CIT 470: Advanced Network and System Administration
Remote Desktops
Slide #1
Topics
1. X Windows
   1. Client/server windowing
   2. Window managers and desktops
   3. Security
2. VNC
   1. Why VNC?
   2. Configuring
   3. Security
3. NX
Slide #2
X-Windows
• Network-based windowing system.
• Server
– Handles user input and graphical display.
– Runs on the machine with display unit.
• Client
– Graphical applications are clients.
– Can run on a different machine than server.
• Set DISPLAY environment variable.
• Or use the -display command line option.
Slide #3
Window Manager
• X client that provides features like:
– Move, resize, iconify, and kill windows.
– Window title bars.
– Popup menus.
• Example window managers
– twm: Tab, primitive early window manager.
– mwm: Motif, found on commercial UNIXes.
– fvwm: Free, fast, very customizable.
– WindowMaker: NeXT-like, see also AfterStep.
Slide #4
TWM Screenshot
Slide #5
FVWM Screenshot
Slide #6
WindowMaker
Slide #7
Desktops
• CDE: Common desktop environment for commercial UNIXes.
• Gnome: Standard Linux desktop based on GTK+.
• KDE: Windows-like free desktop based on QT.
• Xfce: Lightweight desktop, also based on GTK+.
Slide #8
X-Windows Security
• Why do we need security?
– An evil client can capture/create any X events.
– Even if you’re not using any network clients!
• Host authentication
– Limit who can start clients by IP address.
– Set by the xhost + or xhost - commands.
• Token authentication
– Only clients with the token can access the server.
– Set by the xauth command.
Slide #9
X-Windows Security
• Tunneling + host authentication.
– All clients appear to be from localhost.
– Therefore disable remote clients with xhost -
– Use the ssh client to tunnel X: ssh -X host
– Server must have X11Forwarding set to yes.
– Use echo $DISPLAY to test if X forwarding is on.
• Note that local users can still attack the X session.
Slide #10
VNC: Virtual Network Computing
Slide #11
Why VNC?
1. Remote desktop access.
2. Helpdesk: control a remote desktop.
3. Persistent desktop.
4. Use same desktop from multiple clients.
5. Need Linux access from Windows.
6. Need Windows access from Linux.
Slide #12
What is VNC?
• Open remote desktop protocol.
• Many implementations
– RealVNC: VNC from original researchers.
– TightVNC: VNC with high compression.
– VNCj: Java VNC, can run within web browser.
– PalmVNC: VNC for Palm Pilots.
– UltraVNC: enhanced VNC, only for Windows.
Slide #13
Using VNC
1. Start VNC server
   UNIX: vncserver
   Win: Start menu>Programs>RealVNC>VNCServer
2. Write down server name and display number.
   It will look something like unix3:1
3. Start VNC client
   UNIX: vncviewer
   Win: Start menu>Programs>RealVNC>VNCViewer
4. Enter server and display to connect to (from step 2).
5. A VNC remote desktop should appear.
Slide #14
Configuring and Troubleshooting
• On UNIX, VNC stores files under ~/.vnc
• Configuration: xstartup
– Indicates which X clients to start with server.
– Typically includes vncconfig application.
• Configuration: passwd
– Contains VNC server session password.
• Log files: host:display#.log
– Any errors should appear in these logs.
Slide #15
Securing VNC
VNC does not provide encryption.
Use ssh tunneling to encrypt login + data:
ssh -L 5901:remotehost:5901 remotehost
vncviewer localhost:1
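As an added check (not part of the original slides): once the viewer goes through the ssh tunnel, the VNC server itself should listen on loopback only, otherwise display :1 stays reachable unencrypted on port 5901 from any host. The script below scans netstat -tln style listener lines for VNC display ports bound to a non-loopback address; the sample lines are constructed and the parsing is an assumption about that output format, not RealVNC's own tooling.

```shell
#!/bin/sh
# Added example, not from the CIT 470 slides.  The slide tunnels the viewer
# over ssh, but the VNC server itself must also listen on loopback only;
# otherwise display :1 is still reachable unencrypted on port 5901.  This
# check scans netstat -tln style output for VNC display ports that are bound
# to a non-loopback address.  The listener lines below are constructed.

# VNC display :N listens on TCP port 5900+N (so unix3:1 on the slides is 5901).
vnc_port() {
    echo $((5900 + $1))
}

# Reads netstat -tln style lines on stdin (column 4 is the local address) and
# prints "display:N address" for every VNC port that is exposed beyond
# 127.0.0.1 or ::1.  Exit status 1 if anything is exposed, 0 otherwise.
check_vnc_exposure() {
    awk '
        $1 ~ /^tcp/ {
            n = split($4, a, ":")
            port = a[n] + 0
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (port >= 5900 && port <= 5999 && addr != "127.0.0.1" && addr != "::1") {
                printf "display:%d %s\n", port - 5900, addr
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: :1 is tunnel-only (loopback), :2 and :3 are exposed.
sample_listeners() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5902            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::5903                 :::*                    LISTEN
EOF
}

# Run against the sample; on a real host pipe `netstat -tln` in instead.
sample_listeners | check_vnc_exposure || echo "VNC display(s) reachable without the tunnel"
```

With the sample above the check reports display :2 on 0.0.0.0 and display :3 on :: and exits 1, while a host whose only VNC listener is 127.0.0.1:5901 passes.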
Slide #16
Tunneling
Tunneling: Encapsulation of one network protocol in another protocol
– Carrier Protocol: protocol used by the network through which the information is travelling
– Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data
– Passenger Protocol: protocol that carries the original data
Slide #17
ssh Tunneling
SSH can tunnel TCP connections
– Carrier Protocol: IP
– Encapsulating Protocol: ssh
– Passenger Protocol: TCP on a specific port
POP-3 forwarding
ssh -L 110:pop3host:110 -l user pop3host
– Uses ssh to login to pop3host as user
– Creates a tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
– User configures the mail client to use localhost as the POP3 server, then proceeds as normal
Slide #18
NX
Advantages over VNC:
Speed: fast enough to use over dialup.
Built-in ssh encryption.
Disadvantages
Immature code; hard to install + set up.
GPL client/server for Linux only.
Free Windows client; commercial server.
Slide #19