IBM Support

AIX X11: Disable or remove the Common Desktop Environment (CDE)

How To


Summary

Methods to remove or disable CDE

Objective

The Common Desktop Environment (CDE) often triggers security scanning warnings.

Common issues include:

  • ToolTalk Database Server
    • Common Desktop Environment (CDE) applications might use a ToolTalk database server to create and send messages between recipients. Most security hardening guidance recommends disabling this service if it is not required.
  • XDMCP
    • In the Common Desktop Environment (CDE), a remote display can query a login screen (dtgreet) from the AIX host by using 'X -query hostname' through the X Display Manager Control Protocol (XDMCP) on UDP port 177. XDMCP lacks encryption across the internet and is not considered secure by many modern standards. Security scanners might report this configuration as a vulnerability.
      • The best way to enforce X11 traffic security is to disable remote CDE logins and use X11 tunneling or port forwarding through Secure Shell (SSH).
NOTE: If the CDE session management functionality is not required, the CDE file sets can be removed.

Steps

The following list (A-F) provides different options for removing, disabling, or reenabling the CDE login manager and its ToolTalk components. Select the option that suits your security requirements.

A: Remove the Common Desktop Environment (CDE)
A.1) Preview the removal.
# installp -gup X11.Dt

A.2) If you accept the preview, perform the removal, logging the output to the named file:
# installp -e /var/adm/installp.X11Dt.log -gu X11.Dt
B: Disable the CDE Login Manager (Remote and Local Login)
B.1) Kill the current dtlogin processes.
# stopsrc -s dtsrc
# /usr/dt/bin/dtconfig -kill
# ps -ef | grep dtlogin | grep -v grep
# kill -KILL <dtlogin's PID>
Make sure that no dtlogin processes remain open.
# ps -ef | grep dtlogin | grep -v grep
B.2) Clean up the /var files.
# rm /var/dt/Xpid
# mv /var/dt/Xerrors /var/dt/Xerrors.old
B.3) Disable CDE Login Manager in inittab.
# /usr/dt/bin/dtconfig -d
B.4) Review steps in "D.1) Disable the XDMCP listening in the Xconfig file", so you can disable remote logins in case CDE is reenabled.
C: Disable the ToolTalk Database Server (rpc.ttdbserver)
C.1) Kill the rpc.ttdbserver process
# ps -aef | grep rpc.ttdbserverd | grep -v grep 
# kill -KILL <rpc.ttdbserverd's PID> 
C.2) Disable rpc.ttdbserver
# vi  /etc/inetd.conf
Comment out the ttdbserver line by prefixing it with '#', so that it reads:
#ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1
C.3) Refresh the Internet service management daemon (inetd)
# refresh -s inetd 
C.4) Disable the ToolTalk server in the Xsession file.
Check for an existing CDE global customized Xsession file:
# ls -al /etc/dt/bin/Xsession
Make a copy, if it does not exist:
# mkdir -p /etc/dt/bin
# cp /usr/dt/bin/Xsession /etc/dt/bin/Xsession
Edit the customized Xsession to disable the ToolTalk server:
# vi /etc/dt/bin/Xsession
Change the ttsession string:
   -  dtstart_ttsession="$DT_BINPATH/ttsession -s"
   +  dtstart_ttsession="NULL" 
Change permissions for the new /etc/dt directories and files:
# chmod -R 555 /etc/dt
# chown -R bin.bin /etc/dt
D: Disable remote CDE logins
D.1) Disable the XDMCP listening in the Xconfig file.
Check for an existing CDE global customized Xconfig file:
# ls -al /etc/dt/config/Xconfig
Make a copy, if it does not exist:
# mkdir -p /etc/dt/config
# cp /usr/dt/config/Xconfig /etc/dt/config/Xconfig
Edit the customized Xconfig file to disable the XDMCP requests:
# vi /etc/dt/config/Xconfig

Under the comment "#  To disable listening for XDMCP requests from X-terminals:", uncomment the following line so that it reads:
Dtlogin.requestPort:       0

D.2) Stop and restart CDE
# /usr/dt/bin/dtconfig -kill
# ps -ef | grep dtlogin | grep -v grep
# kill -KILL <dtlogin's PID>
# startsrc -s dtsrc
Note: This option leaves the dtlogin daemon running for local login. See Option A to completely disable dtlogin.
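As an added example that is not part of the IBM document, the following POSIX shell audit checks whether the files edited in steps C.2, C.4 and D.1 are in their hardened state. The function names and the sample file contents are constructed for illustration; the real file paths in the comment are the ones the steps above edit.

```shell
#!/bin/sh
# Added audit example, not from the IBM document. Checks that the files changed
# in steps C.2, C.4 and D.1 are in their hardened state. Paths are parameters
# so the checks can run against constructed copies; on a live AIX host pass:
#   audit_cde /etc/dt/config/Xconfig /etc/inetd.conf /etc/dt/bin/Xsession
# A missing file counts as unverified and therefore FAILs.

# Step D.1: an uncommented "Dtlogin.requestPort: 0" turns XDMCP listening off.
xdmcp_disabled() {
    [ -f "$1" ] &&
      grep -q '^[[:space:]]*Dtlogin\.requestPort:[[:space:]]*0[[:space:]]*$' "$1"
}

# Step C.2: no active (uncommented) ttdbserver entry may remain in inetd.conf.
ttdbserver_disabled() {
    [ -f "$1" ] && ! grep -q '^[[:space:]]*ttdbserver[[:space:]]' "$1"
}

# Step C.4: the customized Xsession must no longer start ttsession.
ttsession_disabled() {
    [ -f "$1" ] && ! grep -q '^[[:space:]]*dtstart_ttsession=.*ttsession' "$1"
}

# Prints PASS/FAIL for one check: $1 = check function, $2 = file, $3 = label.
report() {
    if "$1" "$2"; then echo "PASS: $3 ($2)"; else echo "FAIL: $3 ($2)"; return 1; fi
}

# Runs all three checks and returns the number of failed checks.
audit_cde() {
    fails=0
    report xdmcp_disabled      "$1" "XDMCP listening disabled" || fails=$((fails + 1))
    report ttdbserver_disabled "$2" "rpc.ttdbserver disabled"  || fails=$((fails + 1))
    report ttsession_disabled  "$3" "ttsession not started"    || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample files (not copied from a real system) in the hardened
# state described by steps C and D; written into directory $1.
make_hardened_samples() {
    printf '%s\n' '#  To disable listening for XDMCP requests from X-terminals:' \
        'Dtlogin.requestPort:       0' > "$1/Xconfig"
    printf '%s\n' '#ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1' > "$1/inetd.conf"
    printf '%s\n' 'dtstart_ttsession="NULL"' > "$1/Xsession"
}

dir=$(mktemp -d) && make_hardened_samples "$dir"
audit_cde "$dir/Xconfig" "$dir/inetd.conf" "$dir/Xsession"
echo "failed checks: $?"
```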
E: Launch a CDE Xsession without a remote login screen

Users can launch a CDE Session without a remote login screen:

1. Establish an SSH connection with X11 forwarding enabled through any PC X server that supports SSH.
2. Run /usr/dt/bin/Xsession
   - Xsession provides most of the CDE functionality, but not the CDE login screen.

NOTE: There are some third-party Xserver emulators, which provide some types of "Secure XDMCP". These products are not supported through IBM Support, and recommendations exceed the scope of this document.
F: Reenable the CDE Login Manager (Remote and Local Login)
# vi /etc/dt/config/Xconfig

Under the comment "#  To disable listening for XDMCP requests from X-terminals:", comment the following line out again so that it reads:
# Dtlogin.requestPort:       0

Enable the CDE login manager:
# /usr/dt/bin/dtconfig -e
Start the CDE login manager:
# startsrc -s dtsrc

Additional Information

SUPPORT

If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For guidance, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
06 September 2023

UID

ibm10731381