
CIT 470: Advanced Network and System Administration


  1. CIT 470: Advanced Network and System Administration: Remote Desktops

  2. Topics
     • X Windows
         • Client/server windowing
         • Window managers and desktops
         • Security
     • VNC
         • Why VNC?
         • Configuring
         • Security
     • NX

  3. X-Windows
     • Network-based windowing system.
     • Server
         • Handles user input and graphical display.
         • Runs on the machine with display unit.
     • Client
         • Graphical applications are clients.
         • Can run on a different machine than server.
         • Set DISPLAY environment variable.
         • Or use -display command line option.

  4. Window Manager
     • X client that provides features like:
         • Move, resize, iconify, and kill windows.
         • Window title bars.
         • Popup menus.
     • Example window managers
         • twm: Tab, primitive early window manager
         • mwm: Motif, found on commercial UNIXes
         • fvwm: Free, fast, very customizable.
         • WindowMaker: NeXT-like, see also AfterStep.

  5. TWM Screenshot

  6. FVWM Screenshot

  7. WindowMaker

  8. Desktops
     • CDE: Common desktop environment for commercial UNIXes.
     • Gnome: Standard Linux desktop based on GTK+.
     • KDE: Windows-like free desktop based on Qt.
     • Xfce: Lightweight desktop, also based on GTK+.

  9. X-Windows Security
     • Why do we need security?
         • An evil client can capture/create any X events.
         • Even if you're not using any network clients!
     • Host authentication
         • Limit who can start clients by IP address.
         • Set by the xhost + or xhost - commands.
     • Token authentication
         • Only clients with token can access server.
         • Set by the xauth command.

  10. X-Windows Security
     • Tunneling + host authentication.
         • All clients appear to be from localhost.
         • Therefore disable remote clients with xhost -
     • Use ssh client to tunnel X: ssh -X host
         • Server must have X11Forwarding set to yes.
         • Use echo $DISPLAY to test if X forwarding is on.
     • Note that local users can still attack X session.
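Added example (not part of the original slides): a shell function that classifies the output of `xhost` against the host-authentication points on slides 9 and 10. The function name `audit_xhost`, the finding labels and the sample outputs are constructed for illustration.

```bash
#!/bin/sh
# Added example: read the output of `xhost` on stdin and report how far
# host-based authentication has been opened up.
# Prints one finding per line; returns 1 if any host-based access is granted.
audit_xhost() {
    ax_rc=0
    while IFS= read -r ax_line; do
        case "$ax_line" in
            "access control disabled"*)
                # Result of `xhost +`: every host may connect.
                echo "FAIL: access control is off (fix with: xhost -)"
                ax_rc=1 ;;
            "access control enabled"*)
                echo "OK: access control is on" ;;
            SI:localuser:*)
                # Per-user entry for a local account, narrower than a host entry.
                echo "INFO: local user entry ${ax_line#SI:localuser:}" ;;
            "")
                ;;
            *)
                # INET:, INET6:, LOCAL: ... entries admit every user on that host.
                echo "WARN: host-based entry '$ax_line'"
                ax_rc=1 ;;
        esac
    done
    return "$ax_rc"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_HOSTLIST='access control enabled, only authorized clients can connect
INET:unix3.example.edu
SI:localuser:alice'
SAMPLE_TOKEN_ONLY='access control enabled, only authorized clients can connect'
```

On a live display, run it as `xhost | audit_xhost`; a clean result means only clients holding the xauth token can connect.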

  11. VNC: Virtual Network Computing

  12. Why VNC?
     • Remote desktop access.
     • Helpdesk: control a remote desktop.
     • Persistent desktop.
     • Use same desktop from multiple clients.
     • Need Linux access from Windows.
     • Need Windows access from Linux.

  13. What is VNC?
     • Open remote desktop protocol.
     • Many implementations
         • RealVNC: VNC from original researchers.
         • TightVNC: VNC with high compression.
         • VNCj: Java VNC, can run within web browser.
         • PalmVNC: VNC for Palm Pilots.
         • UltraVNC: enhanced VNC, only for Windows.

  14. Using VNC
     1. Start VNC server
         UNIX: vncserver
         Win: Start menu > Programs > RealVNC > VNCServer
     2. Write down server name and display number. It will look something like unix3:1
     3. Start VNC client
         UNIX: vncviewer
         Win: Start menu > Programs > RealVNC > VNCViewer
     4. Enter server and display to connect to (from step 2).
     5. A VNC remote desktop should appear.

  15. Configuring and Troubleshooting
     • On UNIX, VNC stores files under ~/.vnc
     • Configuration: xstartup
         • Indicates which X clients to start with server.
         • Typically includes vncconfig application.
     • Configuration: passwd
         • Contains VNC server session password.
     • Log files: host:display#.log
         • Any errors should appear in these logs.

  16. Securing VNC
     • VNC does not provide encryption.
     • Use ssh tunneling to encrypt login + data:
         ssh -L 5901:remotehost:5901 remotehost
         vncviewer localhost:1

  17. Tunneling
     • Tunneling: Encapsulation of one network protocol in another protocol
         • Carrier Protocol: protocol used by network through which the information is travelling
         • Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data
         • Passenger Protocol: protocol that carries original data

  18. ssh Tunneling
     • SSH can tunnel TCP connections
         • Carrier Protocol: IP
         • Encapsulating Protocol: ssh
         • Passenger Protocol: TCP on a specific port
     • POP-3 forwarding
         ssh -L 110:pop3host:110 -l user pop3host
         • Uses ssh to login to pop3host as user
         • Creates tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
         • User configures mail client to use localhost as POP3 server, then proceeds as normal
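Added example (not part of the original slides), tying slides 14, 16 and 18 together: `vnc_tunnel_cmd` turns a `host:display` pair into the matching `ssh -L` command (display N is TCP port 5900+N), and `exposed_vnc_listeners` reads `ss -ltn` output and lists VNC ports reachable without a tunnel. Both function names, the 5900-5999 port range and the sample data are assumptions made for this example; unlike slide 16, the forward targets `localhost` on the far end so that it also works when the VNC server listens only on loopback.

```bash
#!/bin/sh
# Added example. Sample data below is constructed, not captured.

# vnc_tunnel_cmd HOST:DISPLAY -> prints the ssh command for that display.
vnc_tunnel_cmd() {
    case "$1" in
        *:*) vt_host=${1%:*}; vt_disp=${1##*:} ;;
        *) echo "expected host:display" >&2; return 1 ;;
    esac
    case "$vt_host" in   # refuse empty, option-like or oddly spelled hosts
        ''|-*|*[!A-Za-z0-9.-]*) echo "bad host '$vt_host'" >&2; return 1 ;;
    esac
    case "$vt_disp" in   # one or two digits, no leading zero (octal trap)
        ''|*[!0-9]*|0?*|???*) echo "bad display '$vt_disp'" >&2; return 1 ;;
    esac
    vt_port=$((5900 + $vt_disp))
    # Leftmost part: listen on the client's loopback address only.
    # Rightmost part: "localhost" is resolved on the server end of the tunnel.
    echo "ssh -L 127.0.0.1:$vt_port:localhost:$vt_port $vt_host"
}

# exposed_vnc_listeners: reads `ss -ltn` output on stdin and prints every
# listener on ports 5900-5999 that is not bound to 127.0.0.1 or [::1].
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, p, ":"); port = p[n] + 0
        addr = substr($4, 1, length($4) - length(p[n]) - 1)
        if (port >= 5900 && port <= 5999 && addr != "127.0.0.1" && addr != "[::1]")
            print $4
    }'
}

# Constructed `ss -ltn` sample: display :1 is exposed, display :2 is not.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5902     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'
```

For the slide 14 example, `vnc_tunnel_cmd unix3:1` prints the tunnel command, after which `vncviewer localhost:1` connects through it; on the server, `ss -ltn | exposed_vnc_listeners` should print nothing once VNC is reachable only via ssh.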

  19. NX
     • Advantages over VNC:
         • Speed: fast enough to use over dialup.
         • Built-in ssh encryption.
     • Disadvantages
         • Immature code; hard to install + set up.
         • GPL client/server for Linux only.
         • Free Windows client; commercial server.
