XDM(1)                      General Commands Manual                     XDM(1)

       xdm - X Display Manager with support for XDMCP, host chooser

       xdm [ -config configuration_file ] [ -nodaemon ] [ -debug debug_level ]
       [ -error error_log_file ] [ -resources resource_file ] [ -server
       server_entry ] [ -session session_program ]

       Xdm manages a collection of X displays, which may be on the local host
       or remote servers.  The design of xdm was guided by the needs of X
       terminals as well as The Open Group standard XDMCP, the X Display
       Manager Control Protocol.  Xdm provides services similar to those
       provided by init, getty and login on character terminals: prompting for
       login name and password, authenticating the user, and running a

       A ``session'' is defined by the lifetime of a particular process; in
       the traditional character-based terminal world, it is the user's login
       shell.  In the xdm context, it is an arbitrary session manager.  This
       is because in a windowing environment, a user's login shell process
       does not necessarily have any terminal-like interface with which to
       connect.  When a real session manager is not available, a window
       manager or terminal emulator is typically used as the ``session
       manager,'' meaning that termination of this process terminates the
       user's session.

       When the session is terminated, xdm resets the X server and
       (optionally) restarts the whole process.

       When xdm receives an Indirect query via XDMCP, it can run a chooser
       process to perform an XDMCP BroadcastQuery (or an XDMCP Query to
       specified hosts) on behalf of the display and offer a menu of possible
       hosts that offer XDMCP display management.  This feature is useful with
       X terminals that do not offer a host menu themselves.

       Xdm can be configured to ignore BroadcastQuery messages from selected
       hosts.  This is useful when you don't want the host to appear in menus
       produced by chooser or X terminals themselves.

       Because xdm provides the first interface that users will see, it is
       designed to be simple to use and easy to customize to the needs of a
       particular site.  Xdm has many options, most of which have reasonable
       defaults.  Browse through the various sections of this manual, picking
       and choosing the things you want to change.  Pay particular attention
       to the Session Program section, which will describe how to set up the
       style of session desired.

       xdm is highly configurable, and most of its behavior can be controlled
       by resource files and shell scripts.  The names of these files
       themselves are resources read from the file xdm-config or the file
       named by the -config option.

       xdm offers display management two different ways.  It can manage X
       servers running on the local machine and specified in Xservers, and it
       can manage remote X servers (typically X terminals) using XDMCP (the
       XDM Control Protocol) as specified in the Xaccess file.

       The resources of the X clients run by xdm outside the user's session,
       including xdm's own login window, can be affected by setting resources
       in the Xresources file.

       For X terminals that do not offer a menu of hosts to get display
       management from, xdm can collect willing hosts and run the chooser
       program to offer the user a menu.  For X displays attached to a host,
       this step is typically not used, as the local host does the display

       After resetting the X server, xdm runs the Xsetup script to assist in
       setting up the screen the user sees along with the xlogin widget.

       The xlogin widget, which xdm presents, offers the familiar login and
       password prompts.

       After the user logs in, xdm runs the Xstartup script as root.

       Then xdm runs the Xsession script as the user.  This system session
       file may do some additional startup and typically runs the .xsession
       script in the user's home directory.  When the Xsession script exits,
       the session is over.

       At the end of the session, the Xreset script is run to clean up, the X
       server is reset, and the cycle starts over.

       The file  /var/log/xdm.log will contain error messages from xdm and
       anything output to stderr by Xsetup, Xstartup, Xsession or Xreset.
       When you have trouble getting xdm working, check this file to see if
       xdm has any clues to the trouble.

       All of these options, except -config itself, specify values that can
       also be specified in the configuration file as resources.

       -config configuration_file
              Names the configuration file, which specifies resources to
              control the behavior of xdm.  /etc/X11/xdm/xdm-config is the
              default.  See the section Configuration File.

              Specifies ``false'' as the value for the
              DisplayManager.daemonMode resource.  This suppresses the normal
              daemon behavior, which is for xdm to close all file descriptors,
              disassociate itself from the controlling terminal, and put
              itself in the background when it first starts up.

       -debug debug_level
              Specifies the numeric value for the DisplayManager.debugLevel
              resource.  A non-zero value causes xdm to print lots of
              debugging statements to the terminal; it also disables the
              DisplayManager.daemonMode resource, forcing xdm to run
              synchronously.  To interpret these debugging messages, a copy of
              the source code for xdm is almost a necessity.  No attempt has
              been made to rationalize or standardize the output.

       -error error_log_file
              Specifies the value for the DisplayManager.errorLogFile
              resource.  This file contains errors from xdm as well as
              anything written to stderr by the various scripts and programs
              run during the progress of the session.

       -resources resource_file
              Specifies the value for the DisplayManager*resources resource.
              This file is loaded using xrdb(1) to specify configuration
              parameters for the authentication widget.

       -server server_entry
              Specifies the value for the DisplayManager.servers resource.
              See the section Local Server Specification for a description of
              this resource.

       -udpPort port_number
              Specifies the value for the DisplayManager.requestPort resource.
              This sets the port-number which xdm will monitor for XDMCP
              requests.  If set to 0, xdm will not listen for XDMCP or Chooser
              requests.  As XDMCP uses the registered well-known UDP port 177,
              this resource should not be changed to a value other than 0,
              except for debugging.

       -session session_program
              Specifies the value for the DisplayManager*session resource.
              This indicates the program to run as the session after the user
              has logged in.

