ACADEMIC COMPUTING and COMMUNICATIONS CENTER | |||||||||
| ||||||||
Using Exceed X Server with SSH X11 Tunneling | ||||||||
This document explains how to set up the Hummingbird Exceed X Server and SSH Secure Shell on your Windows personal computer and how to use them to display X-Windows output -- securely -- from icarus, or tigger, or from any other Unix machine that supports SSH X11 tunneling. (If your favorite Unix workstation doesn't support SSH X11 tunneling yet, ask its administrators to install it; a free noncommercial version of SSH Secure Shell for Servers for various Unix platforms is available for download from SSH. See also the ACCC SSH documentation for additional SSH servers and clients -- many of which are inexpensive or free. The ACCC has a UIC site license for SSH Communications Security Corp's SSH for Windows, which is described in SSH -- A Secure Replacement for Telnet. Using X Windows with SSH and X11 tunneling is both secure and easy -- it's by far the best way to do X Windows. |
||||||||
| ||||||||
About SSH | ||||||||
SSH X11 tunneling is by far the best way to do X Windows.
SSH is also the best way to do telnet and file transfer too -- SSH client software takes the place of telnet and generally comes with a secure file transfer utility. For personal computers running MS Windows, the ACCC supports and distributes
SSH Secure Shell, from the SSH Communications Security Corp: http://www.ssh.com/ For members of the UIC community for university and other noncommercial use, SSH Secure Shell is available on the Windows personal computers in the ACCC public labs, in the new version of the ACCC Network Services kit, and for download from the ftp.uic.edu file server: ftp://ftp.uic.edu/pub/othersoftware/ssh (It probably will someday be moved to the ACCC's e-sales Web site. If you go to the FTP server and don't find it there, check e-sales. For more information, see:
|
||||||||
About Exceed | ||||||||
Exceed is an X Server program that you run on your Microsoft Windows personal computer. It provides the graphical features of an X Server for use with remote Unix machines. Generally speaking, there are two classes of Unix programs that benefit from X Windows display: number crunchers or graphics programs such as SAS, SPSS, Octave (a MATLAB clone), and Maple; and utility programs such as ghostview (a PostScript document viewer), xrn (a newsreader), and info (online IBM manuals on tigger). Exceed is part of the Hummingbird Communications package, which includes various other communications tools, such as whois, finger, nslookup, traceroute, telnet, ftp, and lpr, and with tar compression and archiving. Exceed is available at UIC on the Windows personal computers in the ACCC public labs, via ACCC Server Services, and may be purchased under a site license by UIC faculty and staff. |
||||||||
About Client/Server Software and X Windows | ||||||||
This section is a brief description client/server software as it applies to X Windows. If you don't want to know about it and are not confused about the idea of running an X Server on your personal computer, you might want to skip it, and go down to the how-to sections. X Windows is client/server software, where the "client software" goes to a "server" to request services from it. In normal client/server software, the software you run on your personal computer -- your "local host" -- is the client software and the software on the other machine -- the "remote host" -- is the server. That's the case, say, for electronic mail. The Eudora or Outlook or Netscape that you use on your personal computer is your email client, and it talks to the POP or IMAP server on the remote machine that your email account is on -- icarus, mailserv, or tigger, for example -- which serves your email. In normal client server software the security question -- making sure that only you can access your own email, to continue our example -- is taken care of on the server side. You start your client, tell it which remote server to use and what your login id and password for that service is. Then your client contacts the server and gives it your id and password, which the server either accepts or rejects. But in X Windows, client/server works the other way around -- you run an X Server, such as Exceed, on your local machine, and client processes running on the remote machine use your X Server to display their output on your local machine. Thus, when you use Exceed, the server is on your personal computer -- the local host -- and the clients are on the remote host -- icarus, tigger, or whatever other Unix workstations you have accounts on. (See "The X Protocol" from X.Org at http://www.x.org/about_x.htm for a short description of how the X Window system works, including easy to follow pictures.) While this local server vs. remote client idea actually makes some sense for X Windows, it vastly complicates the client/server