How to configure CDE for VNC on AIX

http://www.ibm.com/developerworks/wikis/display/WikiPtype/VNCinetCDE


Configuring AIX inetd to launch a VNC session managed by CDE


Please see VNC/CDE usage notes for information on using VNC/CDE in this way.

The USAGE WITH INETD section near the bottom of the man page for the Xvnc command at the 4.1 level has a discussion of use of VNC with inetd, but the discussion there is not generally applicable to use of VNC 3.3.3r2 with AIX inetd.

The Frequently Asked Questions for the Common Desktop Environment (CDE) web page has useful hints and tips for tailoring CDE once it is working.

This web page documents a quick and dirty way to get the AIX Common Desktop Environment (CDE) working with VNC. This method is "dirty" because it has several security exposures:

  1. The communication protocol used between a VNC server and a VNC client (RFB) is insecure, at least in the version of VNC available on the AIX Toolbox for Linux Applications CD. Please see the VNC article on Wikipedia for more information. Because the RFB protocol is insecure, it is reckless to permit users to specify their login credentials via CDE on VNC without taking steps to prevent the credentials from being sniffed off the network. One can use SSH port tunneling to prevent credentials from being sniffed. To use SSH port tunneling, a user must log in to the server using SSH before starting a VNC session.

  2. The dtlogin Command article says, "By default, dtlogin uses user-based access control to the X server (MIT-MAGIC-COOKIE-1)."

    When used properly, MIT-MAGIC-COOKIE-1 access control can be quite secure. When used improperly, it can be very insecure. Please see X-Windows on AIX for more information.

    When MIT-MAGIC-COOKIE-1 access control is used properly, users are protected from attacks which capture keystrokes and/or display images from X-Windows servers. Because cookies/keys are managed/generated by CDE, they must be transmitted from CDE to the X-Windows server (in this case, Xvnc). The dtlogin Command article says, "By default, dtlogin does not include support for XDM-AUTHENTICATION-1 because it requires DES, which is not generally distributable." Because XDM-AUTHENTICATION-1 is not used, cookies/keys are not encrypted. That is not an issue with -query localhost, since cookies/keys are transmitted from one process to another on the same host and are not vulnerable to an attacker who can monitor a network in promiscuous mode. But use of -query to another host makes MIT-MAGIC-COOKIE-1 access control vulnerable.

Here are instructions to get CDE working with VNC. These instructions have been tested and work with VNC installed from the vnc-3.3.3r2-6.aix5.1.ppc.rpm file which can be downloaded from the AIX Toolbox for Linux Applications downloads web page or from the Groupe Bull Large Open Source Software Archive for AIX. These instructions have been tried and do not work with VNC installed from the vnc-3.3.3.2 fileset which can be downloaded from the Groupe Bull AIX V5.1 web page. (Xvnc delivered in the vnc-3.3.3.2 fileset does not correctly support the XDMCP protocol.) These instructions have been tested and work on AIX V5.3 TL6 SP1, AIX V6.1 TL6 SP1, and AIX V7.1 TL1 SP4.

  1. Use 'ls -al /usr/sbin/lsof' to confirm that the lsof command is installed. If not, follow instructions here to install it. Note: lsof is needed in /usr/local/VNC/CDE/Xreset (configured below) to find the Xvnc process associated with an X-Windows display number.

  2. Use 'lslpp -l X11.Dt.rte' to confirm that the AIX CDE fileset is installed. If not, install it. Also, make sure locale and message filesets are installed for languages which will be used (eg, X11.loc.en_US.Dt.rte and X11.msg.en_US.Dt.rte). In particular, make sure locale and message filesets are installed for the language specified in /etc/environment (eg, "LANG=en_US"). If not, install them.

  3. Use 'lsitab dt' to confirm that an entry exists in /etc/inittab which will start CDE automatically at AIX boot time. If not, follow advice here to (1) add the entry and (2) ensure that XDM is not configured to start at AIX boot time.

  4. By default, CDE is configured to start an X server on DISPLAY=:0 and to present a login prompt there. On an LPAR which does not have a graphics adapter, this wastes resources and generates spurious error messages.

    On LPARs which do not have a graphics adapter, use 'cp -ip /usr/dt/config/Xservers /etc/dt/config' to create a copy of the default Xservers file. Then, comment out the last line of /etc/dt/config/Xservers:
    #  :0   Local local@console /usr/lpp/X11/defaults/xserverrc -T -force :0
    
  5. Create executable file /usr/local/VNC/CDE/Xreset:
    #!/bin/ksh
    ################################################################################
    # Shell script which resets a VNC session at logout from CDE.
    #
    # Needed since CDE does not reset the X session when the EXIT button is
    # pressed on the CDE taskbar, likely because a VNC session is configured to
    # CDE as foreign (in Xservers or when managed via XDMCP) and CDE therefore
    # believes it is working with an X-station and has no way of cancelling the
    # X session.
    #
    # Author: Steve Pittman - IBM - 925-277-5080 - 12/7/2011
    ################################################################################
    # If 'set -x' is uncommented, all commands executed will be written to stderr
    # which ends up in /var/dt/Xerrors
    # set -x
    
    # Run Xreset command which is normally run by CDE when a session ends
    . /usr/dt/config/Xreset "$@"
    
    # If possible and appropriate, reset VNC session with kill -HUP
    lsofcmd=/usr/sbin/lsof
    if [ -x $lsofcmd ]
    then
      # Display number from DISPLAY (e.g. ":3" or "host:3.0"); drop any screen suffix
      dispnbr=${DISPLAY#*:}
      dispnbr=${dispnbr%.*}
      # The X server for display N listens on TCP port 6000+N
      ((xwinport=6000+dispnbr))
      # Last line of lsof output for that port, e.g.
      #   Xvnc 1234 root 0u IPv4 0x... 0t0 TCP *:6003 (LISTEN)
      lsofout=$($lsofcmd -Pn -i :$xwinport 2>/dev/null | tail -1)
      echo $lsofout | read command pid user fd type device size node name state
      if [ "$command" = "Xvnc" ]
      then kill -HUP $pid
      else print -u2 "$(date "+%D %T"): $0: Command is not Xvnc: '$lsofout'!"
      fi
    else print -u2 "$(date "+%D %T"): $0: File $lsofcmd not found: Install fileset lsof.base!"
    fi
    
    exit 0
    

    File /usr/local/VNC/CDE/Xreset should be owned by root.system with permissions 755.

  6. Use 'ln -s /usr/local/VNC/CDE/Xreset /etc/dt/config' to create a symbolic link from /etc/dt/config/Xreset to /usr/local/VNC/CDE/Xreset. If /etc/dt/config/Xreset already exists, then care must be taken to integrate /etc/dt/config/Xreset and /usr/local/VNC/CDE/Xreset together.

  7. Use 'ps -fp $(cat /var/dt/Xpid)' to confirm that the CDE dtlogin daemon is running. If so, use '/usr/dt/bin/dtconfig -reset' to refresh the daemon. If not, use '/etc/rc.dt' to start the daemon.

  8. Create executable file /usr/local/VNC/CDE/vnccde:
    #!/bin/ksh
    #
    # This shell script starts a VNC server when invoked by AIX inetd
    #
    # Author: Steve Pittman - IBM - 8/17/2012
    #
    # Note: /etc/inetd.conf permits only five arguments on a command, the first of
    # which is the command itself.  So this script can be configured to accept at
    # most four arguments.
    #
    # The first and only argument in this case is the desktop geometry.
    #
    geometry=$1
    fontpath=/usr/lib/X11/fonts/,/usr/lib/X11/fonts/misc/,/usr/lib/X11/fonts/75dpi/
    fontpath=$fontpath,/usr/lib/X11/fonts/100dpi/,/usr/lib/X11/fonts/Type1/
    # -inetd: serve the RFB connection on the socket inetd handed us as stdin/stdout
    # -query localhost: ask the local CDE dtlogin (via XDMCP) to manage this display
    /opt/freeware/bin/Xvnc -desktop 'VNC CDE' -geometry "$geometry" -depth 24 -rfbwait 120000 \
        -fp "$fontpath" -inetd -query localhost
    

    File /usr/local/VNC/CDE/vnccde should be owned by root.system with permissions 755.

  9. Add appropriate entries to /etc/services file:
    #			5860-5900		# Unassigned
    vnccde1			5901/tcp		# VNC with CDE
    vnccde2			5902/tcp		# VNC with CDE
    #			5903-5967		# Unassigned
    

    Note: Once inetd begins listening for a connection on ports 5901 and 5902, the vncserver command will not use X-Windows display numbers 1 or 2.

  10. Add appropriate entries to /etc/inetd.conf file:
    vnccde1	stream	tcp	nowait	root	/usr/local/VNC/CDE/vnccde	vnccde	1024x768
    vnccde2	stream	tcp	nowait	root	/usr/local/VNC/CDE/vnccde	vnccde	800x600
    

    Note: /etc/inetd.conf can be configured to run VNC as nobody rather than root, but then permissions on the /var/adm directory must be changed so that users other than root can write files in the directory, allowing Xvnc to log errors in /var/adm/X?msgs when running as nobody.

  11. Use 'refresh -s inetd' to refresh inetd.
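Before refreshing inetd, the entries added in steps 9 and 10 can be cross-checked. The script below is an added example (not from the original page or IBM): it reads a services file and an inetd.conf, reports the display number each vnccde port occupies, and flags entries that have no tcp port, are not stream/tcp/nowait, do not run as root, or carry too many arguments. The sample files it writes are constructed; on a real host pass /etc/services and /etc/inetd.conf instead.

```shell
#!/bin/sh
# Pre-flight check of the vnccde entries in /etc/services and /etc/inetd.conf
# before 'refresh -s inetd'. For each vnccde* line of inetd.conf it prints the
# TCP port, the X display number inetd will occupy (port - 5900) and the
# geometry argument, and flags lines whose service has no tcp port in services,
# which are not stream/tcp/nowait, which do not run as root (see the /var/adm
# note), or which pass more than the four arguments inetd.conf allows.
# Usage: check_vnccde SERVICES_FILE INETD_CONF  -> exit 0 when every entry is OK
check_vnccde() {
    awk '
        # Pass 1 (services file): remember the tcp port of each vnccde* service
        FNR == NR {
            if ($1 ~ /^vnccde/ && $2 ~ /\/tcp$/) { split($2, p, "/"); port[$1] = p[1] }
            next
        }
        # Pass 2 (inetd.conf): check each vnccde* entry
        $1 ~ /^vnccde/ {
            bad = ""
            if (!($1 in port))                                   bad = bad " no-tcp-port-in-services"
            if ($2 != "stream" || $3 != "tcp" || $4 != "nowait") bad = bad " not-stream-tcp-nowait"
            if ($5 != "root")                                    bad = bad " runs-as-" $5 "-check-/var/adm-perms"
            if (NF - 7 > 4)                                      bad = bad " more-than-4-args"
            if (bad == "")
                printf "OK %s port=%s display=:%d geometry=%s\n", $1, port[$1], port[$1] - 5900, $8
            else { printf "BAD %s%s\n", $1, bad; rc = 1 }
        }
        END { exit rc }' "$1" "$2"
}
# Constructed sample files (modelled on steps 9 and 10), written into directory
# $1. vnccde3 deliberately runs as nobody and vnccde4 has no services entry.
write_samples() {
    cat > "$1/services" <<'EOF'
#         5860-5900   # Unassigned
vnccde1   5901/tcp    # VNC with CDE
vnccde2   5902/tcp    # VNC with CDE
vnccde3   5903/tcp    # VNC with CDE
#         5904-5967   # Unassigned
EOF
    cat > "$1/inetd.conf" <<'EOF'
vnccde1 stream tcp nowait root   /usr/local/VNC/CDE/vnccde vnccde 1024x768
vnccde2 stream tcp nowait root   /usr/local/VNC/CDE/vnccde vnccde 800x600
vnccde3 stream tcp nowait nobody /usr/local/VNC/CDE/vnccde vnccde 640x480
vnccde4 stream tcp nowait root   /usr/local/VNC/CDE/vnccde vnccde 1280x1024
EOF
}
# Demo on the samples; on a real host run: check_vnccde /etc/services /etc/inetd.conf
sampledir=$(mktemp -d) && write_samples "$sampledir"
check_vnccde "$sampledir/services" "$sampledir/inetd.conf" || echo "some entries need attention"
```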

If a VNC client (not a web browser) is pointed at port 5902 (by, for example, specifying server <hostname>:2), then a VNC session should appear in the client window and a CDE login prompt should appear in the session.

Usage notes

When invoked via inetd, Xvnc logs errors in file /var/adm/X?msgs, where '?' is the X-Windows display number chosen by Xvnc as it starts.

By default, CDE logs errors in file /var/dt/Xerrors.

Note: Log files will grow without limit, so some plan to periodically prune them is appropriate.

Logs at $HOME/.dt/startlog and $HOME/.dt/errorlog might also be worth checking.

CDE implements MIT-MAGIC-COOKIE-1 user-based access control, but it is not necessary to specify a -auth parameter on the Xvnc command in the /usr/local/VNC/CDE/vnccde file. That's because CDE generates a cookie and sends it to Xvnc as part of the XDMCP protocol exchange. (Since XDMCP traffic is not encrypted, the cookie can be sniffed off the network.) The cookie is cached in memory by Xvnc (not written to a .Xauthority file). When a user logs in, CDE writes entries to the user's .Xauthority file which include the cookie, thereby granting the user access to the CDE/Xvnc desktop. When the user exits the CDE session and a new session starts (with a new CDE login prompt), CDE generates a new cookie and sends it to Xvnc. The former user loses access to the CDE desktop as a consequence. (Oddly enough, when the CDE login prompt is up, connection attempts by X-Windows clients hang rather than failing until a successful login occurs, at which point the hung clients fail. If you can explain this odd behavior, please login to developerWorks and then use the Add Comment link at the bottom of the page to generate a comment with your explanation. Thanks!)

If the VNC server fails with a message such as, "reading version failed: not an RFB server?", try telnetting to the port to which the VNC server was pointed, which should give an indication of why the /etc/inetd.conf entry is failing:

repoman:/ # telnet localhost 5901
Trying...
Connected to loopback.
Escape character is '^]'.
/usr/local/VNC/CDE/vnccde[14]: Xvnc:  not found
Connection closed.
repoman:/ # 

If the CDE login prompt does not appear on the Xvnc desktop, if there are no useful diagnostic messages in the CDE and Xvnc error logs, and if CDE is not being used for anything else, then the CDE daemon can be stopped and CDE can be started in debug mode:

/usr/dt/bin/dtconfig -kill
rm /var/dt/Xpid
export LANG=C		# Eliminate any need for CDE locale and message filesets
/usr/dt/bin/dtlogin -debug 3

Debugging output will appear on the terminal (SSH?) session where CDE is running.

Known issues

The following error seems to appear frequently in /var/dt/Xerrors:

_X11TransTRANS(ibmSHMConnect) () can't connect: errno = 68

The error message can be reproduced by opening a dtterm window on the CDE desktop and issuing the command 'xclock'. It is interesting to note that xclock works (that is, a clock appears on the CDE desktop) in spite of the error message.

The error does not occur when the vncserver command is used to start a more conventional VNC server. That is, an xclock command issued in the terminal window on a conventional VNC server does not generate the error message. It is, however, possible to induce the error message by setting 'DISPLAY=:?' (where '?' is the X-Windows display number chosen by Xvnc as it starts) and issuing xclock again. In this case, the xclock command fails hard:

repoman:/home/pittman $ xclock
_X11TransTRANS(ibmSHMConnect) () can't connect: errno = 68
Xlib: connection to "localhost:3.0" refused by server
Xlib: Client is not authorized to connect to Server
Error: Can't open display: :3
repoman:/home/pittman $

But if the command 'xauth add $(hostname)/unix$DISPLAY . ba385882576d4d9342be2e78bebcd1ec' (where 'ba385882576d4d9342be2e78bebcd1ec' is the appropriate magic cookie for the $DISPLAY desktop) is then issued, the xclock command throws the error message yet succeeds, just as on a CDE desktop.

The error message does not appear on AIX V5.3, so it seems to be new in AIX V6.1.

Memory requirements

If pmrmemuse is used to analyze VNC/CDE memory use, one finds that two logged-in CDE sessions consume about 35 MB of memory. 20 MB are consumed by processes running as the logged-in user (dtwm, dtsession, ttsession, and dtfile) and 15 MB are consumed by Xvnc processes running as root. The total working set size of all the processes is likely less than 35 MB, so if/when memory gets tight, the memory footprint will be less, but 17.5 MB consumed per user logged in via VNC/CDE seems like a reasonable (somewhat conservative) estimate of memory use.