       -xrm resource_specification
              Allows an arbitrary resource to be specified, as in most X
              Toolkit applications.

       At many stages the actions of xdm can be controlled through the use of
       its configuration file, which is in the X resource format.  Some
       resources modify the behavior of xdm on all displays, while others
       modify its behavior on a single display.  Where actions relate to a
       specific display, the display name is inserted into the resource name
       between ``DisplayManager'' and the final resource name segment.

       For local displays, the resource name and class are as read from the
       Xservers file.

       For remote displays, the resource name is what the network address of
       the display resolves to.  See the removeDomain resource.  The name must
       match exactly; xdm is not aware of all the network aliases that might
       reach a given display.  If the name resolve fails, the address is used.
       The resource class is as sent by the display in the XDMCP Manage

       Because the resource manager uses colons to separate the name of the
       resource from its value and dots to separate resource name parts, xdm
       substitutes underscores for both dots and colons when generating the
       resource name.  For example, DisplayManager.expo_x_org_0.startup is the
       name of the resource which defines the startup shell file for the
       ``expo.x.org:0'' display.

              This resource either specifies a file name full of server
              entries, one per line (if the value starts with a slash), or a
              single server entry.  See the section Local Server Specification
              for the details.

              This indicates the UDP port number which xdm uses to listen for
              incoming XDMCP requests.  Unless you need to debug the system,
              leave this with its default value of 177.

              Error output is normally directed at the system console.  To
              redirect it, set this resource to a file name.  A method to send
              these messages to syslog should be developed for systems which
              support it; however, the wide variety of interfaces precludes
              any system-independent implementation.  This file also contains
              any output directed to stderr by the Xsetup, Xstartup, Xsession
              and Xreset files, so it will contain descriptions of problems in
              those scripts as well.

              If the integer value of this resource is greater than zero,
              reams of debugging information will be printed.  It also
              disables daemon mode, which would redirect the information into
              the bit-bucket, and allows non-root users to run xdm, which
              would normally not be useful.

              Normally, xdm attempts to make itself into a daemon process
              unassociated with any terminal.  This is accomplished by forking
              and leaving the parent process to exit, then closing file
              descriptors and releasing the controlling terminal.  In some
              environments this is not desired (in particular, when
              debugging).  Setting this resource to ``false'' will disable
              this feature.

              The filename specified will be created to contain an ASCII
              representation of the process-id of the main xdm process.  Xdm
              also uses file locking on this file to attempt to eliminate
              multiple daemons running on the same machine, which would cause
              quite a bit of havoc.

              This is the resource which controls whether xdm uses file
              locking to keep multiple display managers from running amok.  On
              System V, this uses the lockf library call, while on BSD it uses

              This names a directory under which xdm stores authorization
              files while initializing the session.  The default value is
              /var/lib/xdm.  Can be overridden for specific displays by

              This boolean controls whether xdm rescans the configuration,
              servers, access control and authentication keys files after a
              session terminates and the files have changed.  By default it is
              ``true.''  You can force xdm to reread these files by sending a
              SIGHUP to the main process.

              When computing the display name for XDMCP clients, the name
              resolver will typically create a fully qualified host name for
              the terminal.  As this is sometimes confusing, xdm will remove
              the domain name portion of the host name if it is the same as
              the domain name of the local host when this variable is set.  By
              default the value is ``true.''

              XDM-AUTHENTICATION-1 style XDMCP authentication requires that a
              private key be shared between xdm and the terminal.  This
              resource specifies the file containing those values.  Each entry
              in the file consists of a display name and the shared key.  By
              default, xdm does not include support for XDM-AUTHENTICATION-1,
              as it requires DES which is not generally distributable because
              of United States export restrictions.

              To prevent unauthorized XDMCP service and to allow forwarding of
              XDMCP IndirectQuery requests, this file contains a database of
              hostnames which are either allowed direct access to this
              machine, or have a list of hosts to which queries should be
              forwarded to.  The format of this file is described in the
              section XDMCP Access Control.

              A list of additional environment variables, separated by white
              space, to pass on to the Xsetup, Xstartup, Xsession, and Xreset

              A file to checksum to generate the seed of authorization keys.
              This should be a file that changes frequently.  The default is

              A file to read 8 bytes from to generate the seed of
              authorization keys.  The default is  /dev/urandom . If this file
              cannot be read, or if a read blocks for more than 5 seconds, xdm
              falls back to using a checksum of DisplayManager.randomFile to
              generate the seed.


              A UNIX domain socket name or a TCP socket port number on local
              host on which a Pseudo-Random Number Generator Daemon, like EGD
              (http://egd.sourceforge.net) is listening, in order to generate
              the autorization keys. Either a non null port or a valid socket
              name must be specified. The default is to use the Unix-domain
              socket /tmp/entropy.

       On systems that don't have such a daemon, a fall-back entropy gathering
       system, based on various log file contents hashed by the MD5 algorithm
       is used instead.

              On systems that support a dynamically-loadable greeter library,
              the name of the library.  The default is

              Number of seconds to wait for display to respond after user has
              selected a host from the chooser.  If the display sends an XDMCP
              IndirectQuery within this time, the request is forwarded to the
              chosen host.  Otherwise, it is assumed to be from a new session
              and the chooser is offered again.  Default is 15.

              Use the numeric IP address of the incoming connection on
              multihomed hosts instead of the host name. This is to avoid
              trying to connect on the wrong interface which might be down at
              this time.

