biac:setup_secure_access [2014/08/04 16:03]
biac:setup_secure_access [2023/02/23 18:43] (current)
====== How to set up secure access to your X display ======
There are several ways to have X11 applications running on remote machines display on your local desktop. These methods are described below in order from most secure to least secure. Any or all of these methods can be used simultaneously. In fact, we recommend using the most secure method (SSH tunnelling) by default, and using the less secure methods for particular applications only if display performance is a problem.
A note on terminology:

In this document, the remote machine is assumed to be a UNIX/

===== SSH tunnelling (most secure) =====
This method works by tunnelling all X traffic through your SSH connection. As far as the X server (your display) is concerned, X traffic will appear on the local side of the SSH connection, looking like it is coming from the local (desktop) machine, even though the X traffic originated from an X application running on the remote machine. Moreover, this traffic will be encrypted, thereby protecting private information you might potentially send through the X interface (by typing passwords, for example). This has the further benefit of working through firewalls that are set up to allow only "

**Do the following to set up SSH tunnelling:**

=== On Windows using F-Secure SSH/
Assuming you have enabled X11 tunneling in your F-Secure SSH profile and added "

=== On Linux/UNIX: ===
On your desktop machine, the following line:
''
should occur either in the system-wide ssh_config file (/
''
Now any graphical application run on the remote machine through the secure shell should display on your local machine.

===== Direct display using XAuth (partially secure) =====

The XAuth method of access control ensures that X applications have authorization before allowing them to connect to an X server. Authorization credentials take the form of a display-specific "magic cookie"

Do the following to set up XAuth:
==== Set up a display key on the remote machine ====
=== Connecting to Golgi ===
Connect to golgi using your favorite SSH program. Run the following command:
''
(replace "
=== Connecting to another UNIX/Linux system: ===
Run the following command:
''
(replace "

==== Set up your display to recognize the new key ====
=== Connecting from a BIAC Windows machine: ===
Your system is already set up to recognize the new key in your Profile'
=== If you are connecting from a non-BIAC Windows machine: ===
Because your display machine does not necessarily have access to your BIAC Windows profile, you need to copy that file to your local display machine using the secure copy functionality of your SSH program. Copy the .Xauthority file either from the remote machine (typically /
''
you can also copy it from gall (\\gall\users\USERNAME\Profile\.Xauthority) to a secure, private folder on your local machine.
You need to tell X-Win32 to use this file to authorize access (you only need to do this once). Go to Start::Run, type "

{{:

Exit regedit and restart X-Win32. Verify that you can display on your machine by running
''
on the remote machine.

=== Connecting from a Linux machine: ===
Merge the new keys from the remote machine to your local machine using the following command from your local machine:
''
Verify that you can display on your machine by running
''
on golgi.
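As an added example that is not part of the original page, the following Python parses, merges and writes back the .Xauthority file that the steps above copy and merge; the merge mirrors what xauth merge does (records are matched by display, and the cookie field is the secret, which is why the file must stay private). It assumes the standard record layout (a big-endian family code, then four length-prefixed fields) and uses constructed entries, not real cookies.

```python
# Added example: the .Xauthority file copied above is a sequence of records,
# each a 2-byte big-endian family code (256 = local "hostname/unix:N") followed
# by four length-prefixed fields: address, display number, protocol, cookie.
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class XauthEntry:
    family: int
    address: bytes  # hostname for family 256, packed IP for family 0
    number: bytes   # display number as ASCII digits, e.g. b"0"
    name: bytes     # authorization protocol, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes     # the secret cookie (16 bytes); whoever reads it can connect

    def key(self):
        return (self.family, self.address, self.number, self.name)


def _take(buf, pos, n):
    # Cut n bytes at pos, refusing a file that ends mid-record.
    if pos + n > len(buf):
        raise ValueError("truncated .Xauthority data")
    return buf[pos:pos + n], pos + n


def parse_xauthority(buf: bytes) -> list:
    entries, pos = [], 0
    while pos < len(buf):
        raw, pos = _take(buf, pos, 2)
        fields = []
        for _ in range(4):
            raw_len, pos = _take(buf, pos, 2)
            field, pos = _take(buf, pos, struct.unpack(">H", raw_len)[0])
            fields.append(field)
        entries.append(XauthEntry(struct.unpack(">H", raw)[0], *fields))
    return entries


def serialize_xauthority(entries) -> bytes:
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += struct.pack(">H", len(field)) + field
    return bytes(out)


def merge_entries(local, remote):
    # Like xauth merge: a remote record for a known display replaces the local one.
    merged = {e.key(): e for e in local}
    for e in remote:
        merged[e.key()] = e
    return list(merged.values())
```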

===== Direct display without access control (not secure, not recommended) =====
This method bypasses the authorization mechanisms provided by the X server. This method is not documented because it is highly insecure.