Using Exceed X Server with SSH X11 Tunneling

This document explains how to set up the Hummingbird Exceed X Server and Secure CRT on your Windows personal computer and how to use them to display X-Windows output -- securely -- from icarus, or tigger, or from any other Unix machine that supports SSH X11 tunneling.

(If your favorite Unix workstation doesn't support SSH X11 tunneling yet, ask its administrators to install it; a free noncommercial version of SSH Secure Shell for Servers for various Unix platforms is available for download from SSH Inc . See also the ACCC SSH documentation for additional SSH servers and clients -- many of which are inexpensive or free. The ACCC has a UIC site license for Secure CRT for Windows, which is described in SSH -- A Secure Replacement for Telnet.

Using X Windows with SSH and X11 tunneling is both secure and easy -- it's by far the best way to do X Windows.

SSH X11 tunneling is by far the best way to do X Windows.

• It's secure -- your password never goes out over the network unencrypted and no one but you will be able to open an X-Windows session on your personal computer, and
• It's easy -- you don't have to do any setup on your Unix workstation account to use X Windows and you don't have to worry about xauth or setting a $DISPLAY variable. (Compare the setup instructions below with those in Using Exceed X Server with Xhost Security, and, in particular, in Configure Your Tigger Account to use X Windows from that document, to see just how much easier this method is.)

SSH is also the best way to do telnet and file transfer too -- SSH client software takes the place of telnet and generally comes with a secure file transfer utility. It is shortly going to be the only way to do it on an ACCC machine also.

For personal computers running MS Windows, the ACCC supports and distributes Van Dyke Software's Secure CRT: http://www.vandyke.com/products/securecrt/

SecureCRT is available on the Windows personal computers in the ACCC public labs, or download it for no charge from E-Sales.

For more information, see:

• The Van Dyke's FAQ's: http://www.vandyke.com/support/index.html
• The ACCC document on Secure CRT: SSH -- A Secure Replacement for Telnet
  
  
• Other SSH clients (and servers): http://linuxmafia.com/ssh/
  
• IETF standards info on SECSH, the SSH protocol: http://www.ssh.com/support/cryptography/protocols/
  
  
• The SSH FAQ: http://www.employees.org/~satch/ssh/faq/

Exceed is an X Server program that you run on your Microsoft Windows personal computer. It provides the graphical features of an X Server for use with remote Unix machines. Generally speaking, there are two classes of Unix programs that benefit from X Windows display: number crunchers or graphics programs such as SAS, SPSS, Octave (a MATLAB clone), and Maple; and utility programs such as ghostview (a PostScript document viewer), xrn (a newsreader), and info (online IBM manuals on tigger).

Exceed is part of the Hummingbird Communications package, which includes various other communications tools, such as whois, finger, nslookup, traceroute, telnet, ftp, and lpr, and with tar compression and archiving.

Exceed is available at UIC on the Windows personal computers in the ACCC public labs, via ACCC Server Services, and may be purchased under a site license by UIC faculty and staff.

On your PC, use the program installation media to install Exceed, and download and install Secure CRT according to the instructions in SSH - A Secure Replacement for Telnet, including setting up SSH X11 tunneling.

Make sure you remember your Exceed Xconfig password.

Exceed's passive mode allows you to start an X Server on your personal computer without it making any initial attempt to connect to a specific remote host.

Set Exceed up to use Passive mode (a Security option) and Multiple Windows Mode (a Screen Definition option). Both of these settings are Exceed defaults, but it pays to check it out if you've used Exceed before.

1. On your PC, click the Start button, then select Programs->Hummingbird->Exceed->Xconfig.
2. A password dialog box will open, asking you to enter your Xconfig password, which you selected when you installed Exceed. Type it in the box provided and click OK.
3. Set Passive Communications:
   1. Double-click the Communication icon in the Xconfig window to open the Communications dialog box.
   2. Select Passive from the Mode field's drop-down list.
   3. Click OK to return to the Xconfig window.
4. Set Multiple Windows Screen Definition:
   1. Double-click the Screen Definition icon in the Xconfig window to open the Screen Definition dialog box.
   2. Click the radio button beside Multiple in the Window Mode box on the upper left.
   3. Click OK to return to the Xconfig window.

The Passive Mode (part 3), and Multiple Window Mode (part 4) settings are necessary to minimize the amount of network traffic being sent along the SSH tunnel.

When using SSH X11 tunneling, the only "host" that Exceed will ever talk to is your own personal computer, a.k.a. the localhost. Thus, regardless of which or how many Unix machines or accounts you're going to use Exceed with, you only have to tell Exceed to answer to one machine -- your local host. Here's how.

1. On your PC, double-click the Security icon in the Xconfig window box. The Security dialog box appears.
2. In the Host Access Control List section of the Security dialog box, click the radio button that is to the immediate left of the word File. (As a result, the name of the file -- xhost.txt -- will darken.)
3. Click the Edit box to the right of the name xhost.txt. A NotePad editing session will be initiated, editing the xhost.txt file.
4. Type: localhost
   on a new line in the file.
5. If your xhost.txt file already has other specific Unix hosts listed, such as icarus, tigger, or an EECS machine, delete those lines.
6. Save your changes by clicking File in the menu bar, then selecting Save.
7. Leave NotePad by clicking File in the menu bar, then selecting Exit.
8. The Security dialog box reappears.
9. Click OK (on the right side of the Security dialog box) and you'll return to the Xconfig window.
10. Select File from the Xconfig menu bar; highlight and click Exit.