              This specifies a program which is run (as) root when an an XDMCP
              BroadcastQuery is received and this host is configured to offer
              XDMCP display management. The output of this program may be
              displayed on a chooser window.  If no program is specified, the
              string Willing to manage is sent.

              This resource specifies the name of the file to be loaded by
              xrdb as the resource database onto the root window of screen 0
              of the display.  The Xsetup program, the Login widget, and
              chooser will use the resources set in this file.  This resource
              data base is loaded just before the authentication procedure is
              started, so it can control the appearance of the login window.
              See the section Authentication Widget, which describes the
              various resources that are appropriate to place in this file.
              There is no default value for this resource, but
               /etc/X11/xdm/Xresources is the conventional name.

              Specifies the program run to offer a host menu for Indirect
              queries redirected to the special host name CHOOSER.
               /usr/lib/X11/xdm/chooser  is the default.  See the sections
              XDMCP Access Control and Chooser.

              Specifies the program used to load the resources.  By default,
              xdm uses  /usr/bin/xrdb.

              This specifies the name of the C preprocessor which is used by

              This specifies a program which is run (as root) before offering
              the Login window.  This may be used to change the appearance of
              the screen around the Login window or to put up other windows
              (e.g., you may want to run xconsole here).  By default, no
              program is run.  The conventional name for a file used here is
              Xsetup.  See the section Setup Program.

              This specifies a program which is run (as root) after the
              authentication process succeeds.  By default, no program is run.
              The conventional name for a file used here is Xstartup.  See the
              section Startup Program.

              This specifies the session to be executed (not running as root).
              By default,  /usr/bin/xterm is run.  The conventional name is
              Xsession.  See the section Session Program.

              This specifies a program which is run (as root) after the
              session terminates.  By default, no program is run.  The
              conventional name is Xreset.  See the section Reset Program.





              These numeric resources control the behavior of xdm when
              attempting to open intransigent servers.  openDelay is the
              length of the pause in seconds between successive attempts,
              openRepeat is the number of attempts to make, openTimeout is the
              amount of time to wait while actually attempting the open (i.e.,
              the maximum time spent in the connect(2) system call) and
              startAttempts is the number of times this entire process is done
              before giving up on the server.  After openRepeat attempts have
              been made, or if openTimeout seconds elapse in any particular
              attempt, xdm terminates and restarts the server, attempting to
              connect again.  This process is repeated startAttempts times, at
              which point the display is declared dead and disabled.  Although
              this behavior may seem arbitrary, it has been empirically
              developed and works quite well on most systems.  The bound
              reservAttempts is the number of times a successful connect is
              allowed to be followed by a fatal error.  When reached, the
              display is disabled.  The default values are openDelay: 15,
              openRepeat: 5, openTimeout: 120, startAttempts: 4 and
              reservAttempts: 2.


              To discover when remote displays disappear, xdm occasionally
              pings them, using an X connection and XSync calls.  pingInterval
              specifies the time (in minutes) between each ping attempt,
              pingTimeout specifies the maximum amount of time (in minutes) to
              wait for the terminal to respond to the request.  If the
              terminal does not respond, the session is declared dead and
              terminated.  By default, both are set to 5 minutes.  If you
              frequently use X terminals which can become isolated from the
              managing host, you may wish to increase this value.  The only
              worry is that sessions will continue to exist after the terminal
              has been accidentally disabled.  xdm will not ping local
              displays.  Although it would seem harmless, it is unpleasant
              when the workstation session is terminated as a result of the
              server hanging for NFS service and not responding to the ping.

              This boolean resource specifies whether the X server should be
              terminated when a session terminates (instead of resetting it).
              This option can be used when the server tends to grow without
              bound over time, in order to limit the amount of time the server
              is run.  The default value is ``false.''

              Xdm sets the PATH environment variable for the session to this
              value.  It should be a colon separated list of directories; see
              sh(1) for a full description.  The default value is

              Xdm sets the PATH environment variable for the startup and reset
              scripts to the value of this resource.  The default for this
              resource is ``/etc:/bin:/usr/bin:/usr/bin:/usr/ucb''.  Note the
              absence of ``.'' from this entry.  This is a good practice to
              follow for root; it avoids many common Trojan Horse system
              penetration schemes.

              Xdm sets the SHELL environment variable for the startup and
              reset scripts to the value of this resource.  It is /bin/sh by

              If the default session fails to execute, xdm will fall back to
              this program.  This program is executed with no arguments, but
              executes using the same environment variables as the session
              would have had (see the section Session Program).  By default,
              /usr/bin/xterm is used.


              To improve security, xdm grabs the server and keyboard while
              reading the login name and password.  The grabServer resource
              specifies if the server should be held for the duration of the
              name/password reading.  When ``false,'' the server is ungrabbed
              after the keyboard grab succeeds, otherwise the server is
              grabbed until just before the session begins.  The default is
              ``false.''  The grabTimeout resource specifies the maximum time
              xdm will wait for the grab to succeed.  The grab may fail if
              some other client has the server grabbed, or possibly if the
              network latencies are very high.  This resource has a default
              value of 3 seconds; you should be cautious when raising it, as a
              user can be spoofed by a look-alike window on the display.  If
              the grab fails, xdm kills and restarts the server (if possible)
              and the session.


              authorize is a boolean resource which controls whether xdm
              generates and uses authorization for the local server
              connections.  If authorization is used, authName is a list of
              authorization mechanisms to use, separated by white space.
              XDMCP connections dynamically specify which authorization
              mechanisms are supported, so authName is ignored in this case.
              When authorize is set for a display and authorization is not
              available, the user is informed by having a different message
              displayed in the login widget.  By default, authorize is
              ``true,''  authName is ``MIT-MAGIC-COOKIE-1,'' or, if XDM-
              AUTHORIZATION-1 is available, ``XDM-AUTHORIZATION-1 MIT-MAGIC-

              This file is used to communicate the authorization data from xdm
              to the server, using the -auth server command line option.  It
              should be kept in a directory which is not world-writable as it
              could easily be removed, disabling the authorization mechanism
              in the server.  If not specified, a name is generated from
              DisplayManager.authDir and the name of the display.

