XDMCP access control

The file specified by the AccessFile option provides information which kdm uses to control access from displays requesting service via XDMCP. The file contains four types of entries: entries which control the response to Direct and Broadcast queries, entries which control the response to Indirect queries, macro definitions, and entries which control on which network interfaces kdm listens for XDMCP queries. Blank lines are ignored, # is treated as a comment delimiter causing the rest of that line to be ignored, and \ causes an immediately following newline to be ignored, allowing host lists to span multiple lines.

The format of the Direct entries is simple: either a host name or a pattern, which is compared against the host name of the display device. Alternatively, a macro may be used to make the entry match everything the macro expands to. Patterns are distinguished from host names by the inclusion of one or more meta characters; * matches any sequence of 0 or more characters, and ? matches any single character. If the entry is a host name, all comparisons are done using network addresses, so any name which converts to the correct network address may be used. Note that only the first network address returned for a host name is used. For patterns, only canonical host names are used in the comparison, so ensure that you do not attempt to match aliases. Host names from XDMCP queries always contain the local domain name even if the reverse lookup returns a short name, so you can use patterns for the local domain. Preceding the entry with a ! character causes hosts which match that entry to be excluded. Preceding it with an = has no effect but is required when specifying a macro to distinguish the entry from a macro definition. To respond only to Direct queries for a host or pattern, follow it with the optional NOBROADCAST keyword. This can be used to prevent a kdm server from appearing on menus based on Broadcast queries.

An Indirect entry also contains a host name, pattern or macro, but follows it with a list of host names or macros to which the queries should be forwarded. Indirect entries can also be exclusions, in which case a (valid) dummy host name must be supplied to make the entry distinguishable from a Direct entry. If compiled with IPv6 support, multicast address groups may also be included in the list of addresses the queries are forwarded to. If the indirect host list contains the keyword CHOOSER, Indirect queries are not forwarded, but instead a host chooser dialog is displayed by kdm. The chooser will send a Direct query to each of the remaining host names in the list and offer a menu of all the hosts that respond. The host list may contain the keyword BROADCAST, to make the chooser send a Broadcast query as well; note that on some operating systems, UDP packets cannot be broadcast, so this feature will not work.

When checking access for a particular display host, each entry is scanned in turn and the first matching entry determines the response. Direct and Broadcast entries are ignored when scanning for an Indirect entry and vice versa.

A macro definition contains a macro name and a list of host names and other macros that the macro expands to. To distinguish macros from hostnames, macro names start with a % character.
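An added example, not part of the kdm documentation or source: a Python sketch of the first-match rule for Direct and Broadcast queries, run over a constructed access file, useful for checking that an exclusion sits above the wildcard it is meant to override. The function names, the host names and the refusal when nothing matches are assumptions of this sketch, and host-name entries are compared as strings here, whereas kdm compares network addresses.

```python
import re

# Constructed sample access file (host names are placeholders).
SAMPLE = r"""
%ADMINS  admin1.example.org \
         admin2.example.org
!kiosk.lab.example.org          # must precede the wildcard below
=%ADMINS                        # macro used as a Direct entry
*.lab.example.org NOBROADCAST   # answered only for Direct queries
*.example.org CHOOSER BROADCAST # Indirect entry, ignored for Direct
LISTEN 192.0.2.10
"""

def logical_lines(text):
    """Yield token lists: join continuations, drop # comments and blanks."""
    for line in text.replace("\\\n", " ").splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield tokens

def expand(name, macros, seen=()):
    """Recursively expand a %macro into the entries it stands for."""
    if not name.startswith("%"):
        return [name]
    if name in seen:                      # guard against macro loops
        return []
    return [e for m in macros.get(name, [])
            for e in expand(m, macros, seen + (name,))]

def matches(entry, host):
    """'*' matches any run of characters, '?' exactly one character."""
    rx = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host) is not None

def direct_access(text, host, broadcast=False):
    """Return True if the first matching Direct entry admits `host`."""
    macros = {}
    for head, *rest in logical_lines(text):
        if head == "LISTEN":
            continue
        if head.startswith("%"):          # macro definition
            macros[head] = rest
            continue
        if any(t != "NOBROADCAST" for t in rest):
            continue                      # has a host list: Indirect entry
        deny, target = head.startswith("!"), head.lstrip("!=")
        if any(matches(e, host) for e in expand(target, macros)):
            return not deny and not (broadcast and "NOBROADCAST" in rest)
    return False                          # assumption: no match is refused
```

Moving the `!kiosk.lab.example.org` line below `*.lab.example.org` in the sample makes the exclusion unreachable, which is the ordering mistake this check is meant to surface.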

The last entry type is the LISTEN directive. The formal syntax is

 LISTEN [interface [multicast list]]

If one or more LISTEN lines are specified, kdm listens for XDMCP requests only on the specified interfaces. interface may be a hostname or IP address representing a network interface on this machine, or the wildcard * to represent all available network interfaces. If multicast group addresses are listed on a LISTEN line, kdm joins the multicast groups on the given interface. For IPv6 multicasts, the IANA has assigned ff0X:0:0:0:0:0:0:12b as the permanently assigned range of multicast addresses for XDMCP. The X in the prefix may be replaced by any valid scope identifier, such as 1 for Node-Local, 2 for Link-Local, 5 for Site-Local, and so on (see IETF RFC 2373 or its replacement for further details and scope definitions). kdm defaults to listening on the Link-Local scope address ff02:0:0:0:0:0:0:12b to most closely match the IPv4 subnet broadcast behavior. If no LISTEN lines are given, kdm listens on all interfaces and joins the default XDMCP IPv6 multicast group (when compiled with IPv6 support). To disable listening for XDMCP requests altogether, a LISTEN line with no addresses may be specified, but using the [Xdmcp] Enable option is preferred.