Bug 118200

Summary:	YaST XDMCP firewall support and description of /etc/sysconfig/displaymanager DISPLAYMANAGER_REMOTE_ACCESS
Product:	[openSUSE] SUSE LINUX 10.0	Reporter:	Stanislav Brabec <sbrabec>
Component:	Basesystem	Assignee:	Ruediger Oertel <ro>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Enhancement
Priority:	P0 - Crit Sit	CC:	lnussel, ro
Version:	Final
Target Milestone:	---
Hardware:	Other
OS:	All
Whiteboard:
Found By:	Other	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Stanislav Brabec 2005-09-21 11:14:51 UTC

I was surprised by problems while enabling XDMCP. Comment does not say anything
about needed firewall change and XDMCP support is not yet present in SuSE firewall.

AFAIK, xdmcp uses only xdmcp TCP/UDP port and opening it should be sufficient.
If server should be visible (probably yes), it must be able to listen xdmcp
broadcasts.

Proposed text for /etc/sysconfig/displaymanager. Firewall maintainer could
provide more accurate one.

Old:

# Allow remote access to your display manager (xdm/kdm/gdm). Please note
# that a modified kdm or xdm configuration, e.g. by KDE control center
# will not be changed. For gdm, values will be updated after change.

New:

# Allow remote access (XDMCP) to your display manager (xdm/kdm/gdm). Please note
# that a modified kdm or xdm configuration, e.g. by KDE control center
# will not be changed. For gdm, values will be updated after change.
# You have to open XDMCP TCP/UDP firewall port to allow this service.
# If you want to make your server visible, you have to listen XDMCP broadcasts.

Comment 1 Ruediger Oertel 2005-09-21 23:12:43 UTC

well, asking firewall maintainer then ... 
  
Ludwig: ok with that text ?

Comment 2 Lukas Ocilka 2005-09-23 07:58:00 UTC

XDMCP support has been added into the yast2 firewall module...
ms: is that file /etc/sysconfig/displaymanager yours?

Comment 3 Marcus Schaefer 2005-09-23 08:37:58 UTC

no it's Stefans

Comment 4 Stanislav Brabec 2005-09-23 11:39:23 UTC

Well. There is one another configuration option and one another port in the same
file:

# TCP port 6000 of Xserver. When set to "no" (default) Xserver is
# started with "-nolisten tcp". Only set this to "yes" if you really
# need to. Then you have to open TCP port 6000 to allow this access.
# Use ssh X11 port forwarding whenever possible.

DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN="no"

And firewall should contain following ports:

TCP 6000 - X :0 - remote access to X display
and maybe
TCP 6001 - X :1 - remote access to X display
I am not sure whether to open more ports.

Comment 5 Stefan Dirsch 2005-09-24 05:54:15 UTC

Rudi, please make the changes for DISPLAYMANAGER_REMOTE_ACCESS in 
sysconfig.displaymanager mentioned in comment #1 and reassign to Ludwig 
afterwards.

Comment 6 Ludwig Nussel 2005-09-26 09:34:58 UTC

It's just a bunch of tcp and udp ports so no special firewall support needed. 
I'd explicitely mention which ones are needed in the config file though. Btw 
IIRC gdm opens the second display at :20.

Comment 7 Ruediger Oertel 2005-09-27 11:26:36 UTC

comment for DISPLAYMANAGER_REMOTE_ACCESS changed.

Comment 8 Ludwig Nussel 2005-09-27 11:31:09 UTC

I don't see what I am supposed to do.

Comment 9 Stanislav Brabec 2005-09-27 13:49:28 UTC

Reopening, taking the bug.

I will check, what exactly must be done with firewall for following scenarios:

- Private XDMCP server (invisible to others).
- Public XDMCP server (visible to others).
- Remote XDMCP client.
- Server opened for direct use by remote X application.

Comment 10 Stanislav Brabec 2005-10-22 16:18:16 UTC

Ports required for X remote access:

TCP 6000+server_no (it means 6000 for :0, 6001 for :1 etc.)


Ports required for XDMCP client:

TCP 6000+server_no (it means 6000 for :0, 6001 for :1 etc.)
UDP 1025-5999 (all these packets has source port 177)

Other non-critical ports tried by gdm client:
UDP 5353 (multicast DNS)


Ports required for XDMCP server:

UDP 177
UDP broadcast 177 (without it you can create invisible XDMCP server, which can be used by X -query, but invisible for chooser)

Other non critical ports tried by gdm server:

UDP 68 (bootpc, source port = 67)

Comment 11 Michael Radziej 2005-10-24 09:47:25 UTC

Stanislav, what are we supposed to do with your information?

Comment 12 Stanislav Brabec 2005-10-24 10:25:29 UTC

Either Ludwig will decide, that opening UDP port range (or even providing remote X access) is bad. In this case we should change above mentioned commets again and recommend turning firewall off for interfaces, where XDMCP service is provided.

Or it is OK for security team and then YaST2 team should create firewall settings: XDMCP client, XDMCP server, Remote X access and otionally Invisible XDMCP server (without broadcast port).

Please note, that all three services should run only in trusted networks, because are by design vulnerable to DoS and remote X access traffic contains unencrypted key presses.

Comment 13 Ludwig Nussel 2005-10-24 10:40:04 UTC

Opening such a large port range certainly is a bad thing. I agree with Stanislav that xdcmp is a service for trusted networks, ie internal zone or no firewall at all. The internal zone has all ports open anyways. There is no yast frontend for configuring xdcmp right? So no need for extra xdcmp gui options in yast either IMO. I expect noone is going to test them in every release anyways.

Comment 14 Stanislav Brabec 2005-10-24 11:27:27 UTC

There is a YaST sysconfig editor for configuring XDMCP. And help in these options has to be consistent with real behavior. And because default behavior disables both XDMCP and port 6000, we muse cleanly state, that XDMCP server has to be in zone not protected by firewall.

For port 6000, it depends on your decission - either firewall will support it or not. If not, we should say the same in the help of DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN.

Proposed change:

# Allow remote access (XDMCP) to your display manager (xdm/kdm/gdm). Please note
# that a modified kdm or xdm configuration, e.g. by KDE control center
# will not be changed. For gdm, values will be updated after change.
# XDMCP service should run only on trusted networks and you have to disable
# firewall for interfaces, where you want to provide this service.

Comment 15 Michael Radziej 2005-10-24 14:19:35 UTC

Nice, now we're back at comment #1.

Rudi:
mir@chu:src > rpm -qf /var/adm/fillup-templates/sysconfig.displaymanager
aaa_base-10.0-28

Please don't reassign to yast2 ;-)

Comment 16 Stanislav Brabec 2005-10-24 14:40:19 UTC

In this case please also change:

# TCP port 6000 of Xserver. When set to "no" (default) Xserver is
# started with "-nolisten tcp". Only set this to "yes" if you really
# need to. Remote X service should run only on trusted networks and
# you have to disable firewall for interfaces, where you want to
# provide this service. Use ssh X11 port forwarding whenever possible.

Comment 17 Ruediger Oertel 2005-10-26 22:27:33 UTC

both comments updated.