              If set to ``false,'' disables the use of the unsecureGreeting in
              the login window.  See the section Authentication Widget.  The
              default is ``true.''

              The number of the signal xdm sends to reset the server.  See the
              section Controlling the Server.  The default is 1 (SIGHUP).

              The number of the signal xdm sends to terminate the server.  See
              the section Controlling the Server.  The default is 15

              The original implementation of authorization in the sample
              server reread the authorization file at server reset time,
              instead of when checking the initial connection.  As xdm
              generates the authorization information just before connecting
              to the display, an old server would not get up-to-date
              authorization information.  This resource causes xdm to send
              SIGHUP to the server after setting up the file, causing an
              additional server reset to occur, during which time the new
              authorization information will be read.  The default is
              ``false,'' which will work for all MIT servers.

              When xdm is unable to write to the usual user authorization file
              ($HOME/.Xauthority), it creates a unique file name in this
              directory and points the environment variable XAUTHORITY at the
              created file.  It uses /tmp by default.

       First, the xdm configuration file should be set up.  Make a directory
       (usually  /etc/X11/xdm) to contain all of the relevant files.

       Here is a reasonable configuration file, which could be named xdm-

            DisplayManager.servers:            /etc/X11/xdm/Xservers
            DisplayManager.errorLogFile:       /var/log/xdm.log
            DisplayManager*resources:          /etc/X11/xdm/Xresources
            DisplayManager*startup:            /etc/X11/xdm/Xstartup
            DisplayManager*session:            /etc/X11/xdm/Xsession
            DisplayManager.pidFile:            /var/run/xdm-pid
            DisplayManager._0.authorize:       true
            DisplayManager*authorize:          false

       Note that this file mostly contains references to other files.  Note
       also that some of the resources are specified with ``*'' separating the
       components.  These resources can be made unique for each different
       display, by replacing the ``*'' with the display-name, but normally
       this is not very useful.  See the Resources section for a complete

       The database file specified by the DisplayManager.accessFile provides
       information which xdm uses to control access from displays requesting
       XDMCP service.  This file contains three types of entries:  entries
       which control the response to Direct and Broadcast queries, entries
       which control the response to Indirect queries, and macro definitions.

       The format of the Direct entries is simple, either a host name or a
       pattern, which is distinguished from a host name by the inclusion of
       one or more meta characters (`*' matches any sequence of 0 or more
       characters, and `?' matches any single character) which are compared
       against the host name of the display device.  If the entry is a host
       name, all comparisons are done using network addresses, so any name
       which converts to the correct network address may be used.  For
       patterns, only canonical host names are used in the comparison, so
       ensure that you do not attempt to match aliases.  Preceding either a
       host name or a pattern with a `!' character causes hosts which match
       that entry to be excluded.

       To only respond to Direct queries for a host or pattern, it can be
       followed by the optional ``NOBROADCAST'' keyword.  This can be used to
       prevent an xdm server from appearing on menus based on Broadcast

       An Indirect entry also contains a host name or pattern, but follows it
       with a list of host names or macros to which indirect queries should be

       A macro definition contains a macro name and a list of host names and
       other macros that the macro expands to.  To distinguish macros from
       hostnames, macro names start with a `%' character.  Macros may be

       Indirect entries may also specify to have xdm run chooser to offer a
       menu of hosts to connect to.  See the section Chooser.

       When checking access for a particular display host, each entry is
       scanned in turn and the first matching entry determines the response.
       Direct and Broadcast entries are ignored when scanning for an Indirect
       entry and vice-versa.

       Blank lines are ignored, `#' is treated as a comment delimiter causing
       the rest of that line to be ignored, and `\newline' causes the newline
       to be ignored, allowing indirect host lists to span multiple lines.

       Here is an example Xaccess file:

       # Xaccess - XDMCP access control file

       # Direct/Broadcast query entries

       !xtra.lcs.mit.edu   # disallow direct/broadcast service for xtra
       bambi.ogi.edu       # allow access from this particular display
       *.lcs.mit.edu       # allow access from any display in LCS

       *.deshaw.com        NOBROADCAST         # allow only direct access
       *.gw.com                                # allow direct and broadcast

       # Indirect query entries

       %HOSTS              expo.lcs.mit.edu xenon.lcs.mit.edu \
                           excess.lcs.mit.edu kanga.lcs.mit.edu

       extract.lcs.mit.edu xenon.lcs.mit.edu   #force extract to contact xenon
       !xtra.lcs.mit.edu   dummy               #disallow indirect access
       *.lcs.mit.edu       %HOSTS              #all others get to choose

