ACCC Home Page ACADEMIC COMPUTING and COMMUNICATIONS CENTER
 
Using the Exceed X Server

Using Exceed X Server with SSH X11 Tunneling

 

This document explains how to set up the Hummingbird Exceed X Server and SSH Secure Shell on your Windows personal computer and how to use them to display X-Windows output -- securely -- from icarus, or tigger, or from any other Unix machine that supports SSH X11 tunneling.

(If your favorite Unix workstation doesn't support SSH X11 tunneling yet, ask its administrators to install it; a free noncommercial version of SSH Secure Shell for Servers for various Unix platforms is available for download from SSH. See also the ACCC SSH documentation for additional SSH servers and clients -- many of which are inexpensive or free. The ACCC has a UIC site license for SSH Communications Security Corp's SSH for Windows, which is described in SSH -- A Secure Replacement for Telnet.)

Using X Windows with SSH and X11 tunneling is both secure and easy -- it's by far the best way to do X Windows.

 
   
 
     
About SSH
 

SSH X11 tunneling is by far the best way to do X Windows.

  • It's secure -- your password never goes out over the network unencrypted and no one but you will be able to open an X-Windows session on your personal computer, and
  • It's easy -- you don't have to do any setup on your Unix workstation account to use X Windows and you don't have to worry about xauth or setting a $DISPLAY variable. (Compare the setup instructions below with those in Using Exceed X Server with Xhost Security, and, in particular, in Configure Your Tigger Account to use X Windows from that document, to see just how much easier this method is.)

SSH is also the best way to do telnet and file transfer too -- SSH client software takes the place of telnet and generally comes with a secure file transfer utility.

For personal computers running MS Windows, the ACCC supports and distributes SSH Secure Shell, from the SSH Communications Security Corp: http://www.ssh.com/
The SSH Secure Shell license agreement allows university and other noncommercial use free of charge.

For members of the UIC community for university and other noncommercial use, SSH Secure Shell is available on the Windows personal computers in the ACCC public labs, in the new version of the ACCC Network Services kit, and for download from the ftp.uic.edu file server: ftp://ftp.uic.edu/pub/othersoftware/ssh (It probably will someday be moved to the ACCC's e-sales Web site. If you go to the FTP server and don't find it there, check e-sales.)

For more information, see:

 
     
About Exceed
 

Exceed is an X Server program that you run on your Microsoft Windows personal computer. It provides the graphical features of an X Server for use with remote Unix machines. Generally speaking, there are two classes of Unix programs that benefit from X Windows display: number crunchers or graphics programs such as SAS, SPSS, Octave (a MATLAB clone), and Maple; and utility programs such as ghostview (a PostScript document viewer), xrn (a newsreader), and info (online IBM manuals on tigger).

Exceed is part of the Hummingbird Communications package, which includes various other communications tools, such as whois, finger, nslookup, traceroute, telnet, ftp, and lpr, and with tar compression and archiving.

Exceed is available at UIC on the Windows personal computers in the ACCC public labs, via ACCC Server Services, and may be purchased under a site license by UIC faculty and staff.

 
     
About Client/Server Software and X Windows
 

This section is a brief description of client/server software as it applies to X Windows. If you don't want to know about it and are not confused about the idea of running an X Server on your personal computer, you might want to skip it, and go down to the how-to sections.

X Windows is client/server software, where the "client software" goes to a "server" to request services from it.

In normal client/server software, the software you run on your personal computer -- your "local host" -- is the client software and the software on the other machine -- the "remote host" -- is the server. That's the case, say, for electronic mail. The Eudora or Outlook or Netscape that you use on your personal computer is your email client, and it talks to the POP or IMAP server on the remote machine that your email account is on -- icarus, mailserv, or tigger, for example -- which serves your email.

In normal client/server software the security question -- making sure that only you can access your own email, to continue our example -- is taken care of on the server side. You start your client, tell it which remote server to use and what your login id and password for that service are. Then your client contacts the server and gives it your id and password, which the server either accepts or rejects.

But in X Windows, client/server works the other way around -- you run an X Server, such as Exceed, on your local machine, and client processes running on the remote machine use your X Server to display their output on your local machine. Thus, when you use Exceed, the server is on your personal computer -- the local host -- and the clients are on the remote host -- icarus, tigger, or whatever other Unix workstations you have accounts on. (See "The X Protocol" from X.Org at http://www.x.org/about_x.htm for a short description of how the X Window system works, including easy to follow pictures.)

While this local server vs. remote client idea actually makes some sense for X Windows, it vastly complicates the client/server security question for X Windows -- how to determine which client processes on which remote machines should be allowed to display their output using your X Server on your personal computer.

The obvious answer to the "which processes should be allowed to write output to my personal computer" question is only those client processes that you start using your own Unix account(s). That is, unfortunately, rather hard to do. So people often set their X Servers up by defining "trusted hosts" using Xhost security, which is easier (but still somewhat hard), and which gives any account on a specific Unix host permission to open up an X-Windows window on your personal computer. If that doesn't scare you, think again. It ought to.

Thus, if you tell Exceed that tigger is a trusted host, as described in Using Exceed X Server with Xhost Security, then anyone logged into tigger will be able to open an X-Windows window on your personal computer, read all the windows managed by your X Server, including those where you typed passwords, regardless of whether you can read the password on your screen, or change the X Server settings that are read by other clients. This really should scare you.

And as insecure as Xhost "security" is, even that level of security is reasonably hard to set up, because your local machine has to know about each remote host you're going to be using X Windows with, and because each remote host has to know which personal computer your X Server is on. (The latter makes it hard to use X Windows from different machines -- say the one in your office or dorm room and one in a public lab -- you have to change settings on your Unix account each time you change local machines.)

SSH with X11 tunneling, on the other hand, is both easy to set up and secure, because it puts the client software back on your personal computer. You can use it on any personal computer to run X Windows from any remote Unix host that you have an account on and that supports SSH X11 tunneling, without changing any settings on the X Server or on the remote host.

When using SSH's X11 tunneling, you set your X Server up with Xhost security, but you tell it that the only host it should trust is the localhost -- your own personal computer. Then you use SSH in place of telnet to login to your account on the remote host. As part of the login process, your SSH client software talks to the SSH server on the remote host, and together, they automatically set up the X-Windows connection between your account on the remote host and your X Server.

 
     
Install and Configure Exceed on your PC
   
     
Step 1: Install Exceed and SSH on your PC (do once)
 

Use the program installation media to install Exceed on your PC, and download and install SSH according to the instructions in SSH - A Secure Replacement for Telnet, including setting up SSH X11 tunneling.

 
     
Step 2: Configure Exceed for Passive mode and Multiple Windows (do once)
 

Exceed's passive mode allows you to start the X Server on your personal computer without it making any initial attempt to connect to a specific remote host.

Set Exceed up to use Passive mode (Security) and Multiple Windows Mode (Screen Definition). Both of these settings are Exceed defaults, but it pays to check them if you've used Exceed before.

  1. Click the Start button, then select Programs->Hummingbird->Exceed->Xconfig.
  2. A password dialog box will open, asking you to enter your Xconfig password, which you selected when you installed Exceed. Type it in the box provided and click OK.
  3. Set Passive Communications:
    1. Double-click the Communication icon in the Xconfig window to open the Communications dialog box.
    2. Select Passive from the Mode field's drop-down list.
    3. Click OK to return to the Xconfig window.
  4. Set Multiple Windows Screen Definition:
    1. Double-click the Screen Definition icon in the Xconfig window to open the Screen Definition dialog box.
    2. Click the radio button beside Multiple in the Window Mode box on the upper left.
    3. Click OK to return to the Xconfig window.

The Passive Mode (3) and Multiple Window Mode (4) settings are necessary to minimize the amount of network traffic being sent along the SSH tunnel.

 
     
Step 3: Configure Localhost Security (do once; works for all Unix machines that support SSH X11 tunneling)
 

When using SSH X11 tunneling, the only "host" that Exceed will ever talk to is your own personal computer, a.k.a. the localhost. Thus, regardless of which or how many Unix machines or accounts you're going to use Exceed with, you only have to tell Exceed to answer to one machine -- your local host. Here's how.

  1. Double-click the Security icon in the Xconfig window box. The Security dialog box appears.
  2. In the Host Access Control List section of the Security dialog box, click the radio button that is to the immediate left of the word File. (As a result, the name of the file -- xhost.txt -- will darken.)
  3. Click the Edit box to the right of the name xhost.txt. A NotePad editing session will be initiated, editing the xhost.txt file.
  4. Type: localhost
    on a new line in the file.
  5. If your xhost.txt file already has other specific Unix hosts listed, such as icarus, tigger, or an EECS machine, delete those lines.
  6. Save your changes by clicking File in the menu bar, then selecting Save.
  7. Leave NotePad by clicking File in the menu bar, then selecting Exit.
  8. The Security dialog box reappears.
  9. Click OK (on the right side of the Security dialog box) and you'll return to the Xconfig window.
  10. Select File from the Xconfig menu bar; highlight and click Exit.

That completes the steps needed to install and configure Exceed to use SSH X11 tunneling.

 
     
Step 4: Unconfigure your Unix Account (do once per Unix account, if you've used X Windows before on that account)
 

If you've ever used X Windows before with one or more of your Unix accounts, then you've probably set your account(s) up to talk to your X Server. You have to remove these settings before you can use it with SSH X11 tunneling.

For Korn/Bourne shell users, check your .profile file, and remove any lines that look like this:

    export DISPLAY=adabyron.cc.uic.edu:0

For C shell users, check your .cshrc file, and remove any lines that look like this:

    setenv DISPLAY adabyron.cc.uic.edu:0

In the above, the adabyron.cc.uic.edu is used as an example; yours will be something else.
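
The Step 4 cleanup can be scripted. The following is an added example, not part of the original ACCC instructions; the function names, the matching pattern, and the sample .profile contents are constructed for illustration. It reports uncommented lines that hard-code DISPLAY in either shell syntax and can remove them after saving a backup.

```shell
#!/bin/sh
# Added example: find startup-file lines that hard-code DISPLAY (Step 4).
# A hard-coded value overrides the DISPLAY that SSH X11 tunneling provides.

# Matches Bourne/Korn ("DISPLAY=...", "export DISPLAY=...") and C shell
# ("setenv DISPLAY ...") assignments. Commented-out lines do not match
# because the pattern is anchored to the first non-blank token.
DISPLAY_PATTERN='^[[:space:]]*((export[[:space:]]+)?DISPLAY=|setenv[[:space:]]+DISPLAY[[:space:]])'

# find_display_overrides FILE...
# Prints "file:line:text" per match; returns 0 if any match, 1 if none.
find_display_overrides() {
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null as a second operand makes grep print the file name.
        if grep -nE "$DISPLAY_PATTERN" "$f" /dev/null; then
            found=0
        fi
    done
    return "$found"
}

# strip_display_overrides FILE
# Keeps the original as FILE.bak and rewrites FILE without those lines.
strip_display_overrides() {
    cp -p "$1" "$1.bak" || return 1
    # grep -v exits 1 when every line was removed; that is not an error.
    grep -vE "$DISPLAY_PATTERN" "$1.bak" > "$1" || [ "$?" -eq 1 ]
}

# Demo on a constructed .profile (sample content, not a real account).
demo_dir=$(mktemp -d)
cat > "$demo_dir/.profile" <<'EOF'
PATH=$PATH:$HOME/bin
# export DISPLAY=old.example.edu:0
export DISPLAY=adabyron.cc.uic.edu:0
EOF
find_display_overrides "$demo_dir/.profile"
strip_display_overrides "$demo_dir/.profile"
find_display_overrides "$demo_dir/.profile" || echo "no DISPLAY overrides left"
rm -rf "$demo_dir"
```

On a real account, run find_display_overrides on .profile and .cshrc first and review the reported lines before calling strip_display_overrides.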

 
     
Use X Windows with SSH X11 Tunneling
 
  1. Start the X Server on your PC -- Exceed, that is -- either each time you reboot your PC or whenever you want to use X Windows:
    1. Click the Start button,
    2. Then select Programs->Hummingbird->Exceed->Exceed
      (Not Exceed (XDMCP-Broadcast).)
    An Exceed button will appear on your taskbar; the icon looks like the letter X with a top hat and cane on it.
  2. Start SSH with SSH tunneling enabled and login to your Unix account.
    1. Click the Start button,
    2. Then select Programs->SSH Secure Shell->Secure Shell Client
    3. Login.

After that, an X-Windows window will automatically open whenever you start an X-Windows program on any remote Unix host that supports SSH and X11 tunneling, which includes the ACCC's tigger, icarus, and argo Unix servers.

A good X-Windows program to test with when you first set Exceed up is xclock.
On your Unix account, enter: xclock &
and a small X-Windows window containing a clock will open on your PC's screen. (It might open minimized; if you don't see it right away, check your taskbar.)

 

 
 



2004-5-25  ACCC Systems Staff