Notice! This document is currently in Archived status.
The content of this document may be incorrect or outdated.

ECN Remote Access: X-Windows Security

Introduction

This document describes the security problems of running X-windows applications over the network to a PC operating as a display server.

Overview

X-windows uses peer-to-peer communications. UNIX applications contact an X-windows server, asking it to display output on the screen and to deliver input from the mouse and keyboard. Usually this peer-to-peer communication between application and X-windows server travels over the Internet. The communication channel between the UNIX application and the X-windows server is protected either by a limiting host list or by a pass code known as a cookie. It is also possible to protect communications by both methods, or by neither. Protection by neither method is the wide-open security problem discussed in this document, as it is usually the default for X-windows software packages on the PC.
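
The two protections named above can be inspected from the UNIX shell. The following script is an added example, not part of the original ECN page: it parses the output of xhost (the host access list) and xauth list (the MIT-MAGIC-COOKIE-1 pass code) and reports which of the two currently guards the display named in DISPLAY. The sample xhost and xauth lines in the comments are constructed for illustration; audit_display runs the real tools.

```sh
#!/bin/sh
# Added example, not from the original ECN page: report which of the two
# X-windows protections (host access list via xhost, cookie via xauth)
# currently guard a display. The parsing functions work on captured tool
# output; audit_display runs the real tools against $DISPLAY.

# Host list: "xhost" with no arguments prints either
#   access control enabled, only authorized clients can connect
# or
#   access control disabled, clients can connect from any host
host_list_state() {
    case "$1" in
        *"access control enabled"*)  echo host-list ;;
        *"access control disabled"*) echo open ;;
        *)                           echo unknown ;;
    esac
}

# Cookie: "xauth list" prints one line per display, for example (constructed)
#   pc-name/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
# Report "cookie" when an entry exists for the given display number.
cookie_state() {
    display_no="$1"
    xauth_output="$2"
    if printf '%s\n' "$xauth_output" |
       grep -q ":$display_no[[:space:]][[:space:]]*MIT-MAGIC-COOKIE-1"; then
        echo cookie
    else
        echo none
    fi
}

# Combine the two findings into the page's cases: both, one, or neither.
summarize_protection() {
    hosts="$1"
    cookie="$2"
    if [ "$hosts" = host-list ] && [ "$cookie" = cookie ]; then
        echo "host list and cookie"
    elif [ "$hosts" = host-list ]; then
        echo "host list only"
    elif [ "$cookie" = cookie ]; then
        echo "cookie only"
    else
        echo "neither (open to any host)"
    fi
}

# Extract the display number from a DISPLAY value such as localhost:10.0 or :0.
display_number() {
    n="${1##*:}"
    echo "${n%%.*}"
}

# Live audit of the display this shell points at (requires xhost and xauth).
# Over an ssh tunnel the display is the forwarded one, e.g. localhost:10.0.
audit_display() {
    disp="${DISPLAY:?DISPLAY is not set}"
    hosts=$(host_list_state "$(xhost 2>&1)")
    cookie=$(cookie_state "$(display_number "$disp")" "$(xauth list 2>/dev/null)")
    echo "$disp: protected by $(summarize_protection "$hosts" "$cookie")"
}
```

Source the file in the SecureCRT session and run audit_display; a result of "neither (open to any host)" is the wide-open default the overview warns about.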

Purdue University holds a site license to the SecureCRT software product for use on computers at the university plus faculty, staff and student computers at home 1. SecureCRT runs on all Windows operating systems (Windows Vista, 2003, XP, 2000). To obtain the software for university or home use, go to the PULS download page and follow the instructions. Once installed, it is important to make additional changes to SecureCRT to enable networking security. Without these changes, anyone on the Internet who is able to contact your computer could read any keystrokes, show any image on the screen, or disable and lock the Windows system from use. It's amazing that users are leaving themselves open to this all the time. Usually the thought is that this will never happen to me. Most users don't implement security when computing with X-windows because of its inconvenience. But with a little extra effort and practice, security is achievable with little loss in productivity.

Be sure to read all the instructions on this document before proceeding.

Implementation

Invoking an X-windows application is accomplished by the following steps:

  1. Start the X-windows server program running on the PC computer.
  2. Start an ssh window and log on to the UNIX server.
  3. Start an X-windows application.

The ssh program will automatically set a DISPLAY variable referring to the PC computer.

The following sections give step-by-step instructions for setting up a secure environment and for navigating the process of starting an X-windows application.

Installation

To operate X-windows software in a more secure mode, the X-windows software must be installed along with a secure telnet program that provides encryption and tunneling. This document describes Cygwin-X as the X-windows program and SecureCRT as the secure telnet program.

Cygwin-X

Obtain the Cygwin-X software from the PULS download page and install it on your Windows computer. The download of Cygwin-X requires a coordinated user account, but the installation process does not require a software license key. Once the software installer package is on the PC, perform the following actions:

  • Double-click on the icon to start the installer application.
  • Click on Next.
  • Select the language choice and click on OK.
  • Click on Next.
  • Read the license agreement then click on I accept the terms in the license agreement then click on Next.
  • Enter your user name and organization into the text fields, then select Install this application for: Anyone who uses this computer (all users), then click on Next.
  • Select the installation folder then click on Next.
  • Select installation type then click on Next.
  • Click on Install.
    Wait for installation to complete...
  • Select keyboard type and click Next.
  • Enter and confirm a password for the configuration then click Next.
  • Click Next or Skip, depending on whether you want to wait for the server software to be tuned.
  • Click on Finish.

SecureCRT

Obtain a copy of secure telnet software from the PULS download page and install it on your Windows computer. This version operates with all Windows (Windows Vista, 2003, XP, 2000) operating systems. Once the software installer package is on the PC, perform the following actions:

  • Double-click on the icon to start the installer application.
  • Click on Next.
  • Read the license agreement then click on Yes.
  • Select the installation folder then click on Next.
  • Select the program folder then click on Next.
  • Select the software components to install (all components are recommended) and click on Next.
  • Click on Finish.

Adjustments

Each software product needs adjustment to make the networking connection secure. By default, Hummingbird Exceed does not restrict connections, nor does secure telnet perform X11 tunneling.

Operation and Testing

Operate the software to test connectivity and security. In the steps below, an X-windows application is launched to test basic connectivity, then the same application is launched with different settings to test basic security.

Start a connection to the UNIX server using SecureCRT.

  • Click on Start > Programs > ECN Software > SecureCRT > SecureCRT.
  • Enter the name of the UNIX server and the name of a user and click Connect.
  • Enter the password and click OK.

Once logged on, verify that a DISPLAY variable has been set up on behalf of SecureCRT by typing the command echo $DISPLAY followed by the enter key. A typical X-windows display setting should be shown. If a blank line is shown, go back to the instructions for adjusting SSH and make sure that Tunnel X11 connections has a checkmark.

Next, start the Cygwin-X display server.

  • Click on Start > Programs > ECN Software > Cygwin-X > Start X-Server.

The default settings will bring up Cygwin-X as an icon in the system tray, plus a bash terminal in the top left of the screen. To avoid confusion, close the bash terminal by clicking on the system menu at the upper left icon of the toolbox to dismiss it from the screen. The toolbox can be restored by right-clicking on the Exceed icon and selecting Tools -> Toolbar -> Show.

Next, start an X-windows program. A simple application like the clock will be enough to test. Type xclock followed by the enter key. A clock should appear on your screen. Close the clock by clicking the close button. If typing xclock produces an unknown command error instead of starting the program, the X-windows software isn't in your PATH variable. Try typing /usr/openwin/bin/xclock or /usr/X11R6/bin/xclock.

This demonstrates the secured method of getting the clock to display on your screen. It works by having SecureCRT capture the DISPLAY port on the UNIX server and pass the traffic back through the SecureCRT connection to the PC. SecureCRT then passes this information through the localhost interface to the Cygwin-X program. Since Cygwin-X only permits connections through localhost, the communications are more secure.

Next, test that the PC is not open to remote connections from the Internet. One way to test is to refer to the PC's X-windows display by its direct name. First find out the Internet name of the PC. If the Internet name is short enough, type the command who am i in the SecureCRT window and note the last field of the results.

Use the host name when typing the command xclock -display name:0, where name is the PC computer's Internet name or IP address. Press enter to execute the command. This should not operate correctly. You should see a response something like:

Xlib: connection to "pc-name:0.0" refused by server.
Xlib: Client is not authorized to connect to Server
Error: Can't open display: pc-name:0

If a clock appears, then the Cygwin-X settings don't restrict connections to localhost only. Go back to the instructions for Cygwin-X and make sure that the host access control list is enabled.

Last modified: 2012/02/07 15:16:46.306215 US/Eastern by john.a.omalley.1
Created: 2006/08/15 14:03:50.285000 GMT-4 by brian.r.brinegar.1.