       If compiled with IPv6 support, multicast address groups may also be
       included in the list of addresses indirect queries are set to.
       Multicast addresses may be followed by an optional / character and hop
       count. If no hop count is specified, the multicast hop count defaults
       to 1, keeping the packet on the local network. For IPv4 multicasting,
       the hop count is used as the TTL.


       rincewind.sample.net ff02::1                 #IPv6 Multicast to ff02::1
                                                    #with a hop count of 1
       ponder.sample.net    CHOOSER  #Offer a menu of hosts
                                                    #who respond to IPv4 Multicast
                                                    # to with a TTL of 16

       For X terminals that do not offer a host menu for use with Broadcast or
       Indirect queries, the chooser program can do this for them.  In the
       Xaccess file, specify ``CHOOSER'' as the first entry in the Indirect
       host list.  Chooser will send a Query request to each of the remaining
       host names in the list and offer a menu of all the hosts that respond.

       The list may consist of the word ``BROADCAST,'' in which case chooser
       will send a Broadcast instead, again offering a menu of all hosts that
       respond.  Note that on some operating systems, UDP packets cannot be
       broadcast, so this feature will not work.

       Example Xaccess file using chooser:

       extract.lcs.mit.edu  CHOOSER %HOSTS          #offer a menu of these hosts
       xtra.lcs.mit.edu     CHOOSER BROADCAST       #offer a menu of all hosts

       The program to use for chooser is specified by the
       DisplayManager.DISPLAY.chooser resource.  For more flexibility at this
       step, the chooser could be a shell script.  Chooser is the session
       manager here; it is run instead of a child xdm to manage the display.

       Resources for this program can be put into the file named by

       When the user selects a host, chooser prints the host chosen, which is
       read by the parent xdm, and exits.  xdm closes its connection to the X
       server, and the server resets and sends another Indirect XDMCP request.
       xdm remembers the user's choice (for DisplayManager.choiceTimeout
       seconds) and forwards the request to the chosen host, which starts a
       session on that display.

       The following configuration directive is also defined for the Xaccess
       configuration file:

       LISTEN interface [list of multicast group addresses]
              interface may be a hostname or IP address representing a network
              interface on this machine, or the wildcard * to represent all
              available network interfaces.

       If one or more LISTEN lines are specified, xdm only listens for XDMCP
       connections on the specified interfaces. If multicast group addresses
       are listed on a listen line, xdm joins the multicast groups on the
       given interface.

       If no LISTEN lines are given, the original behavior of listening on all
       interfaces is preserved for backwards compatibility.  Additionally, if
       no LISTEN is specified, xdm joins the default XDMCP IPv6 multicast
       group, when compiled with IPv6 support.

       To disable listening for XDMCP connections altogther, a line of LISTEN
       with no addresses may be specified, or the previously supported method
       of setting DisplayManager.requestPort to 0 may be used.

       LISTEN * ff02::1    # Listen on all interfaces and to the
                           # ff02::1 IPv6 multicast group.
       LISTEN  # Listen only on this interface, as long
                           # as no other listen directives appear in
                           # file.

       The Internet Assigned Numbers Authority has has assigned
       ff0X:0:0:0:0:0:0:12b as the permanently assigned range of multicast
       addresses for XDMCP. The X in the prefix may be replaced by any valid
       scope identifier, such as 1 for Interface-Local, 2 for Link-Local, 5
       for Site-Local, and so on.  (See IETF RFC 4291 or its replacement for
       further details and scope definitions.)  xdm defaults to listening on
       the Link-Local scope address ff02:0:0:0:0:0:0:12b to most closely match
       the old IPv4 subnet broadcast behavior.

       The resource DisplayManager.servers gives a server specification or, if
       the values starts with a slash (/), the name of a file containing
       server specifications, one per line.

       Each specification indicates a display which should constantly be
       managed and which is not using XDMCP.  This method is used typically
       for local servers only.  If the resource or the file named by the
       resource is empty, xdm will offer XDMCP service only.

       Each specification consists of at least three parts:  a display name, a
       display class, a display type, and (for local servers) a command line
       to start the server.  A typical entry for local display number 0 would

         :0 Digital-QV local /usr/bin/X :0

       The display types are:

       local     local display: xdm must run the server
       foreign   remote display: xdm opens an X connection to a running server

       The display name must be something that can be passed in the -display
       option to an X program.  This string is used to generate the display-
       specific resource names, so be careful to match the names (e.g., use
       ``:0 Sun-CG3 local /usr/bin/X :0'' instead of ``localhost:0 Sun-CG3
       local /usr/bin/X :0'' if your other resources are specified as
       ``DisplayManager._0.session'').  The display class portion is also used
       in the display-specific resources, as the class of the resource.  This
       is useful if you have a large collection of similar displays (such as a
       corral of X terminals) and would like to set resources for groups of
       them.  When using XDMCP, the display is required to specify the display
       class, so the manual for your particular X terminal should document the
       display class string for your device.  If it doesn't, you can run xdm
       in debug mode and look at the resource strings which it generates for
       that device, which will include the class string.

       When xdm starts a session, it sets up authorization data for the
       server.  For local servers, xdm passes ``-auth filename'' on the
       server's command line to point it at its authorization data.  For XDMCP
       servers, xdm passes the authorization data to the server via the Accept
       XDMCP request.

