How to set up secure XDM ?

Hello.

My IIci has 250MB HDD, it's not big enough to install and
run
X window system. So, I'm preparing;

1) mount /usr and swap with nfs
2) use xdm

With some tests (learning NetBSD is fun), it seems work
fine.
I worry about "Security".
Can an attacker snoop those data traffic ?  Maybe
"YES", I guess.

My idea is:
There is no important data in 1), I don't need to worry
about that.
Set and run SSH for xdm (ssh X11 port forwarding).

Does this make a sense ? Any hint or advice is appreciated.
(I read some man-pages with my poor English, I got
headaches.)

Thanks,
Kazu Inanaga

On 11/26/06, Kazuyuki Inanaga <happydaypp.iij4u.or.jp> wrote:
> Hello.
>
> My IIci has 250MB HDD, it's not big enough to install
and run
> X window system. So, I'm preparing;
>
> 1) mount /usr and swap with nfs
> 2) use xdm
>
> With some tests (learning NetBSD is fun), it seems work
fine.
> I worry about "Security".
> Can an attacker snoop those data traffic ?  Maybe
"YES", I guess.
>
> My idea is:
> There is no important data in 1), I don't need to worry
about that.
> Set and run SSH for xdm (ssh X11 port forwarding).
>
> Does this make a sense ? Any hint or advice is
appreciated.
> (I read some man-pages with my poor English, I got
headaches.)
>
> Thanks,
> Kazu Inanaga
>
>

I have a similar setup running, although with no X. NFS is
an
unecrypted protocol. /usr, however, shouldn't have anything
on it that
isn't already available for public download anyway. As far
as
potential injection and man-in-the-middle attacks go, well,
if you
have a halfway decent firewall you should be just fine (as
long as
your picky about who you let into your network).

Since you're running /usr over NFS, why not just run X
locally?

- mngrif

Hi,

On 2006/11/27, at 5:40, mngrifgmail.com wrote:
> I have a similar setup running, although with no X. NFS
is an
> unecrypted protocol. /usr, however, shouldn't have
anything on it that
> isn't already available for public download anyway.

Thanks.
How about 'netboot' ? /etc or /var goes on the network.
Unfortunatly (fortunately ?) I've not got a success yet.

> As far as
> potential injection and man-in-the-middle attacks go,
well, if you
> have a halfway decent firewall you should be just fine
(as long as
> your picky about who you let into your network).

My router(ready-made) has some filters, but I don't trust
it.
Now I notice I should make a decent firewall first. It's the
most important thing. Thanks. I'll try;
"NetBSD Security Processes and Services"
htt
p://www.netbsd.org/Documentation/network/nsps/

>
> Since you're running /usr over NFS, why not just run X
locally?
>

I read "A new use for old and outdated PCs".
http://www.kaszeta.org/rich/unix/xterminal/index.html

I like '030 Macintoshes, and I'm 'trying to find a way to
get
some good use out of them', too.

Please see "Figure 1." in "XDM: The basic
concept:" page.
My xdmserver is Quadra which has Gimp. My Xterminal is IIci.
Direct query to xdmserver, and run Gimp.

   I knew nothing about xdm before, and never thought to run
   any graphic application on my '030.

In this case, IIci is just a Xterminal (display), not
required
much CPU power and memory, right ?

 > The only requirement is that the remote machine speak
X.

Yes, this is the reason to mount /usr (or /usr/X11R6) over
nfs.
Gimp runs on IIci, it's a little bit slow, but fun to see
it.


Regards,
Kazu Inanaga

Kazuyuki Inanaga wrote:
> I read "A new use for old and outdated PCs".
> http://www.kaszeta.org/rich/unix/xterminal/index.html
> 
> I like '030 Macintoshes, and I'm 'trying to find a way
to get
> some good use out of them', too.
> 
> Please see "Figure 1." in "XDM: The
basic concept:" page.
> My xdmserver is Quadra which has Gimp. My Xterminal is
IIci.
> Direct query to xdmserver, and run Gimp.

This is actually my goal for my Mystic CC as well.  I
thought it would 
be a great little color X terminal.


Tim
-- 
Tim & Alethea
christtrek.org

Tim & Alethea Larson wrote:
> Kazuyuki Inanaga wrote:
> 
>> I read "A new use for old and outdated
PCs".
>> http://www.kaszeta.org/rich/unix/xterminal/index.html
>>
>> I like '030 Macintoshes, and I'm 'trying to find a
way to get
>> some good use out of them', too.
>>
>> Please see "Figure 1." in "XDM: The
basic concept:" page.
>> My xdmserver is Quadra which has Gimp. My Xterminal
is IIci.
>> Direct query to xdmserver, and run Gimp.
> 
> 
> This is actually my goal for my Mystic CC as well.  I
thought it would 
> be a great little color X terminal.
> 
> 
> Tim
<first thought> still is.
<second thought> whooow .. them go fast ;)
--N

Hi,

On 2006/12/02, at 2:52, Noud deBrouwer wrote:
> Tim & Alethea Larson wrote:
>> This is actually my goal for my Mystic CC as well. 
I thought it  
>> would be a great little color X terminal.
>> Tim
> <first thought> still is.
> <second thought> whooow .. them go fast ;)
> --N

Yes, I think XDM is one of the good use for little '030s.

As you all know, 8 bit grey X screen is beautiful.
I'm a photographer, I have a lot of monochrome negative
films.
If I could see them on my favolite '030, I'd be happy.

