Chapter 7
X Display Manager Control Protocol
Version 1.0
X Consortium Standard
X Version 11, Release 6
Keith Packard
X Consortium
Laboratory for Computer Science
Massachusetts Institute of Technology
ABSTRACT
- Since the X Display Manager (xdm) may be used to manage remote displays (such as X
terminals), a protocol for requesting service over the network is needed. Since the
display manager is a scarce resource, the X Display Manager Control Protocol (also called
XDMCP) is designed to use unreliable datagrams and places the bulk of the burden for
sequencing and retransmission on the display. A standard byte order and synchronous
responses reduces the complexity of the protocol.
Copyright © 1989 X Consortium
The above copyright notice and this permission notice shall be included in all copies
or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of the X Consortium shall not be used in
advertising or otherwise to promote the sale, use or other dealings in this Software
without prior written authorization from the X Consortium.
X Window System is a trademark of X Consortium, Inc.
7.1.PURPOSE AND GOALS
The purpose of XDMCP is to provide a uniform mechanism for an autonomous display to
request login service from a remote host. By "autonomous" we mean the display
consists of hardware and processes that are independent of any particular host where login
service is desired. (For example, the server cannot simply be started by a fork/exec
sequence on the host.) An "X terminal" (screen, keyboard, mouse, processor,
network interface) is a prime example of an autonomous display.
From the point of view of the end user, it is very important to make autonomous displays
as easy to use as traditional hardwired character terminals. Specifically, you can
typically just power on a hardwired terminal, and be greeted with a login prompt. The same
should be possible with autonomous displays. However, in a network environment with
multiple hosts, the end user may want to choose which host(s) to connect to. In an
environment with many displays and many hosts, a site administrator may want to associate
particular collections of hosts with particular displays. We would like to support the
following options:
- The display has a "hardwired" host that it should connect to. It should be possible to "power on" the display and receive a login prompt, without user intervention.
- Any one of several hosts on a (sub)net may be acceptable for accepting login from the display. (For example, the user's file systems can be mounted onto any such host, providing comparable environments.) It should be possible for the display to "broadcast" to find such hosts, and to have the display either automatically choose a host, or present the possible hosts to the user for selection.
- The display has a fixed set of hosts that it can connect to. It should be possible for the display to have that set "wired in", but it should also be possible for a site administrator to be able to maintain host sets for a large number of displays using a centralized facility, without having to interact (physically or electronically) with each individual display. Particular hosts should be allowed to refuse login service, based on whatever local criteria are desired.
The control protocol should be designed in such a way that it can be used over a
reasonable variety of communication transport layers. In fact, it is quite desirable if
every major network protocol family that supports the standard X protocol is also capable
of supporting XDMCP, since the end result of XDMCP negotiation will be standard X protocol
connections to the display. However, since the number of displays per host may be large, a
connection-based protocol appears less desirable than a connection-less protocol.
In order to keep the burden on displays at a minimum (since display cost is not a factor
that can be ignored), it is desirable that displays not be required to maintain permanent
state (across power cycles) for the purposes of the control protocol, and it is desirable
to keep required state at a minimum while the display is powered on.
Security is an important consideration, and must be an integral part of the design. The
important of security goals in the context of XDMCP are:
- It should be possible for the display to verify that it is communicating with a legitimate host login service. Since the user will present credentials (e.g. password) to this service, it is important to avoid spoof attacks.
- It should be possible for the display and the login service to negotiate the authorization mechanism to be used for the standard X protocol.
- It should be possible to provide the same level of security in verifying the login service as is provided by the negotiated authorization mechanism.
- Since there are no firm standards yet in the area of security, XDMCP must be flexible enough to accommodate a variety of security mechanisms.
7.2 OVERVIEW OF THE PROTOCOL
XDMCP is designed to provide authenticated access to display management services for
remote displays. A new network server, called a Display Manager will use XDMCP to
communicate with displays to negotiate the startup of X sessions. The protocol allows the
display to authenticate the manager. It also allows most of the configuration information
to be centralized with the manager, to ease the burden of system administration in a large
network of displays. The essential goal is to provide plug-and-play services similar to
those provided in the familiar mainframe/terminal world.
Displays may be turned off by the user at any time. Any existing session running on a
display which has been turned off must be identifiable. This is made possible by requiring
a three-way handshake to start a session. If the handshake succeeds, any existing session
is terminated immediately and a new session started. There is the problem (at least with
TCP) that connections may not be closed when the display is turned off. In most
environments, the manager should reduce this problem by periodically XSync'ing on its own
connection, perhaps every five to ten minutes, and terminating the session if its own
connection ever closes.