       The Xresources file is loaded onto the display as a resource database
       using xrdb.  As the authentication widget reads this database before
       starting up, it usually contains parameters for that widget:

            xlogin*login.translations: #override\
                 Ctrl<Key>R: abort-display()\n\
                 <Key>F1: set-session-argument(failsafe) finish-field()\n\
                 <Key>Return: set-session-argument() finish-field()
            xlogin*borderWidth: 3
            xlogin*greeting: CLIENTHOST
            #ifdef COLOR
            xlogin*greetColor: CadetBlue
            xlogin*failColor: red

       Please note the translations entry; it specifies a few new translations
       for the widget which allow users to escape from the default session
       (and avoid troubles that may occur in it).  Note that if #override is
       not specified, the default translations are removed and replaced by the
       new value, not a very useful result as some of the default translations
       are quite useful (such as ``<Key>: insert-char ()'' which responds to
       normal typing).

       This file may also contain resources for the setup program and chooser.

       The Xsetup file is run after the server is reset, but before the Login
       window is offered.  The file is typically a shell script.  It is run as
       root, so should be careful about security.  This is the place to change
       the root background or bring up other windows that should appear on the
       screen along with the Login widget.

       In addition to any specified by DisplayManager.exportList, the
       following environment variables are passed:

            DISPLAY        the associated display name
            PATH           the value of DisplayManager.DISPLAY.systemPath
            SHELL          the value of DisplayManager.DISPLAY.systemShell
            XAUTHORITY     may be set to an authority file

       Note that since xdm grabs the keyboard, any other windows will not be
       able to receive keyboard input.  They will be able to interact with the
       mouse, however; beware of potential security holes here.  If
       DisplayManager.DISPLAY.grabServer is set, Xsetup will not be able to
       connect to the display at all.  Resources for this program can be put
       into the file named by DisplayManager.DISPLAY.resources.

       Here is a sample Xsetup script:

            # Xsetup_0 - setup script for one workstation
            xcmsdb < /etc/X11/xdm/monitors/alex.0
            xconsole -geometry 480x130-0-0 -notify -verbose -exitOnFail &

       The authentication widget prompts the user for the username, password,
       and/or other required authentication data from the keyboard.  Nearly
       every imaginable parameter can be controlled with a resource.
       Resources for this widget should be put into the file named by
       DisplayManager.DISPLAY.resources.  All of these have reasonable default
       values, so it is not necessary to specify any of them.

       The resource file is loaded with xrdb(1) so it may use the
       substitutions defined by that program such as CLIENTHOST for the client
       hostname in the login message, or C pre-processor #ifdef statements to
       produce different displays depending on color depth or other variables.

       Xdm can be compiled with support for the Xft(3) library for font
       rendering.   If this support is present, font faces are specified using
       the resources with names ending in ``face'' in the fontconfig face
       format described in the Font Names section of fonts.conf(5).  If not,
       then fonts are specified using the resources with names ending in
       ``font'' in the traditional X Logical Font Description format described
       in the Font Names section of X(7).

       xlogin.Login.width, xlogin.Login.height, xlogin.Login.x, xlogin.Login.y
              The geometry of the Login widget is normally computed
              automatically.  If you wish to position it elsewhere, specify
              each of these resources.

              The color used to display the input typed by the user.

              The face used to display the input typed by the user when built
              with Xft support.  The default is ``Serif-18''.

              The font used to display the input typed by the user when not
              built with Xft support.

              A string which identifies this window.  The default is ``X
              Window System.''

              When X authorization is requested in the configuration file for
              this display and none is in use, this greeting replaces the
              standard greeting.  The default is ``This is an unsecure

              The face used to display the greeting when built with Xft
              support.  The default is ``Serif-24:italic''.

              The font used to display the greeting when not built with Xft

              The color used to display the greeting.

              The string displayed to prompt for a user name.  Xrdb strips
              trailing white space from resource values, so to add spaces at
              the end of the prompt (usually a nice thing), add spaces escaped
              with backslashes.  The default is ``Login:  ''

              The string displayed to prompt for a password, when not using an
              authentication system such as PAM that provides its own prompts.
              The default is ``Password:  ''

              The face used to display prompts when built with Xft support.
              The default is ``Serif-18:bold''.

              The font used to display prompts when not built with Xft

              The color used to display prompts.

              A message which is displayed when the users password has
              expired.  The default is ``Password Change Required''

              A message which is displayed when the authentication fails, when
              not using an authentication system such as PAM that provides its
              own prompts.  The default is ``Login incorrect''

              The face used to display the failure message when built with Xft
              support.  The default is ``Serif-18:bold''.

              The font used to display the failure message when not built with
              Xft support.

              The color used to display the failure message.

              The number of seconds that the failure message is displayed.
              The default is 10.

              Name of an XPM format pixmap to display in the greeter window,
              if built with XPM support.   The default is no pixmap.

              Number of pixels of space between the logo pixmap and other
              elements of the greeter window, if the pixmap is displayed.  The
              default is 5.

              If set to ``true'', when built with XPM support, attempt to use
              the X Non-Rectangular Window Shape Extension to set the window
              shape.  The default is ``true''.

       xlogin.Login.hiColor, xlogin.Login.shdColor
              Raised appearance bezels may be drawn around the greeter frame
              and text input boxes by setting these resources.  hiColor is the
              highlight color, used on the top and left sides of the frame,
              and the bottom and right sides of text input areas.   shdColor
              is the shadow color, used on the bottom and right sides of the
              frame, and the top and left sides of text input areas.  The
              default for both is the foreground color, providing a flat

              frameWidth is the width in pixels of the area around the greeter
              frame drawn in hiColor and shdColor.

              innerFramesWidth is the width in pixels of the area around text
              input areas drawn in hiColor and shdColor.

              sepWidth is the width in pixels of the bezeled line between the
              greeting and input areas drawn in hiColor and shdColor.

