The A3C Connection, April/May/June 2001

Secure X Windows with SSH

What is X Windows and Why Would You Want to Use It?
 

The X Windows system is a GUI -- graphical user interface -- that allows you to display the graphical output from commands that are run on a remote UNIX system on your local system -- in this case, your personal computer. This allows your personal computer to do what it does best -- display output -- while the remote UNIX system does what it does best -- running programs or number crunching.

There are two classes of UNIX programs that benefit from using an X Windows display: number crunching programs that produce graphical output, such as SAS, SPSS, Octave (MATLAB clone), and Maple; and utility programs such as ghostview (PostScript document viewer), xrn (newsreader), info (online IBM manuals on tigger), and xbsub et al. (programs to manage jobs run on borg).

If you already use X Windows on an MS Windows personal computer at UIC, then chances are you're using Hummingbird Communications' Exceed X Server. Exceed is part of the Hummingbird Communications package, which includes various communications tools and the UNIX tar compression and archiving tool.

Exceed is available at UIC on the Windows personal computers in the ACCC public labs, via ACCC Server Services, and may be purchased under a site license by UIC faculty and staff. (Go to the ACCC home page, http://www.accc.uic.edu/, click the Software button, and select Public Labs - Software Server Services or Site-Licensed Software.)

As is usual for anything UNIX, there are several different ways you can set up and use an X Server. The two easiest ways are:

- Using insecure Xhost security, where permissions are given based on the remote host's name, allowing anyone logged on to that remote host to open an X Window on your personal computer or worse (see Xhost "Security").
- Using secure SSH X11 tunneling, which limits access to your X server to X Windows programs that you start, and which is much easier to set up, too.

So the question is: insecure and harder vs. secure and easier. SSH X11 tunneling wins hands down.

How X Windows Works with SSH

X Windows is client/server software, where the "client software" requests services from a "server". Normally, you run the client software on your personal computer and the server is on a remote computer. But in X Windows, client/server software works the other way around. You run an X Server, such as Exceed, on your local machine, and client processes running on a remote UNIX machine use your X Server to display their output on your local machine.

While this local server/remote client idea makes sense for X Windows, it vastly complicates the client/server security question -- how to determine which client processes on which remote machines should be allowed to display their output using the X Server on your personal computer.

The obvious answer is only those client processes that you start using your own UNIX account(s).

Unfortunately, that is hard to do. So people often set their X Servers up by defining "trusted hosts" using Xhost security. Xhost security gives any account on a specific UNIX host permission to open an X Windows window on your personal computer and much worse (below).

Xhost "Security"

The "access to your X server" that Xhost security gives to other accounts on the remote host is much worse than just being able to open X Windows windows on your monitor. It means that a bad guy can read all the windows managed by your X Server, including those where you typed passwords, regardless of whether the password was ever visible on your screen. And it means being able to change X Server settings that are read by other clients.

This really should scare you.

SSH with X11 tunneling, on the other hand, is both easy to set up and secure because it puts the client software back on your personal computer. You can use it on your personal computer with your local X Server to run X Windows from any remote UNIX host that you have an account on and that supports SSH X11 tunneling, without changing any settings on your X Server or on the remote host.

When using SSH's X11 tunneling, you set your X Server up with Xhost security, but you tell it that the only host it should trust is the localhost -- your own personal computer. Then you use SSH in place of telnet to log in to your account on the remote host. As part of the login process, your SSH client software negotiates with the SSH server on the remote host, and together, they automatically set up a secure X Windows connection between your account on the remote host and your X Server (figure 2).

Does Your UNIX Host Support SSH X11 Tunneling?

The ACCC public UNIX servers do. If your favorite UNIX host doesn't support SSH X11 tunneling yet, ask its administrators to install it. Use an OpenSSH server, http://www.openssh.com/, or the SSH Communications servers on the UIC FTP site (figure 2).

Figure 2: Logging in with SSH Secure Shell

Download a self-extracting archive of SSH Secure Shell from the ftp.uic.edu FTP server: ftp://ftp.uic.edu/pub/othersoftware/ssh/ The $DISPLAY variable and the xauth list command output in the window show how SSH X11 tunneling works with X Windows.

Setting Up to Use X11 Tunneling

You only have to do this once; that's a good thing.

1. Set up Exceed for X11 tunneling.

Install and configure Exceed for Passive Communications and Multiple Windows, following the instructions in Using Exceed X Server with SSH X11 Tunneling.

When you use SSH X11 tunneling, the only host that Exceed talks to is your own personal computer. So you set Exceed up to use Xhost security, but, regardless of which or how many UNIX machines you're going to use X Windows with, you tell Exceed to answer to only one machine -- your local host, a.k.a. localhost. Using Exceed X Server with SSH X11 Tunneling explains how to do this.

If your xhost.txt file already has other specific UNIX hosts listed, such as icarus, tigger, or an EECS machine, delete those lines.

2. Set up your host account, if necessary.

If you've never used your UNIX account with X Windows, then you're set. You don't have to do anything more than just log in using SSH. Ever.

If you have used your UNIX account with X Windows before, then you've probably set it up to talk to your X Server. If so, you have to remove those settings. The Using Exceed X Server with SSH X11 Tunneling Web page explains how.

Running X Windows with SSH

1. Start your X Server: Start->Programs->Hummingbird->Exceed->Exceed (Do not select Exceed (XDMCP-Broadcast).)

2. Start SSH X11 tunneling: Log in to your UNIX account with SSH set up with X11 tunneling turned on (page 9).

3. Run an X Windows program on UNIX: xclock is good to use for testing. Enter: xclock & and an X Windows window containing a clock will open. It might open minimized; if you don't see it right away, check your taskbar.

And that's all there is to it.
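To confirm that a session really is tunnelled the way the article describes (DISPLAY pointing at localhost, an xauth cookie for that display, and an xhost.txt that trusts only localhost), here is an added shell check; it is not from the article, Exceed or SSH, and it assumes OpenSSH's default of numbering forwarded displays from 10 and an xhost.txt with one trusted hostname per line. The sample DISPLAY, xauth list line and xhost.txt contents are constructed.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check an SSH X11-tunnelled session.
# Assumptions: OpenSSH numbers forwarded displays from 10 (X11DisplayOffset), and
# Exceed's xhost.txt lists one trusted hostname per line.
# 0 if DISPLAY ($1) is a local, forwarded display (localhost:10 or higher); 1 otherwise.
display_is_forwarded() {
    host=${1%%:*}; rest=${1#*:}; num=${rest%%.*}
    case "$host" in
        localhost|127.0.0.1) ;;          # a remote host's name or a bare :0 is not a tunnel
        *) return 1 ;;
    esac
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" -ge 10 ]
}

# 0 if 'xauth list' output ($2) holds a MIT-MAGIC-COOKIE-1 entry for the display in $1.
xauth_has_cookie() {
    num=${1#*:}; num=${num%%.*}
    printf '%s\n' "$2" | awk -v n="$num" '
        $1 ~ (":" n "$") && $2 == "MIT-MAGIC-COOKIE-1" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print every host in an xhost.txt ($1) other than localhost; empty output means locked down.
xhost_file_extra_hosts() {
    printf '%s\n' "$1" | awk 'NF && tolower($1) != "localhost" && $1 != "127.0.0.1" { print $1 }'
}

# Run all three checks; returns 1 if anything needs fixing.
check_session() {
    ok=0
    if display_is_forwarded "$1"; then echo "DISPLAY=$1: looks SSH-forwarded"
    else echo "DISPLAY=$1: not an SSH-forwarded display"; ok=1; fi
    if xauth_has_cookie "$1" "$2"; then echo "xauth: cookie present for this display"
    else echo "xauth: no MIT-MAGIC-COOKIE-1 entry for this display"; ok=1; fi
    extra=$(xhost_file_extra_hosts "$3")
    if [ -z "$extra" ]; then echo "xhost.txt: only localhost is trusted"
    else echo "xhost.txt: delete these trusted hosts: $extra"; ok=1; fi
    return $ok
}

# Constructed sample inputs (not real data): DISPLAY, one xauth list line, and an
# xhost.txt that still trusts icarus, so the last check should fail.
SAMPLE_DISPLAY='localhost:10.0'
SAMPLE_XAUTH='tigger/unix:10  MIT-MAGIC-COOKIE-1  0a1b2c3d4e5f60718293a4b5c6d7e8f9'
SAMPLE_XHOST_TXT='localhost
icarus'
check_session "$SAMPLE_DISPLAY" "$SAMPLE_XAUTH" "$SAMPLE_XHOST_TXT" || echo "session is not locked down"
```

On a real login you would pass "$DISPLAY", "$(xauth list)" and the contents of your xhost.txt instead of the samples.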

Comments are welcome; please send them to Judith Grobe Sachs, judygs@uic.edu



2001-8-10  connect@uic.edu