MDKSA-2002:025-kdm


by Nikola Strahija on March 21st, 2002

A problem was discovered with the default configuration of the kdm display manager in Mandrake Linux. By default, it allows XDMCP connections from any host, which can be used to obtain a login screen on your system remotely. This can be used to get a list of users on that host, as displayed by kdm. It can also be used to circumvent access control mechanisms such as tcpwrappers and root login restrictions on the console and via remote.


To disable remote connections, edit the /etc/X11/xdm/Xaccess file and
change the following two lines:

    *                                       #any host can get a login window
    *                    CHOOSER BROADCAST  #any indirect host can get a chooser

to:

    #*                                       #any host can get a login window
    #*                    CHOOSER BROADCAST  #any indirect host can get a chooser

Please note that Mandrake Linux 8.1 and 8.2 are not vulnerable to this
as newer versions of kdm have a configuration option in the
/usr/share/config/kdm/kdmrc file which explicitly has XDMCP support

Also please note that this is only valid if you are running kdm.
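The following audit helper is an added example and is not part of the advisory or of Mandrake's tooling. It checks the two settings the advisory discusses: whether an Xaccess file still carries an active wildcard entry (a line whose first field is "*", granting a login window or a chooser to any host), and what the Enable= key in the [Xdmcp] section of a kdmrc file is set to. The sample Xaccess and kdmrc contents it writes are constructed for the demonstration; the file names under the temporary directory are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): audit XDMCP exposure in
# Xaccess and kdmrc files. Sample files below are constructed.

# Print the active Xaccess entries whose first field is the wildcard host "*".
# Comments (from "#" to end of line) are stripped first, so a line the
# advisory's fix has commented out ("#*") no longer counts.
xaccess_open_entries() {
    sed 's/#.*$//' "$1" | awk 'NF > 0 && $1 == "*" { print }'
}

# Number of active wildcard entries, as a plain integer.
xaccess_open_count() {
    sed 's/#.*$//' "$1" | awk 'NF > 0 && $1 == "*" { n++ } END { print n + 0 }'
}

# Exit status 0 if any host can still obtain a login window or chooser.
xaccess_is_open() {
    [ -n "$(xaccess_open_entries "$1")" ]
}

# Value of Enable= inside the [Xdmcp] section of a kdmrc file, lower-cased;
# prints "unset" when the section or the key is absent.
kdmrc_xdmcp_enabled() {
    awk '
        /^\[/ { in_xdmcp = ($0 == "[Xdmcp]") }
        in_xdmcp && /^[[:space:]]*Enable[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[2])
            print tolower(kv[2]); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Write constructed sample files into directory $1:
# Xaccess.default resembles the permissive default the advisory describes,
# Xaccess.fixed has the advisory's fix applied, and the two kdmrc files
# show the newer kdm option with and without an [Xdmcp] section.
write_samples() {
    cat > "$1/Xaccess.default" <<'EOF'
# constructed sample: permissive default
*                                       #any host can get a login window
*                    CHOOSER BROADCAST  #any indirect host can get a chooser
EOF
    cat > "$1/Xaccess.fixed" <<'EOF'
# constructed sample: advisory fix applied
#*                                       #any host can get a login window
#*                    CHOOSER BROADCAST  #any indirect host can get a chooser
EOF
    cat > "$1/kdmrc.fixed" <<'EOF'
[General]
ConfigVersion=2.2

[Xdmcp]
Enable=false
Port=177
EOF
    cat > "$1/kdmrc.nosection" <<'EOF'
[General]
ConfigVersion=2.2
EOF
}

# Demonstration run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in Xaccess.default Xaccess.fixed; do
    printf '%s: %s active wildcard entries\n' "$f" "$(xaccess_open_count "$demo_dir/$f")"
    if xaccess_is_open "$demo_dir/$f"; then
        printf '  WARNING: any host can request a login window or chooser\n'
    fi
done
printf 'kdmrc.fixed [Xdmcp] Enable=%s\n' "$(kdmrc_xdmcp_enabled "$demo_dir/kdmrc.fixed")"
printf 'kdmrc.nosection [Xdmcp] Enable=%s\n' "$(kdmrc_xdmcp_enabled "$demo_dir/kdmrc.nosection")"
rm -rf "$demo_dir"
```

On a real system, point xaccess_is_open at /etc/X11/xdm/Xaccess (or at the Xaccess file your kdmrc references) and kdmrc_xdmcp_enabled at /usr/share/config/kdm/kdmrc; the checks only read the files and change nothing. Note that an "unset" result from the kdmrc check means the key was not found, not that XDMCP is off, so in that case the Xaccess result is the one to act on.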


Updated Packages:

There are no updated packages available. Please refer to the Solution
noted above for the fix.

Bug IDs fixed (see for more information):


To upgrade automatically, use MandrakeUpdate. The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of
FTP mirrors can be obtained from:

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:

rpm --checksig

All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team from:

Please be aware that sometimes it takes the mirrors a few hours to

You can view other update advisories for Mandrake Linux at:

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by

If you want to report vulnerabilities, please contact

[email protected]

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