....Of course I use Photoshop and G5 for my professional
works,
I ask myself, what is the most important in using a computer
?
I've not got the answer yet, but I know NetBSD/mac68k is not
just a tool for me.


By the way, have you already tried Hauke Fath's XDM setting
?
"Setting up the X Display Manager on
NetBSD/mac68k"
http://la.ca
useuse.org/hauke/macbsd/xdm/

It may be very nice for me (us).

Thanks,
Kazu Inanaga

Kazuyuki Inanaga wrote:

> Hi,
>
> On 2006/12/02, at 2:52, Noud deBrouwer wrote:
>
>> Tim & Alethea Larson wrote:
>>
>>> This is actually my goal for my Mystic CC as
well.  I thought it  
>>> would be a great little color X terminal.
>>> Tim
>>
>> <first thought> still is.
>> <second thought> whooow .. them go fast ;)
>> --N
>
>
> Yes, I think XDM is one of the good use for little
'030s.
>
> As you all know, 8 bit grey X screen is beautiful.
> I'm a photographer, I have a lot of monochrome negative
films.

i'm (MSE/ing.) Informaticus/Software Engineer .. ;) ..
luckely i don't have _that_ many negatives.. though i did
hear..years
ago whilst working at the local Macintosch Dealer .. those
_are_ in
color..it was even possible to buy a plug-on-card.

> If I could see them on my favolite '030, I'd be happy.

well..that doens't sound as a supprise to me ;) ..

>
> ....Of course I use Photoshop and G5 for my
professional works,

brrrr.. use Gimp.org or pkgsrc/graphics/gimp ..much beter
cause it
's open source ;) ..
o btw .. the G5 does NetBSD to, see
http://mail
-index.netbsd.org/ports-macppc
http://mail-index.netbsd
.org
hope i'm right in the URL.

> I ask myself, what is the most important in using a
computer ?

getting extra capacity.

> I've not got the answer yet, but I know NetBSD/mac68k
is not
> just a tool for me.

interesting

>
>
> By the way, have you already tried Hauke Fath's XDM
setting ?

why should we??

> "Setting up the X Display Manager on
NetBSD/mac68k"
> http://la.ca
useuse.org/hauke/macbsd/xdm/
>
> It may be very nice for me (us).

mmm.you've got an extra in ;)

>
> Thanks,
> Kazu Inanaga
>
2,
--N

Kazuyuki Inanaga wrote:
> By the way, have you already tried Hauke Fath's XDM
setting ?
> "Setting up the X Display Manager on
NetBSD/mac68k"
> http://la.ca
useuse.org/hauke/macbsd/xdm/

I did, and it was very helpful, but could never get the
login screen 
customized as shown.


Tim

-- 
Tim & Alethea
christtrek.org

Hi,

Thanks for the replies.

On 2006/12/04, at 4:06, Tim & Alethea Larson wrote:
> Kazuyuki Inanaga wrote:
>> By the way, have you already tried Hauke Fath's XDM
setting ?
>> "Setting up the X Display Manager on
NetBSD/mac68k"
>> http://la.ca
useuse.org/hauke/macbsd/xdm/
>
> I did, and it was very helpful,

Good! I'm glad 

> but could never get the login screen customized as
shown.

Is this?
http://la.causeuse.org/hauke/macbsd/xdm/xdm-login.gif

I get it with;
1) download the tarball
http://la.causeuse.org/hauke/macbsd/xdm/xdm-scripts.t
ar.bz2
2) copy and save original /etc/X11/xdm
3) move xdm-scripts/* to xdm/
4) start xdm

And my xdmserver(direct XDMCP connection) setting is;
in /etc/X11/xdm/Xaccess, un-comment one line;
 >*                         #any host can get a login
window
 >#*   CHOOSER BROADCAST    #any indirect host can get a
chooser

in xdm-config, comment-out;
 >! DisplayManager.requestPort:     0

Do you see "XDM: too many retransmissions" on your
xterminal??
If so, try comment-out "DisplayManager.requestPort:    
0".

I guess, "xdm-scripts" is prepared for
"indirect XDMCP connection". No?
I confirmed NetBSD/i386 machine (XFree86) works as a
xdmserver,
of course? :p, my next step is setting up "indirect
XDMCP connection".

I'm not sure about;
1) Is my prosedure(above) correct?
2) I'd like to use other Window Manager instead of twm.
    Where is ".xsession"? How Can I make it?
3) "Session Menu" is too large for my tiny monitor
screen.


By the way, I'm happy because now I know there are many nice
people
in this list.

Thanks,
Kazu Inanaga

Kazuyuki Inanaga wrote:
> Is this?
> http://la.causeuse.org/hauke/macbsd/xdm/xdm-login.gif

That's what I'm aiming for.

> I get it with;
> 1) download the tarball
> http://la.causeuse.org/hauke/macbsd/xdm/xdm-scripts.t
ar.bz2
> 2) copy and save original /etc/X11/xdm
> 3) move xdm-scripts/* to xdm/
> 4) start xdm

I need to try it again from start to finish.  I'm sure I'm
missing 
something simple.

> 2) I'd like to use other Window Manager instead of twm.
>    Where is ".xsession"? How Can I make it?

It's ~/.xsession.  Mine is actually a link to my ~/.xinitrc
file.  Just 
install the wm you want, and exec it from that file.  I can
post what I 
have in mine, if that would help.


Tim
-- 
Tim & Alethea
christtrek.org