CIT 470: Advanced Network and System Administration Slide #1

CIT 470: Advanced Network and System Administration

Remote Desktops

Slide #2

Topics

1. X Windows
   1. Client/server windowing
   2. Window managers and desktops
   3. Security

2. VNC
   1. Why VNC?
   2. Configuring
   3. Security

3. NX

Slide #3

X-Windows

• Network-based windowing system.

• Server
  – Handles user input and graphical display.
  – Runs on the machine with the display unit.

• Client
  – Graphical applications are clients.
  – Can run on a different machine than the server.

• Set the DISPLAY environment variable.

• Or use the -display command line option.

Slide #4

Window Manager

• X client that provides features like:
  – Move, resize, iconify, and kill windows.
  – Window title bars.
  – Popup menus.

• Example window managers
  – twm: Tab, primitive early window manager.
  – mwm: Motif, found on commercial UNIXes.
  – fvwm: Free, fast, very customizable.
  – WindowMaker: NeXT-like, see also AfterStep.

Slide #5

TWM Screenshot

Slide #6

FVWM Screenshot

Slide #7

WindowMaker

Slide #8

Desktops

• CDE: Common Desktop Environment for commercial UNIXes.

• Gnome: Standard Linux desktop based on GTK+.

• KDE: Windows-like free desktop based on Qt.

• Xfce: Lightweight desktop, also based on GTK+.

Slide #9

X-Windows Security

• Why do we need security?
  – An evil client can capture/create any X events.
  – Even if you're not using any network clients!

• Host authentication
  – Limits who can start clients by IP address.
  – Set by the xhost + or xhost - commands.

• Token authentication
  – Only clients holding the token can access the server.
  – Set by the xauth command.

Slide #10

X-Windows Security

• Tunneling + host authentication
  – All clients appear to be from localhost.
  – Therefore disable remote clients with xhost -
  – Use the ssh client to tunnel X: ssh -X host
  – The server must have X11Forwarding set to yes.
  – Use echo $DISPLAY to test whether X forwarding is on.
  – Note that local users can still attack the X session.
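The two checks the slides ask for, reading DISPLAY (slides 3 and 10) and inspecting the xhost access list (slides 9 and 10), as an added example that is not part of the original slides. The xhost output lines it parses are constructed to mimic the real command's format; the host and user names in them are made up, and the classification of a loopback DISPLAY as the ssh -X case is an assumption based on how sshd sets DISPLAY for forwarded sessions.

```shell
#!/bin/sh
# Added example, not from the slides: read-only checks for the two things the
# slides tell you to verify, the DISPLAY variable and the xhost access list.
# Nothing here changes X configuration; it only classifies text you would get
# from "echo $DISPLAY" and from running "xhost" with no arguments.

# Classify a DISPLAY value. Local displays use a unix socket (:0); under
# "ssh -X" sshd hands the session a loopback display such as localhost:10.0
# (assumption: forwarded displays always point at localhost); anything else is
# a raw TCP connection to a remote X server, which is the unencrypted,
# host-authenticated case the slides warn about.
classify_display() {
    case "$1" in
        "")                        echo "none" ;;
        :*)                        echo "local" ;;
        localhost:*|127.0.0.1:*)   echo "loopback" ;;
        *:*)                       echo "remote-tcp" ;;
        *)                         echo "invalid" ;;
    esac
}

# Read "xhost" output on stdin and report whether the server would accept
# clients from other hosts. INET:/INET6: entries are remote host grants,
# SI:localuser: entries are local users.
# Exit status 0 = access control on and no remote hosts listed, 1 otherwise.
audit_xhost() {
    control="unknown"
    remote=""
    while IFS= read -r line; do
        case "$line" in
            "access control enabled"*)  control="on" ;;
            "access control disabled"*) control="off" ;;
            INET:*|INET6:*)             remote="$remote ${line#*:}" ;;
        esac
    done
    if [ "$control" = "off" ]; then
        echo "OPEN: any host may connect (fix with: xhost -)"
        return 1
    elif [ -n "$remote" ]; then
        echo "PARTIAL: remote hosts allowed:$remote"
        return 1
    fi
    echo "OK: access control on, no remote hosts"
    return 0
}

# Constructed fixtures that mimic xhost output (not captured from a real machine).
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_GRANT='access control enabled, only authorized clients can connect
INET:lab-pc.example.edu'
XHOST_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Demo when run directly.
printf 'DISPLAY=localhost:10.0 is %s\n' "$(classify_display localhost:10.0)"
printf '%s\n' "$XHOST_OPEN"   | audit_xhost || :
printf '%s\n' "$XHOST_GRANT"  | audit_xhost || :
printf '%s\n' "$XHOST_CLOSED" | audit_xhost
```

On a live system the same functions would be fed with `classify_display "$DISPLAY"` and `xhost | audit_xhost`; a "remote-tcp" display or anything but "OK" from the audit is the configuration the slide says to replace with ssh -X and xhost -.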

Slide #11

VNC: Virtual Network Computing

Slide #12

Why VNC?

1. Remote desktop access.

2. Helpdesk: control a remote desktop.

3. Persistent desktop.

4. Use same desktop from multiple clients.

5. Need Linux access from Windows.

6. Need Windows access from Linux.

Slide #13

What is VNC?

• Open remote desktop protocol.

• Many implementations
  – RealVNC: VNC from the original researchers.
  – TightVNC: VNC with high compression.
  – VNCj: Java VNC, can run within a web browser.
  – PalmVNC: VNC for Palm Pilots.
  – UltraVNC: enhanced VNC, only for Windows.

Slide #14

Using VNC

1. Start the VNC server
   – UNIX: vncserver
   – Win: Start menu > Programs > RealVNC > VNC Server

2. Write down the server name and display number.
   – It will look something like unix3:1

3. Start the VNC client
   – UNIX: vncviewer
   – Win: Start menu > Programs > RealVNC > VNC Viewer

4. Enter the server and display to connect to (from step 2).

5. A VNC remote desktop should appear.

Slide #15

Configuring and Troubleshooting

• On UNIX, VNC stores files under ~/.vnc

• Configuration: xstartup
  – Indicates which X clients to start with the server.
  – Typically includes the vncconfig application.

• Configuration: passwd
  – Contains the VNC server session password.

• Log files: host:display#.log
  – Any errors should appear in these logs.
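A small audit of the ~/.vnc directory the slide describes, as an added example that is not part of the original slides. It checks the three files the slide names: that passwd exists and is readable only by its owner, that xstartup is executable, and whether any host:display.log contains error lines. The fixture directory it builds for the demo is constructed (the password file holds a placeholder, not a real VNC password hash), and the "vncconfig -iconic" line in the sample xstartup is only illustrative.

```shell
#!/bin/sh
# Added example, not from the slides: a quick audit of a ~/.vnc directory
# covering the three files the slide names (xstartup, passwd, host:display.log).
# It takes the directory as an argument so it can run against a constructed
# copy; point it at "$HOME/.vnc" on a real system.

check_vnc_dir() {
    dir=$1
    problems=0

    # passwd holds the session password: it must exist and be owner-only (mode 600).
    if [ ! -f "$dir/passwd" ]; then
        echo "passwd: missing (vncpasswd not run?)"
        problems=$((problems + 1))
    else
        # GNU stat first, BSD stat as a fallback
        mode=$(stat -c %a "$dir/passwd" 2>/dev/null || stat -f %Lp "$dir/passwd")
        if [ "$mode" != 600 ]; then
            echo "passwd: mode $mode, expected 600"
            problems=$((problems + 1))
        fi
    fi

    # xstartup is run by vncserver to start the X clients; it must be executable.
    if [ ! -x "$dir/xstartup" ]; then
        echo "xstartup: missing or not executable"
        problems=$((problems + 1))
    fi

    # The slide says any errors end up in host:display.log, so scan each one.
    for log in "$dir"/*:*.log; do
        [ -f "$log" ] || continue
        n=$(grep -ciE 'error|fatal|could not' "$log" || true)
        if [ "$n" -gt 0 ]; then
            echo "$(basename "$log"): $n error line(s)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Build a constructed ~/.vnc look-alike in a temp directory and print its path.
# "good" is a clean layout; anything else is a broken one with three findings.
make_sample_vnc_dir() {
    dir=$(mktemp -d)
    if [ "$1" = good ]; then
        printf 'placeholder-not-a-real-hash\n' > "$dir/passwd"; chmod 600 "$dir/passwd"
        printf '#!/bin/sh\nvncconfig -iconic &\nexec xterm\n' > "$dir/xstartup"; chmod 755 "$dir/xstartup"
        printf 'Xvnc started, listening on display :1\n' > "$dir/unix3:1.log"
    else
        printf 'placeholder-not-a-real-hash\n' > "$dir/passwd"; chmod 644 "$dir/passwd"
        printf 'Fatal server error:\nCould not open default font fixed\n' > "$dir/unix3:1.log"
    fi
    echo "$dir"
}

# Demo when run directly: audit a clean fixture, then a broken one.
sample=$(make_sample_vnc_dir good); check_vnc_dir "$sample"; rm -rf "$sample"
sample=$(make_sample_vnc_dir bad);  check_vnc_dir "$sample" || :; rm -rf "$sample"
```

The return value is the number of findings, so the function can be used as a boolean in a login script or a config-management check. The log name pattern follows the slide's example (unix3:1.log); the error keywords are a starting point, not an exhaustive list of what Xvnc can log.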

Slide #16

Securing VNC

• VNC does not provide encryption.

• Use ssh tunneling to encrypt login + data:

    ssh -L 5901:remotehost:5901 remotehost

    vncviewer localhost:1

Slide #17

Tunneling

Tunneling: encapsulation of one network protocol in another protocol
  – Carrier Protocol: protocol used by the network through which the information is travelling
  – Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data
  – Passenger Protocol: protocol that carries the original data

Slide #18

ssh Tunneling

SSH can tunnel TCP connections
  – Carrier Protocol: IP
  – Encapsulating Protocol: ssh
  – Passenger Protocol: TCP on a specific port

POP-3 forwarding

    ssh -L 110:pop3host:110 -l user pop3host

  – Uses ssh to log in to pop3host as user
  – Creates a tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
  – User configures the mail client to use localhost as the POP3 server, then proceeds as normal
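The ssh -L forwards from the VNC slide (slide 16) and the POP3 slide (slide 18), built and checked by helper functions, as an added example that is not part of the original slides. It encodes the 5900+N rule for VNC display ports, splits a -L spec into the leftmost (local) and rightmost (remote) parts the slide explains, and flags two things a practitioner checks before relying on such a tunnel. The host names (remotehost, pop3host, gateway) are the slides' own or constructed; nothing in the block opens a connection.

```shell
#!/bin/sh
# Added example, not from the slides: small helpers that build and sanity-check
# the "ssh -L" forwards shown for VNC and POP3. They only produce and inspect
# command strings; nothing here runs ssh.

# VNC display :N is served on TCP port 5900+N, which is why display :1 on the
# slide becomes port 5901.
vnc_port() { echo $((5900 + $1)); }

# ssh -L localport:host:remoteport [-l user] sshhost
forward_cmd() {
    lport=$1; rhost=$2; rport=$3; sshhost=$4; user=$5
    if [ -n "$user" ]; then
        echo "ssh -L $lport:$rhost:$rport -l $user $sshhost"
    else
        echo "ssh -L $lport:$rhost:$rport $sshhost"
    fi
}

# The VNC commands from the slide, built from their parts.
vnc_tunnel_cmd() { forward_cmd "$(vnc_port "$2")" "$1" "$(vnc_port "$2")" "$1"; }
vnc_viewer_cmd() { echo "vncviewer localhost:$1"; }

# Describe a -L spec in the slide's terms: the leftmost port is opened on
# localhost, the rightmost port is on the named host, reached from the ssh server.
explain_forward() {
    spec=$1
    lport=${spec%%:*}; rest=${spec#*:}
    rhost=${rest%%:*}; rport=${rest#*:}
    echo "localhost:$lport -> $rhost:$rport"
}

# Checks a practitioner runs before trusting a forward. Prints one line per
# finding and returns the number of findings (0 means nothing to flag).
forward_risks() {
    spec=$1; sshhost=$2
    lport=${spec%%:*}; rest=${spec#*:}; rhost=${rest%%:*}
    findings=0
    # The encrypted leg runs only from the client to sshhost. If the forward's
    # destination is a different machine, the sshhost -> rhost hop is plain TCP.
    if [ "$rhost" != "$sshhost" ] && [ "$rhost" != localhost ] && [ "$rhost" != 127.0.0.1 ]; then
        echo "destination $rhost is not $sshhost: the hop from $sshhost to $rhost is outside the tunnel"
        findings=$((findings + 1))
    fi
    # Ports below 1024 (the POP3 example binds 110) need root on the client side.
    if [ "$lport" -lt 1024 ]; then
        echo "local port $lport is privileged: run ssh as root or pick a high local port"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo when run directly.
vnc_tunnel_cmd remotehost 1
vnc_viewer_cmd 1
forward_cmd 110 pop3host 110 pop3host user
explain_forward 5901:remotehost:5901
forward_risks 110:pop3host:110 pop3host || :
```

The destination in a -L spec is resolved by the ssh server, not the client, so "5901:remotehost:5901 remotehost" reaches the VNC server through remotehost's own network address. If that VNC server also accepts connections from elsewhere, the tunnel protects this session but not the service; a tighter setup uses localhost as the destination and a VNC server that listens only on loopback (check your VNC server's documentation for the option that does this).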

Slide #19

NX

• Advantages over VNC:
  – Speed: fast enough to use over dialup.
  – Built-in ssh encryption.

• Disadvantages:
  – Immature code; hard to install + set up.
  – GPL client/server for Linux only.
  – Free Windows client; commercial server.
