Problems protecting XWindows on Sun Solaris with RSA SecurID
Originally Published: 2001-07-17
Article Number
Applies To
Sun Solaris 2.6
XWindows
Issue
Difficulty following Appendix D: Protecting XWindows Logins in the UNIX Installation Guide
Resolution
Locate the system's display manager configuration files. On a Sun Solaris system these files are usually found in the /usr/dt/config directory; as per the Solaris documentation, they are then copied to /etc/dt/config. This allows Sun to issue new files without overwriting site-specific information.
In the instructions below, the symbol <ACEPROG> represents the ace/prog directory of the ACE/Server, e.g. /export/home/ace/prog/
1. A change is required to a file called 'Xconfig' in the directory /etc/dt/config/:
- Use an editor such as vi to make the required changes.
- Locate the line 'Dtlogin*authorize: False', uncomment it, and save the changes.
For example, after the change has been made it will look like this:
# To disable R4 MIT-MAGIC-COOKIE-1 per-user authorization.
#
Dtlogin*authorize: False
NOTE: Information from the MIT-X consortium describes the MIT-MAGIC-COOKIE as weak security. Implementing SecurID in its place should enhance the general security of your system.
2. Append the contents of <ACEPROG>/XPrompt to the '/etc/dt/config/Xstartup' script as follows:
cd /etc/dt/config
cp Xstartup Xstartup.orig
cat <ACEPROG>/XPrompt >> Xstartup
Ensure the variables DEFVARACE and DEFUSERACE in the Xstartup script are pointing to the correct ACE directory where your ACE/Server software is installed.
3. Add four lines near the top of the /etc/dt/bin/Xsession script.
Xsession looks like this before the changes are made:
#!/bin/ksh
# #########################################################################
#
# Xsession
#
# Common Desktop Environment (CDE)
#
# Configuration script for the Login Manager
#
The Xsession file will look like this after the four lines have been added:
#!/bin/ksh
TESTSHELL=`<ACEPROG>/sdfindshell`
if [ -n "$TESTSHELL" ] ; then
SHELL=$TESTSHELL ; export SHELL
fi
# #########################################################################
#
# Xsession
#
# Common Desktop Environment (CDE)
#
# Configuration script for the Login Manager
#
After making changes to Xconfig, Xstartup, and Xsession, it is important to reboot the system to reset the MAGIC-COOKIE used by XWindows.
NOTE: The line TESTSHELL=`<ACEPROG>/sdfindshell` uses backquotes, meaning the value of the variable TESTSHELL is the output of running the command <ACEPROG>/sdfindshell. Using the wrong quote marks will fail to give correct results.
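Before rebooting, the three edits can be checked with a read-only script such as the one below. This is an added example, not part of the RSA installation guide; the function names, the script name check_dtlogin.sh and the assumption that XPrompt sets DEFVARACE and DEFUSERACE with plain NAME=value lines are hypothetical.

```shell
#!/bin/sh
# Added example: read-only checks for the three edits described in this article.
# Assumes a POSIX sh, grep and awk. Nothing is modified.

# Step 1: 'Dtlogin*authorize: False' must be present and uncommented in Xconfig.
check_xconfig() {
    grep -Eq '^[[:space:]]*Dtlogin\*authorize:[[:space:]]*False[[:space:]]*$' "$1"
}

# Step 2: Xstartup must contain the appended XPrompt text.
# Assumption: XPrompt sets both variables with plain NAME=value lines.
check_xstartup() {
    grep -Eq '^[[:space:]]*DEFVARACE=' "$1" &&
        grep -Eq '^[[:space:]]*DEFUSERACE=' "$1"
}

# Step 3: TESTSHELL must be assigned from a backquoted sdfindshell command
# (single or double quotes fail), above the CDE banner comment.
check_xsession() {
    awk '
        /^[ \t]*TESTSHELL=`[^`]*sdfindshell`[ \t]*$/ { found = NR }
        /Common Desktop Environment/ && !banner { banner = NR }
        END { exit !(found && (!banner || found < banner)) }
    ' "$1"
}

# Runs all three checks, prints each failure, returns the number of failures.
check_all() {
    dir=${1:-/etc/dt/config}
    xsession=${2:-/etc/dt/bin/Xsession}
    failed=0
    check_xconfig "$dir/Xconfig" ||
        { echo "Xconfig: Dtlogin*authorize: False is missing or commented out"; failed=$((failed + 1)); }
    check_xstartup "$dir/Xstartup" ||
        { echo "Xstartup: DEFVARACE/DEFUSERACE assignments not found"; failed=$((failed + 1)); }
    check_xsession "$xsession" ||
        { echo "Xsession: backquoted TESTSHELL line not found near the top"; failed=$((failed + 1)); }
    return "$failed"
}

# Run as: sh check_dtlogin.sh --run [config_dir] [xsession_path]
if [ "${1:-}" = "--run" ]; then
    shift
    check_all "$@"
fi
```

The script only confirms that the variable assignments exist in Xstartup; whether they point to the correct ACE directory still has to be checked by hand.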