
#
# Configuration script for the Login Manager
#
After making changes to scripts Xconfig, Xstartup, and Xsession, it is important to reboot the system to reset the MAGIC-COOKIE used by XWindows.
NOTE: The line TESTSHELL=`<ACEPROG>/sdfindshell` uses backquotes, meaning the value of the variable TESTSHELL is the result of running the command <ACEPROG>/sdfindshell. Using the wrong quote marks will fail to give correct results.
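As an added example (not part of the original article or of RSA's software), the shell functions below check that the three edits above are in place before the reboot, including the wrong-quote failure described in the NOTE. The function names, the 10-line window used for "near the top" and the size comparison against Xstartup.orig are assumptions of this example; it expects a POSIX shell, grep, sed and wc.

```shell
#!/bin/sh
# Added example (not RSA code): verify the Xconfig, Xstartup and Xsession edits.

# Step 1: the authorize line must be present and no longer commented out.
check_xconfig() {
    grep -Eq '^[[:space:]]*Dtlogin\*authorize:[[:space:]]*False' "$1"
}

# Step 2: Xstartup must be larger than its Xstartup.orig backup and must
# mention both variables the article says to review (assumed heuristic).
check_xstartup() {
    [ -f "$1.orig" ] || return 1
    [ $(wc -c < "$1") -gt $(wc -c < "$1.orig") ] || return 1
    grep -q 'DEFVARACE' "$1" && grep -q 'DEFUSERACE' "$1"
}

# Step 3: look for the TESTSHELL assignment in the first 10 lines (assumed window).
# Returns 0 = ok, 1 = line not found, 2 = found but not in backquotes.
check_xsession() {
    line=$(sed 10q "$1" | grep '^[[:space:]]*TESTSHELL=' | sed 1q)
    [ -n "$line" ] || return 1
    case "$line" in
        *'`'*sdfindshell'`'*) return 0 ;;
        *) return 2 ;;
    esac
}

# $1 = directory holding Xconfig and Xstartup, $2 = directory holding Xsession.
verify_dtlogin() {
    rc=0
    check_xconfig "$1/Xconfig" ||
        { echo "Xconfig: Dtlogin*authorize: False missing or commented"; rc=1; }
    check_xstartup "$1/Xstartup" ||
        { echo "Xstartup: XPrompt text not appended after backup"; rc=1; }
    check_xsession "$2/Xsession" || case $? in
        1) echo "Xsession: TESTSHELL line not near the top"; rc=1 ;;
        *) echo "Xsession: sdfindshell is not inside backquotes"; rc=1 ;;
    esac
    return $rc
}

# Usage with the paths from the steps above:
#   verify_dtlogin /etc/dt/config /etc/dt/bin
```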