              If set to ``false'', don't allow root (and any other user with
              uid = 0) to log in directly.  The default is ``true''.  This
              setting is only checked by some of the authentication backends
              at this time.

              If set to ``true'', allow an otherwise failing password match to
              succeed if the account does not require a password at all.  The
              default is ``false'', so only users that have passwords assigned
              can log in.

              If set to ``true'', a placeholder character (echoPasswdChar)
              will be shown for fields normally set to not echo, such as
              password input.  The default is ``false''.

              Character to display if echoPasswd is true.  The default is
              ``*''.  If set to an empty value, the cursor will advance for
              each character input, but no text will be drawn.

              This specifies the translations used for the login widget.
              Refer to the X Toolkit documentation for a complete discussion
              on translations.  The default translation table is:

                   Ctrl<Key>H:    delete-previous-character() \n\
                   Ctrl<Key>D:    delete-character() \n\
                   Ctrl<Key>B:    move-backward-character() \n\
                   Ctrl<Key>F:    move-forward-character() \n\
                   Ctrl<Key>A:    move-to-begining() \n\
                   Ctrl<Key>E:    move-to-end() \n\
                   Ctrl<Key>K:    erase-to-end-of-line() \n\
                   Ctrl<Key>U:    erase-line() \n\
                   Ctrl<Key>X:    erase-line() \n\
                   Ctrl<Key>C:    restart-session() \n\
                   Ctrl<Key>\\:   abort-session() \n\
                   <Key>BackSpace:delete-previous-character() \n\
                   <Key>Delete:   delete-previous-character() \n\
                   <Key>Return:   finish-field() \n\
                   <Key>:         insert-char() \

       The actions which are supported by the widget are:

              Erases the character before the cursor.

              Erases the character after the cursor.

              Moves the cursor backward.

              Moves the cursor forward.

              (Apologies about the spelling error.)  Moves the cursor to the
              beginning of the editable text.

              Moves the cursor to the end of the editable text.

              Erases all text after the cursor.

              Erases the entire text.

              If the cursor is in the name field, proceeds to the password
              field; if the cursor is in the password field, checks the
              current name/password pair.  If the name/password pair is valid,
              xdm starts the session.  Otherwise the failure message is
              displayed and the user is prompted again.

              Terminates and restarts the server.

              Terminates the server, disabling it.  This action is not
              accessible in the default configuration.  There are various
              reasons to stop xdm on a system console, such as when shutting
              the system down, when using xdmshell, to start another type of
              server, or to generally access the console.  Sending xdm a
              SIGHUP will restart the display.  See the section Controlling

              Resets the X server and starts a new session.  This can be used
              when the resources have been changed and you want to test them
              or when the screen has been overwritten with system messages.

              Inserts the character typed.

              Specifies a single word argument which is passed to the session
              at startup.  See the section Session Program.

              Disables access control in the server.  This can be used when
              the .Xauthority file cannot be created by xdm.  Be very careful
              using this; it might be better to disconnect the machine from
              the network before doing this.

       On some systems (OpenBSD) the user's shell must be listed in
       /etc/shells to allow login through xdm. The normal password and account
       expiration dates are enforced too.

       The Xstartup program is run as root when the user logs in.  It is
       typically a shell script.  Since it is run as root, Xstartup should be
       very careful about security.  This is the place to put commands which
       add entries to utmp or wtmp files, (the sessreg program may be useful
       here), mount users' home directories from file servers, or abort the
       session if logins are not allowed.

       In addition to any specified by DisplayManager.exportList, the
       following environment variables are passed:

            DISPLAY        the associated display name
            HOME           the initial working directory of the user
            LOGNAME        the user name
            USER           the user name
            PATH           the value of DisplayManager.DISPLAY.systemPath
            SHELL          the value of DisplayManager.DISPLAY.systemShell
            XAUTHORITY     may be set to an authority file
            WINDOWPATH     may be set to the "window path" leading to the X server

       No arguments are passed to the script.  Xdm waits until this script
       exits before starting the user session.  If the exit value of this
       script is non-zero, xdm discontinues the session and starts another
       authentication cycle.

       The sample Xstartup file shown here prevents login while the file
       /etc/nologin exists.  Thus this is not a complete example, but simply a
       demonstration of the available functionality.

       Here is a sample Xstartup script:

            # Xstartup
            # This program is run as root after the user is verified
            if [ -f /etc/nologin ]; then
                 xmessage -file /etc/nologin -timeout 30 -center
                 exit 1
            sessreg -a -l $DISPLAY -x /etc/X11/xdm/Xservers $LOGNAME
            exit 0

       The Xsession program is the command which is run as the user's session.
       It is run with the permissions of the authorized user.

       In addition to any specified by DisplayManager.exportList, the
       following environment variables are passed:

            DISPLAY        the associated display name
            HOME           the initial working directory of the user
            LOGNAME        the user name
            USER           the user name
            PATH           the value of DisplayManager.DISPLAY.userPath
            SHELL          the user's default shell (from getpwnam)
            XAUTHORITY     may be set to a non-standard authority file
            KRB5CCNAME     may be set to a Kerberos credentials cache name
            WINDOWPATH     may be set to the "window path" leading to the X server

       At most installations, Xsession should look in $HOME for a file
       .xsession, which contains commands that each user would like to use as
       a session.  Xsession should also implement a system default session if
       no user-specified session exists.