security question for X Windows -- how to determine which client processes on which remote machines should be allowed to display their output using your X Server on your personal computer. The obvious answer to the "which processes should be allowed write output to my personal computer" question is only those client process that you start using your own Unix account(s). That is, unfortunately, rather hard to do. So people often set their X Servers up by defining "trusted hosts" using Xhost security, which is easier (but still somewhat hard), and which gives any account an a specific Unix host permission to open up an X-Windows window on your personal computer. If that doesn't scare you, think again. It ought to. Thus, if you tell Exceed that tigger is a trusted host, as described in Using Exceed X Server with Xhost Security, then anyone logged into tigger will be able to open an X-Windows window on your personal computer, read all the windows managed by your X Server, including those where you typed passwords, regardless of whether you can read the password on your screen, or change the X Server settings that are read by other clients. This really should scare you. And as insecure as Xhost "security" is, even that level of security is reasonably hard to set up, because your local machine has to know about each remote host you're going to be using X Windows with, and because each remote host has to know which personal computer your X Server is on. (The latter makes it hard to use X Windows from different machines -- say the one in your office or dorm room and one in a public lab -- you have to change settings on your Unix account each time you change local machines.) SSH with X11 tunneling, on the other hand, is both easy to set up and secure, because it puts the client software back on your personal computer. You can use it on any personal computer to run X Windows from any remote Unix host that you have an account on and that supports SSH X11 tunneling, without changing any settings on the X Server or on the remote host. When using SSH's X11 tunneling, you set your X Server up with Xhost security, but you tell it that the only host it should trust is the localhost -- your own personal computer. Then you use SSH in place of telnet to login to your account on the remote host. As part of the login process, your SSH client software talks to the SSH server on the remote host, and together, they automatically set up the X-Windows connection between your account on the remote host and your X Server. |
||||||||
Install and Configure Exceed on your PC | ||||||||
Step 1: Install Exceed and SSH on your PC (do once) | ||||||||
Use the program installation media to install Exceed on your PC, and download and install SSH according to the instructions in SSH - A Secure Replacement for Telnet, including setting up SSH X11 tunneling |
||||||||
Step 2: Configure Exceed for Passive mode and Multiple Windows (do once) | ||||||||
Exceed's passive mode allows you to start the X Server on your personal computer without it making any initial attempt to connect to a specific remote host. Set Exceed up to use Passive mode (Security) and Multiple Windows Mode (Screen Definition). Both of these settings are Exceed defaults, but it pays to check it out if you've used Exceed before.
The Passive Mode (3), and Multiple Window Mode (4) settings are necessary to minimize the amount of network traffic being sent along the SSH tunnel. |
||||||||
Step 3: Configure Localhost Security (do once; works for all Unix machines that support SSH X11 tunneling) | ||||||||
When using SSH X11 tunneling, the only "host" that Exceed will ever talk to is your own personal computer, a.k.a. the localhost. Thus, regardless of which or how many Unix machines or accounts you're going to use Exceed with, you only have to tell Exceed to answer to one machine -- your local host. Here's how.
That completes the steps needed to install and configure Exceed to use SSH X11 tunneling. |
||||||||
Step 4: Unconfigure your Unix Account (do once per Unix account, if you've used X Windows before on that account) | ||||||||
If you've ever used X Windows before with one or more of your Unix accounts, then you've probably set your account(s) up to talk to your X Server. You have to remove these settings before you can use it with SSH X11 tunneling.
In the above, the adabyron.cc.uic.edu is used as an example; yours will be something else. |
||||||||
Use X Windows with SSH X11 Tunneling | ||||||||
After that, an X-Windows window will automatically open whenever you start an X-Windows program on any remote Unix host that supports SSH and X11 tunneling, which includes the ACCC's tigger, icarus, and argo Unix servers. A good X-Windows program to test with when you first set Exceed up is xclock.
|
||||||||
Exceed X Server | Previous: Insecure Access by Hostname: Xhost |
2004-5-25 ACCC Systems Staff |
|