Displays should not be required to retain permanent state for purposes of the control
protocol. One solution to packets received out of sequence would be to use
monotonically-increasing message identifiers in each message to allow both sides to ignore
messages which arrive out-of-sequence. For this to work, displays would at a minimum have
to increment a stable "crash count" each time they are powered on, and use that
number as part of a larger sequence number. But if displays cannot retain permanent state
this cannot work. Instead, the manager assumes the responsibility for permanent state by
generating unique numbers which identify a particular session and the protocol simply
ignores packets which correspond to an invalid session.
The Manager must not be responsible for packet reception. To prevent the Manager from
becoming stuck because of a hostile display, no portion of the protocol requires the
Manager to retransmit a packet. Part of this means that any valid packet which the Manager
does receive must be acknowledged in some way, to prevent the display from continuously
resending packets. The display can keep the protocol running as it will always know when
the Manager has received (at least one copy of) a packet. On the Manager side, this means
that any packet may be received more than once (if the response was lost) and duplicates
must be ignored.
7.3 DATATYPES
XDMCP packets contain several types of data. Integer values are always stored most
significant byte first in the packet ("Big Endian" order). As XDMCP will not be
used to transport large quantities of data, this restriction will not substantially hamper
the efficiency of any implementation. Also, no padding of any sort will occur within the
packets.
| Type Name |
Length
(in bytes) |
Description |
| CARD8 |
1 |
A single byte unsigned integer |
| CARD16 |
2 |
Two byte unsigned integer |
| CARD32 |
4 |
Four byte unsigned integer |
| ARRAY8 |
n+2 |
This is actually a CARD16 followed by a collection of CARD8. The value of
the CARD16 field (n) specifies the number of CARD8 values to follow |
| ARRAY16 |
2*m+1 |
This is a CARD8 (m) which specifies the number of CARD16 values to follow |
| ARRAY32 |
4*l+1 |
This is a CARD8 (l) which specifies the number of CARD32 values to follow |
| ARRAYofARRAY8 |
? |
This is a CARD8 which specifies the number of ARRAY8 values to follow. |
7.4 PACKET FORMAT
All XDMCP packets have the following information:
Length in
Bytes |
Field
Type |
Description field |
|
2
2
2 |
CARD16
CARD16
CARD16 |
version number
opcode
n = length of remaining data in bytes |
packet header |
| n |
??? |
packet-specific data |
|
The fields are as follows:
- Version Number
- This specifies the version of XDMCP that generated this packet in case changes in this
protocol are required. Displays and managers may choose to support older versions for
compatibility. This field will initially be 1.
- Opcode
- This specifies what step of the protocol this packet represents and should contain one
of the following values (encoding provided in section below): BroadcastQuery, Query,
IndirectQuery, ForwardQuery, Willing, Unwilling, Request, Accept, Decline, Manage,
Refuse, Failed, KeepAlive, Alive.
- Length of data in bytes
- This specifies the length of the information following the first 6 bytes. Each
packet-type has a different format, and will need to be separately length-checked against
this value. As every data item has either an explicit length, or an implicit length, this
can be easily accomplished. Packets that have too little or too much data should be
ignored.
- Packets should be checked to make sure that they satisfy the following conditions:
- They must contain valid opcodes.
- The length of the remaining data should correspond to the sum of the lengths of the
individual remaining data items.
- The opcode should be expected (a finite state diagram is given in a later section).
- If the packet is of type Manage or Refuse, the Session ID should match the
value sent in the preceding Accept packet.
7.5 PROTOCOL
Each of the opcodes is described below. Since a given packet type is only ever sent one
way, each packet description below indicates the direction. Most of the packets have
additional information included beyond the description above. The additional information
is appended to the packet header in the order described without padding, and the length
field is computed accordingly.
- Query
BroadcastQuery
IndirectQuery
- Display
Manager
Additional Fields:
- Authentication Names: ARRAYofARRAY8
- A list of authentication names which the display supports. The manager will choose one
of these and return it in the Willing packet.
- Semantics:
- A Query packet is sent from the display to a specific host to ask if that host is
willing to provide management services to this display. The host should respond with Willing
if it is willing to service the display or Unwilling if it is not.
A BroadcastQuery packet is similar to the Query packet except that it is
intended to be received by all hosts on the network (or sub-network). However, unlike Query
requests, hosts that are not willing to service the display should simply ignore BroadcastQuery
requests.
