No remote login with GDM3, XDMCP, Xvnc, inetd
andrew glaeser
bugs at irregulaire.info
Fri Aug 28 09:24:46 UTC 2020
This is my GDM-configuration:
> root@bsdpcb:/usr/local/etc/gdm # cat custom.conf
> # GDM configuration storage
>
> [daemon]
> # Uncoment the line below to force the login screen to use Xorg
> #WaylandEnable=false
>
> HaltCommand=/sbin/shutdown -p now
> RebootCommand=/sbin/shutdown -r now
>
> [security]
> DisallowTCP=false
>
> [xdmcp]
> DisplaysPerHost=1
> Enable=true
>
> [chooser]
>
> [debug]
> # Uncomment the line below to turn on debugging
> #Enable=true
>
rc.conf:
> root@bsdpcb:/usr/local/etc/gdm # cat /etc/rc.conf
> clear_tmp_enable="YES"
> syslogd_flags="-ss"
> sendmail_enable="NONE"
> hostname="bsdpcb"
> keymap="de.noacc.kbd"
> ifconfig_bge0="inet 192.168.0.110 netmask 255.255.255.0"
> defaultrouter="192.168.0.231"
> ifconfig_bge0_ipv6="inet6 accept_rtadv"
> sshd_enable="YES"
> moused_enable="YES"
> ntpd_enable="YES"
> powerd_enable="YES"
> powerd_flags="-a minimum"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> zfs_enable="YES"
> dbus_enable="YES"
> hald_enable="YES"
> #sddm_enable="YES"
> gdm_enable="YES"
> kld_list="amdgpu"
> gnome_enable="YES"
> inetd_enable="YES"
inetd:
> root@bsdpcb:/usr/local/etc/gdm # cat /etc/inetd.conf
> # $FreeBSD: releng/12.1/usr.sbin/inetd/inetd.conf 337687 2018-08-12 13:29:40Z brd $
> #
> # Internet server configuration database
> #
> # Define *both* IPv4 and IPv6 entries for dual-stack support.
> # To disable a service, comment it out by prefixing the line with '#'.
> # To enable a service, remove the '#' at the beginning of the line.
> #
> #ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
> #ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
> #ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
.
.
.
> #
> #auth stream tcp nowait root internal
> #auth stream tcp6 nowait root internal
> #
> # Provide internally a real "ident" service which provides ~/.fakeid support,
> # provides ~/.noident support, reports UNKNOWN as the operating system type
> # and times out after 30 seconds.
> #
> #auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30
> #auth stream tcp6 nowait root internal auth -r -f -n -o UNKNOWN -t 30
> #
> # Example entry for an external ident server
> #
> #auth stream tcp wait root /usr/local/sbin/identd identd -w -t120
> #
> # Example entry for the optional qmail MTA
> # NOTE: This is no longer the correct way to handle incoming SMTP
> # connections for qmail. Use tcpserver (http://cr.yp.to/ucspi-tcp.html)
> # instead.
> #
> #smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd
> #
> # Enable the following two entries to enable samba startup from inetd
> # (from the Samba documentation). Enable the third entry to enable the swat
> # samba configuration tool.
> #
> #netbios-ssn stream tcp nowait root /usr/local/sbin/smbd smbd
> #netbios-ns dgram udp wait root /usr/local/sbin/nmbd nmbd
> #swat stream tcp nowait/400 root /usr/local/sbin/swat swat
> #
> # Example entry for the Prometheus sysctl metrics exporter
> #
> #prom-sysctl stream tcp nowait nobody /usr/sbin/prometheus_sysctl_exporter prometheus_sysctl_exporter -dgh
> 5950 stream tcp nowait nobody /usr/local/bin/Xvnc Xvnc -inetd -query localhost -once securitytypes=none
(this was taken directly from Xvnc manpage):
> In the nowait mode, Xvnc uses its standard input and output directly as
> the connection to a viewer. It never has a listening socket, so cannot
> accept further connections from viewers (it can however connect out to
> listening viewers by use of the vncconfig program). Further viewer
> connections to the same TCP port result in inetd spawning off a new
> Xvnc to deal with each connection. When the connection to the viewer
> dies, the Xvnc and any associated X clients die. This behaviour is
> most useful when combined with the XDMCP options -query and -once. An
> typical example in inetd.conf might be (all on one line):
>
> 5950 stream tcp nowait nobody /usr/local/bin/Xvnc Xvnc -inetd -query localhost -once securitytypes=none
>
> In this example a viewer connection to :50 will result in a new Xvnc
> for that connection which should display the standard XDM login screen
> on that machine. Because the user needs to login via XDM, it is
> usually OK to accept connections without a VNC password in this case.
So why isn't this workable actually?
[inetd was started and GDM has been restarted]
Result:
> andrew@a68n:~$ xvncviewer bsdpcb:50
>
> TigerVNC Viewer 64-bit v1.9.0
> Built on: 2020-06-16 19:36
> Copyright (C) 1999-2018 TigerVNC Team and many others (see README.rst)
> See http://www.tigervnc.org for information on TigerVNC.
>
> Fri Aug 28 10:57:48 2020
> DecodeManager: Detected 3 CPU core(s)
> DecodeManager: Creating 3 decoder thread(s)
> CConn: unable connect to socket: Connection refused (111)
> andrew@a68n:~$
In comparison, nearly the same is in the debian-handbook:
> https://debian-handbook.info/browse/stable/sect.remote-login.html
> VNC also works for mobile users, or company executives, who occasionally
> need to login from their home to access a remote desktop similar to the one
> they use at work. The configuration of such a service is more complicated:
> you first install the vnc4server package, change the configuration of the
> display manager to accept XDMCP Query requests (for gdm3, this can be done
> by adding Enable=true in the “xdmcp” section of /etc/gdm3/daemon.conf), and
> finally, start the VNC server with inetd so that a session is automatically
> started when a user tries to login. For example, you may add this line
> to /etc/inetd.conf: 5950 stream tcp nowait nobody.tty /usr/bin/Xvnc
> Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16
> securitytypes=none Redirecting incoming connections to the display manager
> solves the problem of authentication, because only users with local
> accounts will pass the gdm3 login screen (or equivalent kdm, xdm, etc.). As
> this operation allows multiple simultaneous logins without any problem
> (provided the server is powerful enough), it can even be used to provide
> complete desktops for mobile users (or for less powerful desktop systems,
> configured as thin clients). Users simply login to the server's screen
> with vncviewer server:50, because the port used is 5950.
And I remember, I did try this out once, and it did not work, but remote-login
was workable rather with xinetd, which does not exist in FreeBSD.
So: Any suggestions? No x2go-server port yet ?
> WAS: Fw: FreeBSD 12-1 installed anew on my end-of-life home-server
> Begin forwarded message:
>
> Date: Fri, 21 Aug 2020 15:25:35 +0200
> From: andrew glaeser <bugs at irregulaire.info>
> To: x11 at FreeBSD.org
> Subject: Fw: FreeBSD 12-1 installed anew on my end-of-life home-server
>
>
> Gold, excellent!
>
> but the criticism is really, that attachments get stripped, and as far as I
> can see, the amdgpu - ports twist of wickedness is not properly documented, I
> found out only upon cracking my head over this for several hours, didn't I?
> And luckily I remembered.
>
> Begin forwarded message:
>
> Date: Thu, 20 Aug 2020 18:21:38 +0200
> From: andrew glaeser <bugs at irregulaire.info>
> To: x11 at FreeBSD.org
> Subject: FreeBSD 12-1 installed anew on my end-of-life home-server
>
>
> Graphics basically workable already, but software-rasterized, not
> hardware accelerated.
>
> xorg had to be set up separately, and then I remember again, that AMD
> drivers respective firmware had to be compiled from ports-collection, so
> graphics become in fact hardware-accelerated, looking forward to it.
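
A defensive check for the kind of inetd.conf entry discussed in this message, added here as an example and not part of the original post: it reports active entries that look split across lines (the man page excerpt says the entry must be all on one line), Xvnc entries whose -query has lost its host, and Xvnc entries that disable VNC-level authentication. The function names, finding codes and sample input (including port 5951) are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit active inetd.conf entries, with extra checks for Xvnc.
# Findings are printed one per line as "<line>:<code>:<detail>".
audit_inetd() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }    # comments and blank lines
    NF < 6 {
        # An entry needs service, socket type, protocol, wait flag, user and
        # program. A wrapped entry leaves a short fragment on the next line.
        printf "%d:MALFORMED:only %d field(s), entry may be split across lines\n", NR, NF
        next
    }
    {
        n = split($6, path, "/")
        if (path[n] != "Xvnc") next
        args = ""
        for (i = 7; i <= NF; i++) args = args " " tolower($i)
        if (args !~ / -inetd( |$)/)
            printf "%d:NO_INETD_FLAG:%s\n", NR, $1
        if (args ~ / -query$/)
            printf "%d:QUERY_NO_HOST:%s -query has no host argument\n", NR, $1
        else if (args ~ / -query / && args !~ / -query (localhost|127\.0\.0\.1|::1)( |$)/)
            printf "%d:XDMCP_REMOTE:%s sends XDMCP queries to another host\n", NR, $1
        if (args ~ / -?securitytypes=none( |$)/)
            printf "%d:VNC_AUTH_DISABLED:%s relies on the display manager login alone\n", NR, $1
    }' "$@"
}

# Constructed sample: the entry from the message, once wrapped and once intact
# (port 5951 is made up so the two can be told apart).
sample_conf() {
    cat <<'EOF'
# Internet server configuration database
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
5950 stream tcp nowait nobody /usr/local/bin/Xvnc Xvnc -inetd -query
localhost -once securitytypes=none
5951 stream tcp nowait nobody /usr/local/bin/Xvnc Xvnc -inetd -query localhost -once securitytypes=none
EOF
}

sample_conf | audit_inetd
```

Against a real file, call it as audit_inetd /etc/inetd.conf; no output means none of these checks fired.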