CIT 470: Advanced Network and System Administration Slide #1
CIT 470: Advanced Network and System Administration
Remote Desktops
Topics
1. X Windows
   1. Client/server windowing
   2. Window managers and desktops
   3. Security
2. VNC
   1. Why VNC?
   2. Configuring
   3. Security
3. NX
X-Windows
• Network-based windowing system.
• Server
– Handles user input and graphical display.
– Runs on the machine with the display unit.
• Client
– Graphical applications are clients.
– Can run on a different machine than the server.
• Clients find the server through the DISPLAY environment variable, e.g. DISPLAY=host:0.0 (host, display number, screen).
• Or use the -display host:0.0 command line option.
Window Manager
• X client that provides features like:
– Move, resize, iconify, and kill windows.
– Window title bars.
– Popup menus.
• Example window managers
– twm: Tab Window Manager, primitive early window manager.
– mwm: Motif, found on commercial UNIXes.
– fvwm: free, fast, very customizable.
– WindowMaker: NeXT-like; see also AfterStep.
TWM Screenshot
FVWM Screenshot
WindowMaker
Desktops
CDE: Common Desktop Environment for commercial UNIXes.
Gnome: standard Linux desktop, based on GTK+.
KDE: Windows-like free desktop, based on Qt.
Xfce: lightweight desktop, also based on GTK+.
X-Windows Security
Why do we need security?
Any client that can connect to the X server can capture or synthesize X events (including every keystroke typed into any window, passwords included) and read any window's contents, even if you are not using any network clients.
Host authentication
Limits who can start clients, by hostname or IP address. Set with xhost +host (allow) and xhost -host (deny). xhost + with no host name disables access control for everyone and should never be used; xhost - with no host name turns access control back on.
Token authentication
Only clients that present the server's secret token (the MIT-MAGIC-COOKIE-1 cookie stored in ~/.Xauthority) can access the server. Managed with the xauth command. The cookie itself is sent in the clear, so on an unencrypted network X connection it can be sniffed and replayed.
X-Windows Security
Tunneling + host authentication
With ssh X11 forwarding, every remote client reaches the X server through the local ssh process, so all clients appear to come from localhost.
Therefore disable all remote hosts with xhost - and rely on the xauth cookie.
Use the ssh client to tunnel X: ssh -X host. The remote sshd must have X11Forwarding yes in sshd_config; ssh then sets DISPLAY on the remote side to a proxy display such as localhost:10.0 and installs a fresh xauth cookie for it.
Use echo $DISPLAY on the remote host to test if X forwarding is on: an empty value means it is off.
ssh -X requests an untrusted connection restricted by the X11 SECURITY extension (many distributions ship ForwardX11Trusted yes, which removes that restriction); ssh -Y requests trusted forwarding, which gives the remote client everything a local client has, including the ability to read other windows.
Note that local users can still attack the X session: any process on the display machine that can read the cookie (the same user, or root) has full access. The tunnel protects the network hop, not the endpoint.
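The two checks on this slide (is DISPLAY pointing at an ssh proxy display, and does sshd allow X11 forwarding) as a small script. This is an added example, not from the slides; it assumes sshd's default X11DisplayOffset of 10 and treats any DISPLAY that names another host as raw X over TCP. The sample sshd_config lines are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: decide whether X traffic on this
# session is going through an ssh tunnel, and whether a given sshd_config
# permits X11 forwarding at all.
#
# Assumptions (mine, not stated on the slides):
#  - sshd uses its default X11DisplayOffset of 10, so the proxy displays
#    it creates are numbered 10 and above (e.g. localhost:10.0).
#  - Any DISPLAY naming another host is raw X over TCP (port 6000+N),
#    which is unencrypted.

# classify_display DISPLAY -> prints one of:
#   none                  empty: forwarding is off, X clients will fail
#   local                 ":0", "unix:0": Unix-domain socket on this host
#   local-tcp             "localhost:0": TCP to the X server on this host
#   ssh-forwarded         "localhost:10.0" and up: sshd's proxy display
#   remote-tcp-plaintext  "unix3:0": X over the network with no encryption
classify_display() {
    disp=$1
    if [ -z "$disp" ]; then echo none; return 0; fi
    case $disp in
        *:*) ;;
        *) echo invalid; return 1 ;;
    esac
    host=${disp%%:*}          # part before the first colon
    rest=${disp#*:}           # display[.screen]
    num=${rest%%.*}           # display number only
    case $num in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    case $host in
        ''|unix) echo local ;;
        localhost|127.0.0.1)
            if [ "$num" -ge 10 ]; then echo ssh-forwarded; else echo local-tcp; fi ;;
        *) echo remote-tcp-plaintext ;;
    esac
}

# sshd_x11_forwarding FILE -> prints yes or no.
# sshd honours the FIRST value it reads for a keyword, and the compiled-in
# default is "no".  Commented lines never match because "#" sticks to $1.
# Match blocks and the "Keyword=value" form are not handled (simplification).
sshd_x11_forwarding() {
    val=$(awk 'tolower($1) == "x11forwarding" { print tolower($2); exit }' "$1")
    echo "${val:-no}"
}

# Demonstration on the current session and on a constructed sshd_config.
echo "DISPLAY=${DISPLAY-} -> $(classify_display "${DISPLAY-}")"
sample=$(mktemp)
printf '%s\n' '# X11Forwarding yes' 'X11Forwarding no' 'X11Forwarding yes' > "$sample"
echo "sample sshd_config: X11Forwarding $(sshd_x11_forwarding "$sample")"
rm -f "$sample"
```

Run it on the remote end of an ssh -X session and it should report ssh-forwarded; a remote-tcp-plaintext result means a client started from that shell would speak X across the network with only the cookie for protection.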
VNC: Virtual Network Computing
Why VNC?
1. Remote desktop access.
2. Helpdesk: control a remote desktop.
3. Persistent desktop.
4. Use same desktop from multiple clients.
5. Need Linux access from Windows.
6. Need Windows access from Linux.
What is VNC?
• Open remote desktop protocol.
• Many implementations
– RealVNC: VNC from the original researchers.
– TightVNC: VNC with high compression.
– VNCj: Java VNC, can run within a web browser.
– PalmVNC: VNC for Palm Pilots.
– UltraVNC: enhanced VNC, only for Windows.
Using VNC
1. Start VNC server
UNIX: vncserver
Win: Start menu>Programs>RealVNC>VNCServer
2. Write down server name and display number.
It will look something like unix3:1
3. Start VNC client
UNIX: vncviewer
Win: Start menu>Programs>RealVNC>VNCViewer
4. Enter server and display to connect to (from step 2).
5. A VNC remote desktop should appear.
Configuring and Troubleshooting
• On UNIX, VNC stores files under ~/.vnc
• Configuration: xstartup
– Indicates which X clients (window manager, terminal, etc.) to start with the server.
– Typically includes the vncconfig application.
• Configuration: passwd
– Contains the VNC server session password, obfuscated with a fixed DES key rather than hashed: anyone who can read the file can recover the password, so it must stay mode 0600.
– Classic VNC authentication uses only the first 8 characters of the password.
• Log files: host:display#.log
– Any errors should appear in these logs.
Securing VNC
VNC does not provide encryption. The RFB session (screen contents, keystrokes, mouse) travels in the clear, and the classic VNC authentication is a DES challenge-response on a password truncated to 8 characters, so a VNC server should never be exposed directly to an untrusted network.
Use ssh tunnelling to encrypt login + data:
ssh -L 5901:remotehost:5901 remotehost
vncviewer localhost:1
Display :N listens on TCP port 5900+N, so display :1 is port 5901. The middle remotehost is resolved by the remote sshd, so it can be written as localhost; most Unix VNC servers then accept vncserver -localhost, which makes Xvnc listen on loopback only and leaves port 5901 reachable solely through the tunnel.
Tunneling
Tunneling: encapsulation of one network protocol in another protocol.
– Carrier protocol: the protocol used by the network through which the information is travelling.
– Encapsulating protocol: the protocol (GRE, IPsec, L2TP) that is wrapped around the original data.
– Passenger protocol: the protocol that carries the original data.
ssh Tunneling
SSH can tunnel TCP connections
– Carrier protocol: IP
– Encapsulating protocol: ssh
– Passenger protocol: TCP on a specific port
POP-3 forwarding
ssh -L 110:pop3host:110 -l user pop3host
– Uses ssh to log in to pop3host as user.
– Creates a tunnel from port 110 (leftmost port number) on localhost to port 110 (rightmost port number) of pop3host. The destination host is resolved by the remote sshd, so the final hop to port 110 happens on pop3host itself and the whole network path is encrypted.
– Binding local port 110 requires root, since ports below 1024 are privileged; an unprivileged user can choose a high local port instead, e.g. -L 1110:pop3host:110, and point the client at localhost port 1110.
– By default the forwarded port listens on the loopback interface only, so other machines cannot ride the tunnel.
– The user configures the mail client to use localhost as the POP3 server, then proceeds as normal.
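The ssh -L recipe from the "Securing VNC" slide and the POP-3 forwarding above share one pattern, so here is a single helper script that builds (and optionally runs) the tunnel command for either case. This is an added example, not from the slides; the host names unix3 and pop3host, the user name user and the 1000-port offset for the unprivileged fallback are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: build the ssh -L command for the two
# cases on these slides (a VNC display, a POP3 server) from the pieces a
# user actually knows, and say why each option is there.  Host names
# (unix3, pop3host) and the +1000 fallback port are illustrative assumptions.
#
# Nothing is executed unless RUN is set to the empty string:
#   RUN= ./tunnel.sh vnc unix3:1         # really start the tunnel + viewer
#   ./tunnel.sh vnc unix3:1              # just print what would run
#   ./tunnel.sh pop3 user pop3host 1110  # POP3 via a non-privileged local port
RUN=${RUN-echo}

# vnc_port N -> TCP port of VNC display :N (RFB listens on 5900+N)
vnc_port() {
    case $1 in ''|*[!0-9]*) echo "bad display number: '$1'" >&2; return 1 ;; esac
    echo $((5900 + $1))
}

# split_target host:display -> "host display"   (e.g. unix3:1 -> unix3 1)
split_target() {
    case $1 in
        *:*) echo "${1%%:*} ${1#*:}" ;;
        *)   echo "need host:display, got '$1'" >&2; return 1 ;;
    esac
}

# tunnel_cmd LOCALPORT DESTHOST DESTPORT SSHTARGET -> the ssh command line.
#  -N                    no remote shell; the connection exists only for the tunnel
#  -f                    go to the background once authenticated
#  ExitOnForwardFailure  fail instead of silently running without the forward
#                        (e.g. when LOCALPORT is already taken)
# DESTHOST is resolved by the ssh *server*: "localhost" means the service on
# the server itself, so that service can be bound to loopback and still reached.
# Without -g or an explicit bind address the local port listens on loopback only.
tunnel_cmd() {
    lport=$1; dhost=$2; dport=$3; target=$4
    if [ "$lport" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "warning: local port $lport is privileged; try $((lport + 1000)) instead" >&2
    fi
    echo "ssh -N -f -o ExitOnForwardFailure=yes -L $lport:$dhost:$dport $target"
}

# vnc_tunnel host:display -> the two commands from the "Securing VNC" slide,
# with the destination written as localhost so that vncserver -localhost suffices.
vnc_tunnel() {
    parts=$(split_target "$1") || return 1
    host=${parts% *}; disp=${parts#* }
    port=$(vnc_port "$disp") || return 1
    tunnel_cmd "$port" localhost "$port" "$host"
    echo "vncviewer localhost:$disp"
}

# pop3_tunnel user host [localport] -> the POP-3 forwarding command from the slide
pop3_tunnel() {
    tunnel_cmd "${3:-110}" "$2" 110 "-l $1 $2"
}

case ${1-} in
    vnc)  vnc_tunnel "$2" | while IFS= read -r cmd; do $RUN $cmd; done ;;
    pop3) $RUN $(pop3_tunnel "$2" "$3" "${4-}") ;;
    "")   ;;   # no arguments: define the functions only (e.g. when sourced)
    *)    echo "usage: $0 vnc host:display | pop3 user host [localport]" >&2 ;;
esac
```

With RUN left unset the script only prints the commands, which is the safe default for checking the port arithmetic before opening a real tunnel; setting RUN to empty runs them, backgrounding ssh after authentication and then launching vncviewer against the local end.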
NX
Advantages over VNC
Speed: compresses the X protocol traffic; fast enough to use over dialup.
Built-in ssh encryption: all traffic runs over ssh, no separate tunnel to set up.
Disadvantages
Immature code; hard to install and set up.
GPL client/server for Linux only.
Free Windows client; commercial server.