An IndirectQuery packet is sent to a well-known manager which forwards the request
to a larger collection of secondary managers using ForwardQuery packets. In this
way, the collection of managers which respond can be grouped on other than network
boundaries; the use of a central manager reduces system administrative overhead. The
primary manager may also send a Willing packet in response to this packet.
- Each packet type has slightly different semantics:
- The Query packet is destined only for a single host. If the display is instructed
to Query multiple managers, it will send multiple Query packets. The Querypacket
also demands a response from the manager, either Willing or Unwilling.
The BroadcastQuery packet is sent to many hosts. Each manager which receives this
packet will not respond with an Unwilling packet.
The IndirectQuery packet is sent to only one manager, with the request that the
request be forwarded to a larger list of managers using ForwardQuery packets. This
list is expected to be maintained at one central site to reduce administrative overhead.
The function of this packet type is similar to BroadcastQuery except that BroadcastQueryis
not forwarded.
- Valid Responses:
- Willing, Unwilling
- Problems/Solutions:
- Problem:
- Not all managers receive the query packet.
- Indication:
- none if BroadcastQuery or IndirectQuery was sent, else failure to receive Willing.
- Solution:
- Repeatedly send the packet while waiting for user to choose a manager.
- Timeout/Retransmission policy:
- An exponential backoff algorithm should be used here to reduce network load for
long-standing idle displays. Start at 2 seconds, back off by factors of 2 to 32 seconds
and discontinue retransmit after 126 seconds. The display should reset the timeout when
user-input is detected. In this way, the display will "wakeup" when touched by
the user.
- ForwardQuery
- Primary Manager Secondary Manager
Additional Fields:
- Client Address: ARRAY8
- The network address of the client display.
- Client Port: ARRAY8
- An identification of the client task on the client display.
- Authentication Names: ARRAYofARRAY8
- This is a duplicate of Authentication Names array which was received in the IndirectQuery
packet.
- Semantics:
- When primary manager receives a IndirectQuery packet, it is responsible for
sending ForwardQuery packets to an appropriate list of managers which can provide
service to the display using the same network type as the one the original IndirectQuery
packet was received from. The Client Address and Client Port fields must contain an
address which the secondary manager can use to reach the display also using this same
network. Each secondary manager sends a Willing packet to the display if it is
willing to provide service.
ForwardQuery packets are similar to BroadcastQuery packets in that managers
which are not willing to service particular displays should not send a Unwilling
packet.
- Valid Responses:
- Willing
- Problems/Solutions:
- Identical to BroadcastQuery
- Timeout/Retransmission policy:
- Like all packets sent from a manager, this packet should never be retransmitted.
- Willing
- Manager Display
- Additional Fields:
- Authentication Name: ARRAY8
- This specifies the authentication method, selected from the list offered in the Query,
BroadcastQuery or IndirectQuery packet that the manger expects the display
to use in the subsequent Recquest packet. This choice should remain as constant as
feasible so that displays which send multiple Query packets can use the
Authentication Name from any Willing packet which arrives.
The display is free to ignore managers which request an insufficient level of
authentication.
- Hostname: ARRAY8
- A human readable string describing the host from which the packet was sent. The protocol
specifies no interpretation of the data in this field.
- Status: ARRAY8
- A human readable string describing the "status" of the host. This could
include load average/number of users connected or other information. The protocol
specifies no interpretation of the data in this field.
- Semantics:
- A Willing packet is sent by managers that may service connections from this
display. It is sent in response to either a Query, BroadcastQuery or ForwardQuery
but does not imply a commitment to provide service (e.g. it may later decide that it has
accepted enough connections already).
- Problems/Solutions:
- Problem:
- Willing not received by the display.
Indication:
- none if BroadcastQuery or IndirectQuery was sent, else failure to receive Willing.
- Solution:
- The display should continue to send the query until a response is received.
- TimeoutlRetransmission policy:
- Like all packets sent from the manager to the display, this packet should never be
retransmitted.
- Unwilling
- Manager Display
Additional Fields:
- The same fields as in the Willing packet. The Status field should indicate to the
user a reason for the refusal of service.
- Semantics:
- An Unwilling packet is sent by managers in response to direct Query
requests (as opposed to BroadcastQuery or IndirectQuery requests) if the
manager will not accept requests for management. This is typically sent by managers that
wish to only service particular displays or which handle a limited number of displays at
once.
- Problems/Solutions:
- Problem:
- Unwilling not received by the display.
Indication:
- Display fails to receive Unwilling.
- Solution:
- The display should continue to send Query messages until a response is received.
- Timeout/Retransmission policy:
- Like all packets sent from the manager to the display, this packet should never be
retransmitted.
