IBM Support

CDE ToolTalk Authentication

Question & Answer


Question

CDE ToolTalk Authentication

Answer

This document applies to AIX Version 4.3.3 including CDE Security APAR IY03849 (X11.Dt.ToolTalk 4.3.3.1) and AIX version 5 and later.

Problem
Cause
Technical notes
Solution
    Option 1: ttauth add (recommended)
    Option 2: No security (not recommended)


Problem

Local Display (running CDE)=A
Remote System=B

  1. Telnet to remote system B.
  2. Enter export DISPLAY=A:0.
  3. Next, enter /usr/dt/bin/dtmail.

This results in the following error:

"ToolTalk is not initialized. Mailer cannot run without ToolTalk.
Try starting /usr/dt/bin/dtsession, or contact your System
Administrator."

Cause

This is caused by a new security function introduced to CDE ToolTalk at X11.Dt.ToolTalk 4.3.3.1.


Technical notes

ToolTalk applications create, send, and receive ToolTalk messages to communicate with other applications. Senders create, fill in, and send a message; the ToolTalk service determines the recipients and delivers the message to the recipients. Recipients retrieve messages, examine the information in the message, and then either discard the message or perform an operation and reply with the results.

To prevent unauthorized access to your machine, a new security mechanism (ttauth) was introduced to ToolTalk at level X11.Dt.ToolTalk 4.3.3.1. Like xauth, ttauth implements the MIT Magic Cookie mechanism, which creates a secret password (cookie). When a user logs into CDE, ttsession creates a new cookie and stores it in $HOME/.TTauthority. This cookie is associated with the session's netid.

The ttsession writes the TT_SESSION identifier as a property on the root window or as an environment variable in the client's environment. Only ToolTalk messages that carry a valid cookie for this TT_SESSION are delivered to their recipients.

A summary of the TT_SESSION identifier fields:

  TT_SESSION(STRING) = "01 1433 1342177279 1 1 2002 130.105.9.22 4"

  The identifier is composed of the following elements:

    <Dummy Number>                   = 01
    <ttsession Process Id>           = 1433
    <ttsession Program Number>       = 1342177279
    <Dummy Number>                   = 1
    <ttsession Authorization Level>  = 1
    <ttsession UID>                  = 2002
    <Host IP Address>                = 130.105.9.22
    <RPC Version Number>             = 4

The ToolTalk session identifiers (netid) in the authority file are composed of:

  <ttsession Program Number>
  <ttsession Authorization Level>
  <Host IP Address>
  <RPC Version Number>

as follows: 1342177279/1/130.105.9.22/4

NOTE: See the ttauth manpage for additional information.
(manpage delivered by fileset X11.man.en_US.Dt.rte)


Solution

In order for a user to send a ToolTalk message to ttsession (for example, to invoke any ToolTalk client, like dtpad or dtmail), they need this cookie in their $HOME/.TTauthority file. With the cookie in place, the client's ToolTalk messages are accepted and delivered by the local message server (ttsession).

Example:

Your local display is hostname A. You want to telnet to hostname B. Export your display to A:0 and run a ToolTalk client, such as dtmail.

Local Display=A
Remote System=B

Option 1: ttauth add (recommended)

On Local System A:

  1. Log in to CDE.
  2. Open a dtterm window (run /usr/bin/X11/xhost +B to allow X access for B).
  3. Run /usr/bin/X11/xprop -root | grep TT_SESSION. Example output:
        _SUN_TT_SESSION(STRING) = "01 33458 1342177288 1 3 0 9.41.167.159 4"
        TT_SESSION(STRING) = "01 33458 1342177288 1 3 0 9.41.167.159 4"
     (note the program number AND IP address)
  4. Run /usr/dt/bin/ttauth list | grep 1342177288 | grep 9.41.167.159 and select the output line to copy. You will paste this entire string in step 7. Example output:
        TT "" 1342177288/3/9.41.167.159/4 MIT-MAGIC-COOKIE-1 25751b9ce2997b04dde001079fb957ea00
    
  5. Telnet to remote system B.
  6. Enter export DISPLAY=A:0.
  7. /usr/dt/bin/ttauth add TT "" 1342177288/3/9.41.167.159/4 MIT-MAGIC-COOKIE-1 25751b9ce2997b04dde001079fb957ea00
  8. /usr/dt/bin/dtmail
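The netid derivation described in the technical notes and steps 3, 4 and 7 of Option 1 can be scripted. This is an added example and not part of the IBM technote; it assumes each ttauth list entry is printed on one line (protocol, display name, netid, scheme, cookie, as shown in step 4) and uses constructed sample values instead of running xprop or ttauth.

```shell
#!/bin/sh
# Added example, not from the IBM technote: derive the ToolTalk netid from a
# TT_SESSION value and build the "ttauth add" command (Option 1, step 7) from
# the matching "ttauth list" entry. All sample values are constructed from the
# technote; on a real system they come from "xprop -root" and "ttauth list".

# tt_netid TT_SESSION_VALUE
# Prints <program number>/<authorization level>/<host IP>/<RPC version>, the
# netid used in $HOME/.TTauthority. Field order as documented in the technote:
#   1 dummy, 2 ttsession pid, 3 program number, 4 dummy,
#   5 authorization level, 6 ttsession uid, 7 host IP address, 8 RPC version
tt_netid() {
    set -- $1                         # split the value on whitespace
    [ $# -eq 8 ] || return 1          # refuse a malformed identifier
    printf '%s/%s/%s/%s\n' "$3" "$5" "$7" "$8"
}

# tt_add_command NETID TTAUTH_LIST_OUTPUT
# Scans "ttauth list" output (one entry per line: protocol, display name,
# netid, scheme, cookie) for NETID and prints the exact "ttauth add" command
# to run on the remote system. Returns 1 if no entry matches.
tt_add_command() {
    want=$1
    printf '%s\n' "$2" | {
        while read -r proto name id scheme cookie; do
            [ "$id" = "$want" ] || continue
            # The cookie is a secret: this output grants access to the session.
            printf '/usr/dt/bin/ttauth add %s %s %s %s %s\n' \
                "$proto" "$name" "$id" "$scheme" "$cookie"
            exit 0
        done
        exit 1
    }
}

# Walk-through with the constructed values from the technote's Option 1.
SESSION='01 33458 1342177288 1 3 0 9.41.167.159 4'
LIST='TT "" 1342177288/3/9.41.167.159/4 MIT-MAGIC-COOKIE-1 25751b9ce2997b04dde001079fb957ea00'
tt_add_command "$(tt_netid "$SESSION")" "$LIST"
```

Run it on A after the xhost step, then paste the single printed line into the telnet session on B in place of step 7.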

Option 2: No security (not recommended)

To request no security, start the ttsession on A with the -a none flag. With no security, all messages are delivered without verification. This is not recommended, because it leaves your machine vulnerable to attack.

On Local System A:

  1. vi /usr/dt/bin/Xsession
  2. Change the following line:
         dtstart_ttsession="$DT_BINPATH/ttsession -s  "
    
    to include the "-a none":
         dtstart_ttsession="$DT_BINPATH/ttsession -s -a none "
    
  3. Log in to CDE on local system A.
    NOTE: If you made the changes in #1 within CDE, be sure to log out, then log in again.
  4. Open a dtterm window (run /usr/bin/X11/xhost +B to allow X access for B).
  5. Telnet to remote system B.
  6. Enter export DISPLAY=A:0.
  7. Enter /usr/dt/bin/dtmail.

Historical Number

isg1pTechnote1250

Document Information

More support for:
AIX

Software version:
5.3, 5.2, 5.1, 4.3

Operating system(s):
AIX

Document number:
669585

Modified date:
17 June 2018

UID

isg3T1000511
