Problems protecting XWindows on Sun Solaris with RSA SecurID
Originally Published: 2001-07-17
Article Number
Applies To
Sun Solaris 2.6
XWindows
Issue
Difficulty following Appendix D: Protecting XWindows Logins in the UNIX Installation Guide
Resolution
Locate the system's display manager configuration files. On a Sun Solaris system these files are usually found in the /usr/dt/config directory; as per the Solaris documentation, they are then copied to /etc/dt/config. This allows Sun to issue new files without overwriting site-specific information.
In the instructions below, the symbol <ACEPROG> is used to represent the ace/prog directory of the ACE/Server, e.g. /export/home/ace/prog/.
1. A change is required to a file called 'Xconfig' in the directory /etc/dt/config/:
- Use an editor such as vi to make the changes required
- Locate the line 'Dtlogin*authorize: False', uncomment it, and save the changes.
For example, after the change has been made it will look like this:
# To disable R4 MIT-MAGIC-COOKIE-1 per-user authorization.
#
Dtlogin*authorize: False
NOTE: Information from the MIT-X consortium describes the MIT-MAGIC-COOKIE as weak security. Implementing SecurID in its place should enhance the general security of your system.
2. Append the contents of <ACEPROG>/XPrompt to the '/etc/dt/config/Xstartup' script as follows:
cd /etc/dt/config
cp Xstartup Xstartup.orig
cat <ACEPROG>/XPrompt >> Xstartup
Ensure the variables DEFVARACE and DEFUSERACE in the Xstartup script are pointing to the correct ACE directory where your ACE/Server software is installed.
3. Add four lines near the top of the /etc/dt/bin/Xsession script.
Xsession looks like this before the changes are made:
#!/bin/ksh
# #########################################################################
#
# Xsession
#
# Common Desktop Environment (CDE)
#
# Configuration script for the Login Manager
#
The Xsession file will look like this after the four lines have been added:
#!/bin/ksh
TESTSHELL=`<ACEPROG>/sdfindshell`
if [ -n "$TESTSHELL" ] ; then
SHELL=$TESTSHELL ; export SHELL
fi
# #########################################################################
#
# Xsession
#
# Common Desktop Environment (CDE)
#
# Configuration script for the Login Manager
#
After making changes to the Xconfig, Xstartup, and Xsession files, it is important to reboot the system to reset the MAGIC-COOKIE used by XWindows.
NOTE: The line TESTSHELL=`<ACEPROG>/sdfindshell` uses backquotes, meaning the value of the variable TESTSHELL is the result of running the command <ACEPROG>/sdfindshell. Using the wrong quote marks will fail to give correct results.
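One way to check the three edits before rebooting, as an added example that is not part of the original article or of the ACE/Server software. The function names are hypothetical, "near the top" is taken to mean the first 10 lines of Xsession, and the appended XPrompt text is recognised only by the DEFVARACE and DEFUSERACE variable names mentioned above.

```shell
#!/bin/sh
# Added example (not RSA's code): verify the Xconfig, Xstartup and Xsession
# edits from steps 1-3. Assumes a POSIX sh and grep.

# Step 1: an active (uncommented) 'Dtlogin*authorize: False' line.
check_xconfig() {
    grep -Eq '^[[:space:]]*Dtlogin\*authorize:[[:space:]]*False[[:space:]]*$' "$1"
}

# Step 2: a backup exists and the appended XPrompt text (identified here by
# the DEFVARACE and DEFUSERACE variable names) is present in Xstartup.
check_xstartup() {
    [ -f "$1.orig" ] && grep -q 'DEFVARACE' "$1" && grep -q 'DEFUSERACE' "$1"
}

# Step 3: the four lines sit near the top of Xsession, with backquotes around
# the sdfindshell call and plain double quotes in the test.
check_xsession() {
    top=$(head -n 10 "$1")
    printf '%s\n' "$top" | grep -Eq '^[[:space:]]*TESTSHELL=`[^`]*/sdfindshell`[[:space:]]*$' &&
    printf '%s\n' "$top" | grep -Fq '[ -n "$TESTSHELL" ]' &&
    printf '%s\n' "$top" | grep -Eq 'SHELL=\$TESTSHELL[[:space:]]*;[[:space:]]*export SHELL'
}

# Run all three checks; print one line per file, return the number of failures.
# $1 = config directory (e.g. /etc/dt/config), $2 = path to Xsession.
verify_xlogin() {
    failures=0
    check_xconfig  "$1/Xconfig"  && echo "OK   Xconfig"  || { echo "FAIL Xconfig";  failures=$((failures + 1)); }
    check_xstartup "$1/Xstartup" && echo "OK   Xstartup" || { echo "FAIL Xstartup"; failures=$((failures + 1)); }
    check_xsession "$2"          && echo "OK   Xsession" || { echo "FAIL Xsession"; failures=$((failures + 1)); }
    return "$failures"
}

# Usage: sh verify_xlogin.sh /etc/dt/config /etc/dt/bin/Xsession
if [ "$#" -eq 2 ]; then
    verify_xlogin "$1" "$2"
fi
```

A FAIL on Xsession most often means the TESTSHELL line was typed with single or typographic quotes instead of backquotes, which is the failure the NOTE above describes.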