- Request
- Display Manager
Additional Fields:
- Display Number: CARD16
- The index of this particular server for the host on which the display is resident. This
value will be zero for most autonomous displays.
- Connection Types: ARRAY16
- An array indicating the stream services accepted by the display. If the high-order byte
in a particular entry is zero, the low-order byte corresponds to an X-protocol host family
type.
- Connection Addresses: ARRAY of ARRAY8
- For each connection type in the previous array, the corresponding entry in this array
indicates the network address of the display device.
- Authentication Name: ARRAY8
- Authentication Data: ARRAY8
- This specifies the authentication protocol that the display expects the manager to
validate itself with. The Authentication Data is expected to contain data which the
manager will interpret, modify and use to authenticate itself.
- Authorization Names: ARRAY of ARRAY8
- This array specifies which types of authorization the display supports. The manager may
decide to reject displays with which it cannot perform authorization.
- Manufacturer Display ID: ARRAY8
- This field can be used by the manager to determine how to decrypt the Authentication
Data field in this packet. See Section 7.10, Manufacturer Display ID Format.
- Semantics:
- A Request packet is sent by a display to a specific host to request a session id
in preparation for a establishing a connection. If the manager is willing to service a
connection to this display, it should return an Accept packet with a valid session
id and should be ready for a subsequent Manage request. Otherwise, it should return a Decline
packet.
- Valid Responses:
- Accept, Decline
- Problems/Solutions:
- Problem:
- Request not received by manager.
Indication:
- Display timeout waiting for response.
- Solution:
- Display resends Request message.
- Problem:
- Message received out of order by manager.
Indication:
- none
- Solution:
- Each time a Request is sent, the manager sends the Session ID associated with the
next session in the Acknowledge. If that next session is not yet started, the
manager will simply resend with the same Session ID. If the session is in progress, the
manager will reply with a new Session ID; in which case, the Acknowledge will be
discarded by the display.
- Timeout/Retransmission policy:
- Timeout after 2 seconds, exponential backoff to 32 seconds. After no more than 126
seconds, give up and report an error to the user.
- Accept
- Manager Display
- Additional Fields:
- Session ID: CARD32
- This identifies the session which can be started by the manager.
- Authentication Name: ARRAY8
- Authentication Data: ARRAY8
- This data is sent back to the display to authenticate the manager. If the Authentication
Data is not the value expected by the display, it should terminate the protocol at this
point and display an error to the user.
- Authorization Name: ARRAY8
- Authorization Data: ARRAY8
- This data is sent to the display to indicate the type of authorization the manager will
be using in the first XOpenDisplay request after the Manage packet is received.
- Semantics:
- An Accept packet is sent by a manager in response to a Request packet if
the manager is willing to establish a connection for the display. The Session ID is used
to identify this connection from any preceding ones and will be used by the display in its
Subsequent Manage packet. The Session ID is a 32 bit number which is incremented
each time an Accept packet is sent as it must be reasonably unique over a long
period of time.
If the authentication information is invalid, a Decline packet will be returned
with an appropriate Status message.
- Problems/Solutions:
- Problem:
- Accept or Decline not received by display.
Indication:
- Display timeout waiting for response to Request.
- Solution:
- Display resends Request message.
- Problem:
- Message received out of order by display.
Indication:
- Display receives Accept after Manage has been sent.
- Solution:
- Display discards Accept messages after it has sent a Manage message.
- Timeout/Retransmission policy:
- Like all packets sent from the manager to the display, this packet should never be
retransmitted.
- Decline
- Manager Display
Additional Fields:
- Status: ARRAY8
- This is a human readable string indicating the reason for refusal of service.
- Authentication Name: ARRAY8
- Authentication Data: ARRAY8
- This data is sent back to the display to authenticate the manager. If the Authentication
Data is not the value expected by the display, it should terminate the protocol at this
point and display an error to the user.
- Semantics:
- A Decline packet is sent by a manager in response to a Request packet if
the manager is unwilling to establish a connection for the display. This is allowed even
if the manager had responded Willing to a previous query.
- Problems/Solutions:
- same as for Accept.
- Timeout/Retransmission policy:
- Like all packets sent from a manager to a display, this packet should never be
retransmitted.
- Manage
- Display Manager
Additional Fields:
- Session ID: CARD32
- This field should contain the non-zero session id returned in the Accept packet.
- Display Number: CARD16
- This field must match the value sent in the previous Request packet.
- Display Class: ARRAY8
- This array specifies the class of the display. Please refer to Section 7.9, Display Class Format which discusses the format of this field.