       An argument may be passed to this program from the authentication
       widget using the `set-session-argument' action.  This can be used to
       select different styles of session.  One good use of this feature is to
       allow the user to escape from the ordinary session when it fails.  This
       allows users to repair their own .xsession if it fails, without
       requiring administrative intervention.  The example following
       demonstrates this feature.

       This example recognizes the special ``failsafe'' mode, specified in the
       translations in the Xresources file, to provide an escape from the
       ordinary session.  It also requires that the .xsession file be
       executable so we don't have to guess what shell it wants to use.

            # Xsession
            # This is the program that is run as the client
            # for the display manager.

            case $# in
                 case $1 in
                      exec xterm -geometry 80x24-0-0


            if [ -f "$startup" ]; then
                 exec "$startup"
                 if [ -f "$resources" ]; then
                      xrdb -load "$resources"
                 twm &
                 xman -geometry +10-10 &
                 exec xterm -geometry 80x24+10+10 -ls

       The user's .xsession file might look something like this example.
       Don't forget that the file must have execute permission.
            #! /bin/csh
            # no -f in the previous line so .cshrc gets run to set $PATH
            twm &
            xrdb -merge "$HOME/.Xresources"
            emacs -geometry +0+50 &
            xbiff -geometry -430+5 &
            xterm -geometry -0+50 -ls

       Symmetrical with Xstartup, the Xreset script is run after the user
       session has terminated.  Run as root, it should contain commands that
       undo the effects of commands in Xstartup, updating entries in utmp or
       wtmp files, or unmounting directories from file servers.  The
       environment variables that were passed to Xstartup are also passed to

       A sample Xreset script:
            # Xreset
            # This program is run as root after the session ends
            sessreg -d -l $DISPLAY -x /etc/X11/xdm/Xservers $LOGNAME
            exit 0

       Xdm controls local servers using POSIX signals.  SIGHUP is expected to
       reset the server, closing all client connections and performing other
       cleanup duties.  SIGTERM is expected to terminate the server.  If these
       signals do not perform the expected actions, the resources
       DisplayManager.DISPLAY.resetSignal and
       DisplayManager.DISPLAY.termSignal can specify alternate signals.

       To control remote terminals not using XDMCP, xdm searches the window
       hierarchy on the display and uses the protocol request KillClient in an
       attempt to clean up the terminal for the next session.  This may not
       actually kill all of the clients, as only those which have created
       windows will be noticed.  XDMCP provides a more sure mechanism; when
       xdm closes its initial connection, the session is over and the terminal
       is required to close all other connections.

       Xdm responds to two signals: SIGHUP and SIGTERM.  When sent a SIGHUP,
       xdm rereads the configuration file, the access control file, and the
       servers file.  For the servers file, it notices if entries have been
       added or removed.  If a new entry has been added, xdm starts a session
       on the associated display.  Entries which have been removed are
       disabled immediately, meaning that any session in progress will be
       terminated without notice and no new session will be started.

       When sent a SIGTERM, xdm terminates all sessions in progress and exits.
       This can be used when shutting down the system.

       Xdm attempts to mark its various sub-processes for ps(1) by editing the
       command line argument list in place.  Because xdm can't allocate
       additional space for this task, it is useful to start xdm with a
       reasonably long command line (using the full path name should be
       enough).  Each process which is servicing a display is marked -display.

       To add an additional local display, add a line for it to the Xservers
       file.  (See the section Local Server Specification.)

       Examine the display-specific resources in xdm-config (e.g.,
       DisplayManager._0.authorize) and consider which of them should be
       copied for the new display.  The default xdm-config has all the
       appropriate lines for displays :0 and :1.

       You can use xdm to run a single session at a time, using the 4.3 init
       options or other suitable daemon by specifying the server on the
       command line:

            xdm -server “:0 SUN-3/60CG4 local /usr/bin/X :0”

       Or, you might have a file server and a collection of X terminals.  The
       configuration for this is identical to the sample above, except the
       Xservers file would look like

            extol:0 VISUAL-19 foreign
            exalt:0 NCD-19 foreign
            explode:0 NCR-TOWERVIEW3000 foreign

       This directs xdm to manage sessions on all three of these terminals.
       See the section Controlling Xdm for a description of using signals to
       enable and disable these terminals in a manner reminiscent of init(8).

       One thing that xdm isn't very good at doing is coexisting with other
       window systems.  To use multiple window systems on the same hardware,
       you'll probably be more interested in xinit.

                           the default configuration file

       $HOME/.Xauthority   user authorization file where xdm stores keys for
                           clients to read

                           the default chooser

       /usr/bin/xrdb       the default resource database loader

       /usr/bin/X          the default server

       /usr/bin/xterm      the default session program and failsafe client

                           the default place for authorization files

       /tmp/K5C<display>   Kerberos credentials cache

       X(7), xinit(1), xauth(1), xrdb(1), Xsecurity(7), sessreg(1),
       Xserver(1), xdmshell(1), fonts.conf(5).
       X Display Manager Control Protocol
       IETF RFC 4291: IP Version 6 Addressing Architecture.

       Keith Packard, MIT X Consortium

X Version 11                      xdm 1.1.11                            XDM(1)