SUMMARY: XDMCP / CDE Questions

[John.Pshyk@xxxxxxxxxxxxxxxx]

Original Question:
I am attempting to tighten up the security on our Tru64 5.1B server (with current security patches) but I am having some difficulties with understanding XDMCP services.

Background:  We currently run CDE on the server console, but do not use any "X Windows" PC Workstation applications to connect to it.  For added security, I would like to disable the XDMCP services on the server.

Questions:  What Tru64 process or services are related to the XMDCP? Can I disable the XDMCP services on the server without affecting the use of CDE on the console?  What are the steps to correctly disable this service?  If I cannot disable this service because it will affect the use of CDE on the console, how can I strengthen its security configuration?  

Thank you for your time.


SUMMARY:

Thank you for all who replied!
I started off by renaming xlogin link so that it would not be run at boot time which was suggested by Johan Brusche.

>To stop it:
>/sbin/init.d/xlogin stop
>
>To prevent from starting at boot:
>mv /sbin/rc3.d/S95xlogin /sbin/rc3.d/_S95xlogin

This worked but we require CDE on the console.  The other option I was to limit the connection to the service.
For this, I followed Eric Sisson suggestions:

>Make a backup copy of /usr/dt/config/Xaccess and comment (by placing 
>a ``#'' sign at the beginning) the following two lines:
>
>     *      # grant service to all remote displays
>
>     * CHOOSER BROADCAST #any indirect host can get a chooser
>
>These changes will prevent remote XDMCP logins.  When I did this, I 
>rebooted the system for it to take effect.  That works, but may be 
>more than is necessary.  I think that /sbin/init.d/xlogin is the 
>controlling init script.  However, since it does affect the console, 
>starting and stopping this may or may not be sufficient.

Once again, thanks.


John Pshyk  I.S.P.