- Semantics:
- A Manage packet is sent by a display to ask the manager to begin a session on the
display. If the Session ID is correct the manager should open a connection, otherwise it
should respond with a Refuse or Failed packet, unless the Session ID matches
a currently running session, or a session which has not yet successfully opened the
display but has not given up the attempt. In this latter case, the Manage packet
should be ignored. This will work as stream connections give positive success indication
to both halves of the stream, and positive failure indication to the connection initiator
(which will eventually generate a Failed packet).
- Valid Responses:
- X connection with correct auth info, Refuse, Failed.
- Problems/Solutions:
- Problem:
- Manage not received by manager.
Indication:
- Display timeout waiting for response.
- Solution:
- Display resends Manage message.
- Problem:
- Manage received out of order by manager.
Indication:
- session already in progress with matching Session ID.
- Solution:
- Manage packet ignored.
- Indication:
- Session ID doesn't match next Session ID
- Solution:
- Refuse message is sent.
- Problem:
- Display cannot be opened on selected stream.
Indication:
- open display fails.
- Solution:
- Failed message is sent including a human readable reason.
- Problem:
- Display open does not succeed before a second manage packet is received because of a
timeout occurring in the display.
Indication:
- Manage packet received with Session ID matching the session attempting to connect
to the display.
- Solution:
- Manage packet is ignored. As the stream connection will either succeed, which
will result in an active session, or the stream will eventually give up hope of connecting
and send a Failed packet, no response to t is Manage packet is necessary.
- Timeout/Retransmission policy:
- Timeout after 2 seconds, exponential backoff to 32 seconds. After no more than 126
seconds, give up and report an error to the user.
- Refuse
- Manager Display
Additional Fields:
- Session ID:
- This field should be set to the Session ID received in the Manage packet.
- Semantics:
- A Refuse packet is sent by a manager when the Session ID received in the Manage
packet does not match the current Session ID. The display should assume that it received
an old Accept packet and should resend its Request packet.
- Problems/Solutions:
- Problem:
- Error message is lost.
Indication:
- display times out waiting for OpenDisplay, Refuse or Failed.
- Solution:
- display resends Manage message.
- Timeout/Retransmission policy:
- Like all packets sent from a manager to a display, this packet should never be
retransmitted.
- Failed
- Manager Display
Additional Fields:
- Session ID: CARD32
- This field should be set to the Session ID received in the Manage packet.
- Status: ARRAY8
- A human readable string indicating the reason for failure.
- Semantics:
- A Failed packet is sent by a manager when it has problems establishing the
initial X connection in response to the Manage packet.
- Problems/Solutions
- Same as for Refuse.
- KeepAlive
- Display Manager
Additional Fields:
- Display Number: CARD16
- Set to the display index for the display host.
- Sess ion ID: CARD32
- This field should be set to the Session ID received in the Manage packet during
the negotiation for the current session.
- Sematics:
- A KeepAlive packet can be sent at any time during the session by a display to
discover if the manager is running. The manager should respond with Alive whenever
it receives this type of packet.
This allows the display to discover when the manager host is no longer running. A display
is not required to send KeepAlive packets, and, upon lack of receipt of Alive
packets, is not required to perform any specific action.
The expected use of this packet is to terminate an active session when the manager host or
network link fails. The display should keep track of the time since any packet has been
received from the manager host and use KeepAlive packets when a substantial time
has elapsed since the most recent packet.
- Valid Responses:
- Alive
- ProblemSolutions:
- Problem:
- Manager doesn't receive the packet or display doesn't receive the response.
Indication:
- No Alive packet returned
- Solution:
- Retransmit the packet with an exponential backoff; start at 2 seconds and assume the
host is not up after no less than 30 seconds.
- Alive
- Manager Display
Additional Fields:
- Session Running: CARD8
- This field indicates that the session indicated by Session ID is currently active. The
value is 0 if no session is active, 1 if a session is active.
- Session ID: CARD32
- The ID of the currently running session; if any. When no session is active this field
should be zero.
- Semantics:
- An Alive packet is sent in response to a KeepAliverequest. If a session is
currently active on the display, the manager includes the Session ID in the packet. The
display can use this information to determine the status of the manager.
7.6 SESSION TERMINATION
When the session is over, the initial connection with the display (the one which ack's
the Manage packet) will be closed by the manager. If only a single session was
active on the display, all other connections should be closed by the display and the
display should be reset. If multiple sessions are active simultaneously, and the display
can identify which connections belong to the terminated session, those connections should
be closed. Otherwise all connections should be closed and the display reset only when all
sessions have been terminated (i.e. all initial connections closed).