This completes the steps needed to install and configure Exceed to use SSH X11 tunneling.

If you've ever used X Windows before with one or more of your Unix accounts, then you've probably set your account(s) up to talk to your X Server. You have to remove these settings before you can use it with SSH X11 tunneling.

For Korn/Bourne shell users, check your .profile file, and remove any lines that look like this:

export DISPLAY=adabyron.cc.uic.edu:0

For C shell users, check your .cshrc file, and remove any lines that look like this:

setenv DISPLAY adabyron.cc.uic.edu:0

In the above, the adabyron.cc.uic.edu is used as an example; yours will be something else.

1. Start the X Server on your PC -- Exceed, that is -- either each time you reboot your PC or whenever you want to use X Windows:
   1. Click the Start button,
   2. Then select Programs->Hummingbird->Exceed->Exceed
      (Not Exceed (XDMCP-Broadcast).)
   An Exceed button will appear on your taskbar; the icon looks like the letter X with a top hat and cane.
2. Start Secure CRT with SSH tunneling enabled and login to your Unix account.
   1. Click the Start button,
   2. Then select Programs->SecureCRT
   3. Login.

After that, an X-Windows window will automatically open whenever you start an X-Windows program on any remote Unix host that supports SSH and X11 tunneling, which includes the ACCC's tigger, icarus, and argo Unix servers.

A good X-Windows program to test with when you first set Exceed up is xclock.
On your Unix account, enter: xclock &
and a small X-Windows window containing a clock will open on your PC's screen. (It might open minimized; if you don't see it right away, check your taskbar.)

This section is a brief description client/server software as it applies to X Windows.

X Windows is client/server software, where the "client software" goes to a "server" to request services from it.

In normal client/server software, the software you run on your personal computer -- your "local host" -- is the client software and the software on the other machine -- the "remote host" -- is the server. That's the case, say, for electronic mail. The Eudora or Outlook or Netscape that you use on your personal computer is your email client, and it talks to the POP or IMAP server on the remote machine that your email account is on -- icarus, mailserv, or tigger, for example -- which serves your email.

In normal client server software the security question -- making sure that only you can access your own email, to continue our example -- is taken care of on the server side. You start your client, tell it which remote server to use and what your login id and password for that service is. Then your client contacts the server and gives it your id and password, which the server either accepts or rejects.

But in X Windows, client/server works the other way around -- you run an X Server, such as Exceed, on your local machine, and client processes running on the remote machine use your X Server to display their output on your local machine. Thus, when you use Exceed, the server is on your personal computer -- the local host -- and the clients are on the remote host -- icarus, tigger, or whatever other Unix workstations you have accounts on. (See What is the X Window System from O'Reilly's LinuxdevCenter. The article is a bit more detailed than I'd like, but it's readable and complete.)

While this local server vs. remote client idea actually makes some sense for X Windows, it vastly complicates the client/server security question for X Windows -- how to determine which client processes on which remote machines should be allowed to display their output using your X Server on your personal computer.

The obvious answer to the "which processes should be allowed write output to my personal computer" question is only those client process that you start using your own Unix account(s). That is, unfortunately, rather hard to do. So people often set their X Servers up by defining "trusted hosts" using Xhost security, which is easier (but still somewhat hard), and which gives any account an a specific Unix host permission to open up an X-Windows window on your personal computer. If that doesn't scare you, think again. It ought to.

Thus, if you tell Exceed that tigger is a trusted host, as described in Using Exceed X Server with Xhost Security, then anyone logged into tigger will be able to open an X-Windows window on your personal computer, read all the windows managed by your X Server, including those where you typed passwords, regardless of whether you can read the password on your screen, or change the X Server settings that are read by other clients. This really should scare you.

And as insecure as Xhost "security" is, even that level of security is reasonably hard to set up, because your local machine has to know about each remote host you're going to be using X Windows with, and because each remote host has to know which personal computer your X Server is on. (The latter makes it hard to use X Windows from different machines -- say the one in your office or dorm room and one in a public lab -- you have to change settings on your Unix account each time you change local machines.)

SSH with X11 tunneling, on the other hand, is both easy to set up and secure, because it puts the client software back on your personal computer. You can use it on any personal computer to run X Windows from any remote Unix host that you have an account on and that supports SSH X11 tunneling, without changing any settings on the X Server or on the remote host.

When using SSH's X11 tunneling, you set your X Server up with Xhost security, but you tell it that the only host it should trust is the localhost -- your own personal computer. Then you use SSH in place of telnet to login to your account on the remote host. As part of the login process, your SSH client software talks to the SSH server on the remote host, and together, they automatically set up the X-Windows connection between your account on the remote host and your X Server.