Fw: No remote login with GDM3, XDMCP, Xvnc, inetd
andrew glaeser
bugs at irregulaire.info
Wed Sep 2 09:41:40 UTC 2020
Begin forwarded message:
Date: Wed, 2 Sep 2020 11:34:25 +0200
From: andrew glaeser <bugs at irregulaire.info>
To: x11 at FreeBSD.org
Subject: Fw: No remote login with GDM3, XDMCP, Xvnc, inetd
Well, guys, I have tried for two more days, and this is definitely not
workable, no matter how hard you want it to:
This is probably a security issue, see there:
https://help.gnome.org/admin/gdm/stable/security.html.en
https://help.gnome.org/admin/gdm/stable/consolekit.html.en
https://help.gnome.org/admin/gdm/stable/configuration.html.en
There are simply too many details to think about, and for me it is impossible
to tell which one disables XDMCP in particular, and I am not even looking at
any source code.
But the docs also say that XDMCP is even more insecure than the Xorg protocol
itself, even if you stay inside your local or home network. SDDM also does
not provide XDMCP support, as KDM used to, so this is most probably an
option that is no longer recommended, and one should rather use a remote
X session directly. VNC is not necessary while staying in the local net,
because enough network bandwidth is usually available.
> andrew at a68n:~$ xvncviewer bsdpcb:50
> xvncviewer: ConnectToTcpAddr: connect: Connection refused
> Unable to connect to VNC server
> andrew at a68n:~$
>
> root at bsdpcb:~ # cat /etc/xinet.d/Xvnc
> /etc/xinet.d/ not found
>
> root at bsdpcb:~ # cat /etc/xinetd.d/Xvnc
> # This file generated by xconv.pl, included with the xinetd
> # package. xconv.pl was written by Rob Braun (bbraun at synack.net)
> #
> # The file is merely a translation of your inetd.conf file into
> # the equivalent in xinetd.conf syntax. xinetd has many
> # features that may not be taken advantage of with this translation.
> # Please refer to the xinetd.conf man page for more information
> # on how to properly configure xinetd.
>
>
> # The defaults section sets some information for all services
> defaults
> {
> #The maximum number of requests a particular service may handle
> # at once.
> instances = 25
>
> # The type of logging. This logs to a file that is specified.
> # Another option is: SYSLOG syslog_facility [syslog_level]
> log_type = FILE /var/log/servicelog
>
> # What to log when the connection succeeds.
> # PID logs the pid of the server processing the request.
> # HOST logs the remote host's ip address.
> # USERID logs the remote user (using RFC 1413)
> # EXIT logs the exit status of the server.
> # DURATION logs the duration of the session.
> log_on_success = HOST PID
>
> # What to log when the connection fails. Same options as above
> log_on_failure = HOST
>
> # The maximum number of connections a specific IP address can
> # have to a specific service.
> per_source = 5
> }
>
> service 5950
> {
> flags = NAMEINARGS
> type = UNLISTED
> disble = no
> socket_type = stream
> protocol = tcp
> wait = no
> user = gdm
> server = /usr/local/bin/Xvnc
> server_args = Xvnc -inetd -query localhost -once securitytypes=none
> }
>
> root at bsdpcb:~ #
> root at bsdpcb:~ # cat /usr/local/etc/gdm/custom.conf
> # GDM configuration storage
>
> [daemon]
> # Uncoment the line below to force the login screen to use Xorg
> WaylandEnable=false
>
> HaltCommand=/sbin/shutdown -p now
> RebootCommand=/sbin/shutdown -r now
>
> [security]
> DisallowTCP=false
>
> [xdmcp]
> DisplaysPerHost=2
> Enable=true
>
> [chooser]
>
> [debug]
> # Uncomment the line below to turn on debugging
> Enable=true
>
> https://attachment.irregulaire.info/gdm-logs.tx.xz
Begin forwarded message:
Date: Sun, 30 Aug 2020 11:18:15 +0200
From: andrew glaeser <bugs at irregulaire.info>
To: x11 at FreeBSD.org
Subject: Fw: No remote login with GDM3, XDMCP, Xvnc, inetd
> ..
> .
> .
> > SEE ALSO
> > ipsec_set_policy(3), hosts_access(5), hosts_options(5),
> > login.conf(5), netconfig(5), passwd(5), rpc(5), services(5), comsat(8),
> > fingerd(8), ftpd(8), rlogind(8), rpcbind(8), rshd(8), talkd(8),
> > telnetd(8), tftpd(8)
> >
> > Michael C. St. Johns, Identification Protocol, RFC1413.
> >
> > HISTORY
> > The inetd utility appeared in 4.3BSD. TCPMUX is based on code and
> > documentation by Mark Lottor. Support for ONC RPC based services is
> > modeled after that provided by SunOS 4.1. The IPsec hack was
> > contributed by the KAME project in 1999. The FreeBSD TCP Wrappers support
> > first appeared in FreeBSD 3.2.
> >
> > FreeBSD 12.1-RELEASE-p8 January 12, 2008 FreeBSD 12.1-RELEASE-p8
> > root at bsdpcb:~ # cd /usr/ports
> > root at bsdpcb:/usr/ports # ls
> > root at bsdpcb:/usr/ports # cd security/
> > root at bsdpcb:/usr/ports/security # ls
> > root at bsdpcb:/usr/ports/security #
> > root at bsdpcb:/usr/ports/security # cd xinetd/
> > root at bsdpcb:/usr/ports/security/xinetd # make install
> >
> > ┌───────────── xinetd-2.3.15_2 ─────────────────────┐
> > │ +[x] IPV6     IPv6 protocol support               │
> > │ +[x] LIBWRAP  TCP wrapper support                 │
> > │ +[x] XCONV    Install xconv utility (requires perl) │
> > ├───────────────────────────────────────────────────┤
> > │            < OK >            <Cancel>             │
> > └───────────────────────────────────────────────────┘
> >
> > ===> License XINETD accepted by the user
> > ===> xinetd-2.3.15_2 depends on file: /usr/local/sbin/pkg - found
> > => xinetd-2.3.15.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
> > => Attempting to fetch http://gentoo.mirrors.pair.com/distfiles/xinetd-2.3.15.tar.gz
> > fetch: http://gentoo.mirrors.pair.com/distfiles/xinetd-2.3.15.tar.gz: Operation timed out
> > => Attempting to fetch http://mirrors.tds.net/pub/gentoo/distfiles/xinetd-2.3.15.tar.gz
> > xinetd-2.3.15.tar.gz 302 kB 210 kBps 01s
> > ===> Fetching all distfiles required by xinetd-2.3.15_2 for building
> > ===> Extracting for xinetd-2.3.15_2
> > => SHA256 Checksum OK for xinetd-2.3.15.tar.gz.
> > ===> Patching for xinetd-2.3.15_2
> > ===> Applying FreeBSD patches for xinetd-2.3.15_2 from /usr/ports/security/xinetd/files
> > ===> Configuring for xinetd-2.3.15_2
> > configure: loading site script /usr/ports/Templates/config.site
> > checking build system type... amd64-portbld-freebsd12.1
> > checking host system type... amd64-portbld-freebsd12.1
> > checking target system type... amd64-portbld-freebsd12.1
> > checking for gcc... cc
> > checking for C compiler default output file name... a.out
> > checking whether the C compiler works... yes
> > checking whether we are cross compiling... no
> > ===> Building for xinetd-2.3.15_2
> > unsigned count, ... ) ^
> > ./itox.c:295:18: warning: passing a parameter declared with the 'register'
> > keyword to 'va_start' has undefined behavior [-Wvarargs] va_start( ap,
> > count ) ; ^
> > ./itox.c:271:47: note: parameter of type 'unsigned int' is declared here
> > static char *make_pathname( register unsigned count, ... )
> > ^
> > 4 warnings generated.
> > --- xinetd ---
> > cc -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -O2 -pipe
> > -fstack-protector-strong -fno-strict-aliasing -I../libs/include -o xinetd
> > access.o addr.o builtins.o child.o conf.o confparse.o connection.o
> > env.o ident.o init.o int.o intcommon.o internals.o log.o logctl.o
> > main.o msg.o nvlists.o parse.o parsesup.o parsers.o reconfig.o
> > retry.o sconf.o sensor.o server.o service.o signals.o special.o
> > tcpint.o time.o udpint.o util.o redirect.o xgetloadavg.o options.o
> > includedir.o xtimer.o inet.o xmdns.o -fstack-protector-strong
> > -L../libs/lib -lsio -lmisc -lxlog -lportable -lstr -lpwrap -lm -lcrypt
> > -lcompat || rm -f xinetd ===> Staging for xinetd-2.3.15_2 ===>
> > xinetd-2.3.15_2 depends on package:
> > perl5>=5.30.r1<5.31 - found ===> Generating temporary packing list
> > perl5>install -s -m
> > perl5>555 /usr/ports/security/xinetd/work/xinetd-2.3.15/xinetd/xinetd /usr/ports/security/xinetd/work/stage/usr/local/sbin/xinetd
> > perl5>install -m
> > perl5>555 /usr/ports/security/xinetd/work/xinetd-2.3.15/xinetd/xconv.pl /usr/ports/security/xinetd/work/stage/usr/local/bin/xconv
> > perl5>install -m
> > perl5>444 /usr/ports/security/xinetd/work/xinetd-2.3.15/xinetd/xinetd.conf.man /usr/ports/security/xinetd/work/stage/usr/local/man/man5/xinetd.conf.5
> > perl5>install -m
> > perl5>444 /usr/ports/security/xinetd/work/xinetd-2.3.15/xinetd/xconv.pl.8 /usr/ports/security/xinetd/work/stage/usr/local/man/man8/xconv.8
> > perl5>install -m
> > perl5>444 /usr/ports/security/xinetd/work/xinetd-2.3.15/xinetd/xinetd.man /usr/ports/security/xinetd/work/stage/usr/local/man/man8/xinetd.8
> > perl5>install -m
> > perl5>444 /usr/ports/security/xinetd/work/xinetd-2.3.15/xinetd/xinetd.log.man /usr/ports/security/xinetd/work/stage/usr/local/man/man8/xinetd.log.8
> > perl5>====> Compressing man pages (compress-man)
> > ===> Staging rc.d startup script(s)
> > ===> Installing for xinetd-2.3.15_2
> > ===> Checking if xinetd is already installed
> > ===> Registering installation for xinetd-2.3.15_2
> > Installing xinetd-2.3.15_2...
> > ===> SECURITY REPORT:
> > This port has installed the following files which may act as network
> > servers and may therefore pose a remote security risk to the system.
> > /usr/local/sbin/xinetd
> >
> > If there are vulnerabilities in these programs there may be a
> > security risk to the system. FreeBSD makes no guarantee about the
> > security of ports included in the Ports Collection. Please type 'make
> > deinstall' to deinstall the port if this is a concern.
> >
> > For more information, and contact details about the security
> > status of this software, see the following webpage:
> > http://www.xinetd.org/
> > root at bsdpcb:/usr/ports/security/xinetd #
>
Not bad, aye?
No, excellent, but requires some more research on how to translate
inetd-configuration to xinetd ...
.
.
.
Here you are:
> root at bsdpcb:/usr/ports/security/xinetd # service xinetd restart
> xinetd not running? (check /var/run/xinetd.pid).
> Starting xinetd.
> root at bsdpcb:/usr/ports/security/xinetd # cat /var/run/xinetd.pid
> 27431
> root at bsdpcb:/usr/ports/security/xinetd # cat /etc/xindetd.conf
> cat: /etc/xindetd.conf: No such file or directory
> root at bsdpcb:/usr/ports/security/xinetd # cat /etc/xinetd.conf
> service Xvnc {
> type = UNLISTED
> disable = no
> socket_type = stream
> protocol = tcp
> wait = no
> user = root
> server = /usr/local/bin/Xvnc
> server_args = -inetd -query localhost -once -securitytypes=none -geometry 1024x768
> port = 5950
> }
>
> root at bsdpcb:/usr/ports/security/xinetd # cat /etc/rc.conf
> clear_tmp_enable="YES"
> syslogd_flags="-ss"
> sendmail_enable="NONE"
> hostname="bsdpcb"
> keymap="de.noacc.kbd"
> ifconfig_bge0="inet 192.168.0.110 netmask 255.255.255.0"
> defaultrouter="192.168.0.231"
> ifconfig_bge0_ipv6="inet6 accept_rtadv"
> sshd_enable="YES"
> moused_enable="YES"
> ntpd_enable="YES"
> powerd_enable="YES"
> powerd_flags="-a minimum"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> zfs_enable="YES"
> dbus_enable="YES"
> hald_enable="YES"
> #sddm_enable="YES"
> gdm_enable="YES"
> kld_list="amdgpu"
> gnome_enable="YES"
> #inetd_enable="YES"
> xinetd_enable="YES"
>
> root at bsdpcb:/usr/ports/security/xinetd #
You try it out, that's all.
Begin forwarded message:
Date: Fri, 28 Aug 2020 12:40:06 +0200
From: andrew glaeser <bugs at irregulaire.info>
To: x11 at FreeBSD.org
Subject: Fw: No remote login with GDM3, XDMCP, Xvnc, inetd
- - - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Oh, well I have a hint here, that xinetd does exist:
[https://www.freshports.org/security/xinetd/]
> xinetd Replacement for inetd with better control and logging
> 2.3.15_2 security on this many watch lists=36 search for ports that depend
> on this port An older version of this port was marked as vulnerable. Find
> issues related to this port Report an issue related to this port View this
> port on Repology. 2.3.15_2 Maintainer: garga at FreeBSD.org search for ports
> maintained by this maintainer Port Added: unknown Last Update: 2019-10-09
> 13:20:31 SVN Revision: 514144
>
> People watching this port, also watch: nmap, sudo, wget, gmake, openssl
> License: XINETD
> Description:
> Xinetd is a replacement for inetd, the internet services daemon.
>
> Xinetd is not just an inetd replacement. Anybody can use it to
> start servers that don't require privileged ports because xinetd
> does not require that the services in its configuration file be
> listed in /etc/services.
>
> Its configuration file has a different format than inetd's one
> and it understands different signals. However the signal-to-action
> assignment can be changed.
>
> WWW: http://www.xinetd.org/
> SVNWeb : Homepage
> pkg-plist: as obtained via: make generate-plist
This little tech-poem tells me the problem might be /etc/services, and
of course that I have not read the full manual to classic inetd.
So for me the way to go is to try out xinetd-port, since the package
delivered some sort of success to me already once.
If this works, next question would be how to invoke Xvnc, so it gives a
behaviour similar to x2go-server, i.e. don't die upon logout, but keep on
running (potentially forever) and wait for reconnect...
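The xinetd.conf quoted in the message starts Xvnc as root with `-securitytypes=none` and sets neither `only_from` nor `bind`, so the unauthenticated VNC port is offered on every interface. As an added example (not part of the original message and not xinetd's own tooling), this Python sketch parses xinetd service blocks and flags those four settings; the function names and the rule set are assumptions, and a `defaults` section is not taken into account.

```python
import re

# Constructed sample: the Xvnc block from the message above, with the
# mail-wrapped server_args / port lines rejoined.
SAMPLE_CONF = """\
service Xvnc {
    type = UNLISTED
    disable = no
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/local/bin/Xvnc
    server_args = -inetd -query localhost -once -securitytypes=none -geometry 1024x768
    port = 5950
}
"""

def parse_services(text):
    """Return {service name: {attribute: value}} for every service block."""
    services = {}
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in map(str.strip, body.splitlines()):
            if line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # first '=' only: args contain '='
            attrs[key.rstrip(" +-")] = value.strip()
        services[name] = attrs
    return services

def audit(attrs):
    """List exposure findings for one service block (hypothetical rule set)."""
    if attrs.get("disable", "no") == "yes":
        return []
    findings = []
    if re.search(r"-securitytypes[= ]none\b", attrs.get("server_args", "").lower()):
        findings.append("VNC authentication disabled (-securitytypes=none)")
    if attrs.get("user") == "root":
        findings.append("server runs as root")
    if "only_from" not in attrs:
        findings.append("no only_from source restriction")
    if "bind" not in attrs and "interface" not in attrs:
        findings.append("no bind address, listens on every interface")
    return findings

if __name__ == "__main__":
    for name, attrs in parse_services(SAMPLE_CONF).items():
        print(name, audit(attrs))
```

Adding `bind = 127.0.0.1` and `only_from = 127.0.0.1` to the block clears the last two findings; the port is then reachable only from the host itself, for instance through the sshd that rc.conf already enables.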