The session may also be terminated at any time by the display if the managing host no
longer responds to KeepAlive packets. The exact time-outs for sending KeepAlive
packets is not specified in this protocol as the trade off should not be fixed between
loading an otherwise idle system with spurious KeepAlive packets and not noticing
that the manager host is down for a long time.
7.7 STATE DIAGRAMS
These state diagrams are designed to cover all actions of both the display and the
manager. Any packet which is received out-of-sequence will be ignored.
Display:
- start:
- user-requested connect to one host query
user-requested connect to some host broadcast
user-requested connect to site host-list
indirect
- query:
- Send Query packet
collect-query
- collect-query:
- receive willing start-connection
receive Unwilling stop-connection
timeout query
- broadcast:
- Send BroadcastQuery packet
collect-broadcast-query
- collect-broadcast- query:
- receive Willing update-broadcast-willing
user-requested connect to one host start-connection
timeout broadcast
- update-broadcast-willing:
- Add new host to the host list presented to the user.
collect- broadcast-query
- indirect:
- Send IndirectQuery packet
collect- indirect-query
- collect- indirect-query:
- receive Unwilling update-indirect-willing
user-requested connect to one host start-connection
timeout indirect
- update-indirect-willing:
- Add new host to the host list presented to the user.
collect-indirect-query
- start-connection:
- Send Request packet
await- request-response
- await- request - response:
- receive Accept manage
receive
Decline stop-connection
timeout start-connection
- manage:
- Save Session ID
Send Manage packet with Session ID
await-manage-response
- await-manage-response
- receive XOpenDisplay: run-session
receive Refuse with matching Session ID start-connection
receive Failed with matching Session ID stop-connection
timeout manage
- stop-connection:
- Display cause of termination to user
start
- run-session:
- Decide to send KeepAlive packet keep-alive
await close of first display connection
reset-display
- keep-alive:
- send KeepAlive packet with current Session ID
await-alive
- await-alive:
- Receive Alive with matching Session ID run-session
Receive Alive with non-matching Session ID or FALSE Session Running reset-display
Final Timeout without receiving Alive packet reset-display
timeout keep-alive
- reset-display:
- (if possible) close all display
connections associated with this session
last session close all display connections
start
Manager:
- idle:
- receive Query query-respond
receive BroadcastQuery broadcast-respond
receive IndirectQuery indirect-respond
receive ForwardQuery forward-respond
receive Request request-respond
receive Manage manage
an active session terminates finish-session
receive KeepAlive send-alive
idle
- query-respond:
- if willing to manage send-willing
send-unwilling
- broadcast-respond:
- if willing to manage send-willing
idle
- indirect-respond:
- Send ForwardQuery packets to all managers on redirect list.
if willing to manage send-willing
idle
- forward -respond:
- Decode destination address, if willing to manage send-willing
idle
- send-willing:
- Send Willing packet
idle
- send-unwilling:
- Send Unwilling packet
idle
- request-respond:
- if manager is willing to allow a session on display accept-session
decline-session
- accept-session:
- Generate Session ID. Save Session ID, display address and display number somewhere
Send Accept packet
idle
- decline-session:
- Send Decline packet
idle
- manage:
- If Session ID matches saved Session ID run-session
If Session ID matches Session ID of session in process of starting up, or currently
active session idle
refuse
- refuse:
- Send Refuse packet
idle
- run-session:
- Terminate any session in progress
XOpenDisplay
open display succeeds start-session
failed
- failed:
- send Failed packet
idle
- start-session:
- Start a new session
idle
- fifinish-session:
- XCloseDisplay
idle
- send-alive:
- Send Alive packet containing current status.
idle
7.8 PROTOCOL ENCODING
When XDMCP is implemented on top of UDP (the Internet User Datagram Protocol), port
number 177 is to be used.
The version number in all packets will be 1.
Packet opcodes are 16 bit integers.
| Packet Name |
Encoding |
| BroadcastQuery |
1 |
| Query |
2 |
| IndirectQuery |
3 |
| ForwardQuery |
4 |
| Willing |
5 |
| Unwilling |
6 |
| Request |
7 |
| Accept |
8 |
| Decline |
9 |
| Manage |
10 |
| Refuse |
11 |
| Failed |
12 |
| Alive |
13 |
| KeepAlive |
14 |
Per packet information follows:
- Query
BroadcastQuery
IndirectQuery
- These packets are identical except for the opcode field.
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Query,BroadcastQuery or IndirectQuery) |
| 2 |
CARD16 |
length |
| 1 |
CARD8 |
number of Authentication Names sent (m) |
| 2 |
CARD16 |
length of first Authentication Name (m1) |
| m1 |
CARD8 |
first Authentication Name |
| . . . |
|
Other Authentication Names |
ForwardQuery
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always ForwardQuery) |
| 2 |
CARD16 |
length |
| 2 |
CARD16 |
length of Client Address (m) |
| m |
CARD8 |
Client Address |
| 2 |
CARD16 |
length of Client Port (n) |
| n |
CARD8 |
Client Port |
| 1 |
CARD8 |
number of Authentication Names sent (o) |
| 2 |
CARD16 |
length of first Authentication Name (o1) |
| o1 |
CARD8 |
first Authentication Name |
| ... |
|
Other Authentication Names |
Willing
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Willing) |
| 2 |
CARD16 |
length (6 + m + n + o) |
| 2 |
CARD16 |
Length of Authentication Name (m) |
| m |
CARD8 |
Authentication Name |
| 2 |
CARD16 |
Hostname length (n) |
| n |
CARD8 |
Hostname |
| 2 |
CARD16 |
Status length (o) |
| o |
CARD8 |
Status |
Unwilling
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Unwilling) |
| 2 |
CARD16 |
length (4 + m + n) |
| 2 |
CARD16 |
Hostname length (m) |
| m |
CARD8 |
Hostname |
| 2 |
CARD16 |
Status length (n) |
| n |
CARD8 |
Status |
Request
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Request) |
| 2 |
CARD16 |
length |
| 2 |
CARD16 |
Display Number |
| 1 |
CARD8 |
Count of Connection Types (m) |
2 m |
CARD16 |
Connection Types |
| 1 |
CARD8 |
Count of Connection Addresses (n) |
| 2 |
CARD16 |
Length of first Connection Address (n1) |
| n1 |
CARD8 |
First Connection Address |
| ... |
|
Other connection addresses |
| 2 |
CARD16 |
Length of Authentication Name (o) |
| o |
CARD8 |
Authentication Name |
| 2 |
CARD16 |
Length of Authentication Data (p) |
| p |
CARD8 |
Authentication Data |
| 1 |
CARD8 |
Count of Authorization Names (q) |
| 2 |
CARD16 |
Length of first Authorization Name (q1) |
| q1 |
CARD8 |
First Authorization Name |
| ... |
|
Other authorization names |
| 2 |
CARD16 |
Length of Manufacturer Display ID (r) |
| r |
CARD8 |
Manufacturer Display ID |
Accept
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Accept) |
| 2 |
CARD16 |
length(l2 + n + m + o + p) |
| 4 |
CARD32 |
Session ID |
| 2 |
CARD16 |
Length of Authentication Name (n) |
| n |
CARD8 |
Authentication Name |
| 2 |
CARD16 |
Length of Authentication Data (m) |
| m |
CARD8 |
Authentication Data |
| 2 |
CARD16 |
Length of Authorization Name (o) |
| o |
CARD8 |
Authorization Name |
| 2 |
CARD16 |
Length of Authorization Data (p) |
| p |
CARD8 |
Authorization Data |
Decline
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Decline) |
| 2 |
CARD16 |
length (6 + m + n + o) |
| 2 |
CARD16 |
Length of Status (m) |
| m |
CARD8 |
Status |
| 2 |
CARD16 |
Length of Authentication Name (n) |
| n |
CARD8 |
Authentication Name |
| 2 |
CARD16 |
Length of Authentication Data (o) |
| o |
CARD8 |
Authentication Data |
Manage
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Manage) |
| 2 |
CARD16 |
length (8 + m) |
| 4 |
CARD32 |
Session ID |
| 2 |
CARD16 |
Display Number |
| 2 |
CARD16 |
Length of Display Class (m) |
| m |
CARD8 |
Display Class |
Refuse
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Refuse) |
| 2 |
CARD16 |
length (4) |
| 4 |
CARD32 |
Session ID |
Failed
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Failed) |
| 2 |
CARD16 |
length (6 + m) |
| 4 |
CARD32 |
Session ID |
| 2 |
CARD16 |
Length of Status (m) |
| m |
CARD8 |
Status |
KeepAlive
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always KeepAlive) |
| 2 |
CARD16 |
length (6) |
| 2 |
CARD16 |
Display Number |
| 4 |
CARD32 |
Session ID |
Alive
| Length |
Type |
Description |
| 2 |
CARD16 |
version number (always 1) |
| 2 |
CARD16 |
opcode (always Alive) |
| 2 |
CARD16 |
length (5) |
| 1 |
CARD8 |
Session Running (0: not running 1: running) |
| 4 |
CARD32 |
Session ID (0: not running) |
7.9 DISPLAY CLASS FORMAT
The Display Class field of the Manage packet is used by the display manager to
collect common sorts of displays into manageable groups. This field is a string encoded of
ISO-LATIN-1 characters in the following format:
- ManufacturerID-ModelNumber
Both elements of this string must exclude characters of the set { -, ., :, *,
?, <space> }. The Manufacturer ID is a string which should be registered with
the X Consortium. The Model Number is designed to identify characteristics of the display
within the manufacturer's product line. This string should be documented in the users
manual for the particular device. This string should probably not be specifiable by the
display user to avoid unexpected configuration errors.
7.10 MANUFACTURER DISPLAY ID FORMAT
To authenticate the manager, the display and manager will share a private key. The
manager, then, must be able to discover which key to use for a particular device. The
Manufacturer Display ID field of the Request packet is intended for this purpose.
Typically, the manager host will contain a map between this number and the key. This field
is intended to be unique per display, possibly the ethernet address of the
- display in the form:
- -Ethernet-8:0:2b:a:f:d2
- or string of the form:
- ManufacturerlD-ModelNumber-SerialNumber
where ManufacturerID, ModelNumber and SerialNumber are encoded using ISO-LATIN-1
characters, excluding { -, ., *, ?, <space> }
When the display is shipped to a customer, it should include both the Manufacturer Display
ID and the private key in the documentation set. This information should not be modifiable
by the display user.
7.11 AUTHENTICATION
In an environment where authentication is not needed, XDMCP can disable authentication
by having the display send empty Authentication Name and Authentication Data fields in the
Request packet. In this case, the manager will not attempt to authenticate itself.
Other authentication protocols may be developed, depending on local needs.
In an unsecure environment, the display must be able to verify that the source of the
various packets is a trusted manager. These packets will contain authentication
information. As an example of such a system, the following discussion describes the
"XDM-AUTHENTICATION-I" authentication system. This system uses a 56 bit shared
private key, and 64 bits of authentication data. An associated example X authorization
protocol "XDM-AUTHORIZATION-1" will also be discussed. The 56 bit key is
represented as a 64 bit number in network order (big endian). This means that the first
octet in the representation will be zero. When incrementing a 64 bit value, the 8 octets
of data will be interpreted in network order (big endian). I.e. the last octet will be
incremented, subsequent carries propagate towards the first octet.
- Assumptions:
- The display and manager share a private key. This key could be programmed into the
display by the manufacturer and shipped with the unit. It must not be available from the
display itself, but should allow the value to be modified in some way. The system
administrator would be responsible for managing a database of terminal keys.
The display can generate random authentication numbers.
- Some definitions first:
- {D}
=encryption of plain text D by key
{
}*=decryption of crypto text with
key
=private key shared by display and manager
=64 bit random number generated by display
=authentication data in XDMCP packets
=per-session private key, generated by manager
=authorization data
Encryption will use the DES; blocks shorter than 64 bits will be zero-filled on the
right to 64 bits. Blocks longer than 64 bits will use block chaining:
- {D} ={D1}{D2
xor {D1}}
The display generates the first authentication data in the Request packet:
- Requcst={}
For the Accept packet, the manager decrypts the initial message and returns a Accept:
- = {Request}*
- Accept={+ 1 }
The Accept packet also contains the authorization intended for use by the X server. A
description of authorization type "XDM-AUTHORIZATION-1" follows:
The Accept packet contains the authorization name "XDM-AUTHORIZATION-1". The
authorization data is the string:
- Accepl = {}
To create authorization information for connection setup with the X server using the
XDM-AUTHORIZATION-1 authorization protocol, the client computes the following:
- N=X client identifier
T=Current time in seconds on client host (32 bits)
={NT}
For TCP connections N is 48 bits long and contains the 32 bit IP address of the
client host followed by the 16 bit port number of the client socket. Formats for other
connections must be registered. The resulting value, , is 192 bits of authorization data which is sent in the connection setup to
the server. The server receives the packet, decrypts the contents. To accept the
connection, the following must hold:
| 1. |
must match the value generated
for the most recent XDMCP negotiation. |
| 2. |
T must be within 1200 seconds of the internally stored time. If no
time been received before, the current time is set to T. |
| 3. |
No packet containing the same pair (N, T) can have been received in
the last 1200 seconds (20 minutes). |