
Collaborative Computational Project Number 14

for Single Crystal and Powder Diffraction

CCP14

Server Security Information

Secure MS-Windows to UNIX machines based X-Sessions via Secure Shell Tunnelling

(Using Teraterm for Windows and MI/XServer v 5.6 as an example)

The CCP14 Homepage is at http://www.ccp14.ac.uk


What is the point of this?

The point of this is to be able to run X sessions routinely without sending things like passwords and usernames in a sniffable format. By default, an X session sends sniffable, unencrypted traffic to the various windows (including unencrypted information such as usernames and passwords when logging into remote servers or services). However, by tunnelling X sessions through secure shell, the usernames and passwords are encrypted via the secure shell port. Secure shell also uses compression, thus enabling the advantage of faster FTP transfers over the same link.

The following example is based around X sessions from a Windows machine to a UNIX machine for remote running of graphical UNIX programs. It is closely based on the excellent Christopher Spry tutorial on this subject.

With Teraterm, it can be easier to use X securely than to use other traditional methods insecurely!!


Relevant pages:


Install teraterm for Windows (easy to do and it runs via a setup program)

Install the TTSSH secure shell plugin for Teraterm (download the zip file and extract the files into the Teraterm directory).


Install an X server for Windows such as the MI/X Microimages X server (there is a Mac version as well). (The version from the UK mirror does not seem to have a 15-day warning timeout message?)

Download via: http://www.microimages.com/freestuf/mix/ | UK Download Mirror (you want file0001.bin and getme1st.exe). Extract the files in getme1st.exe and run the extracted installer.


This might be a good time to customise Teraterm and set the screen font, size, list of machines you commonly connect to, etc. to whatever makes you happy. Select Setup, Save setup to save these as the defaults (it is also possible to manually edit the teraterm.ini file in the Teraterm executable directory if you wish).

Customising Teraterm


Now to set up the port forwarding that allows X to go via the secure shell port.

Go into Setup, SSH Forwarding, where you should see the following window ready to have the relevant information inserted into it.

SSH Forwarding Window


To tell Teraterm that you want to use X forwarding, just tick the "Display remote X applications on local X server" option. That's it, as easy as it gets. Now make sure to save the Teraterm settings so they are retained, using Setup, Save setup from the Teraterm top main menu bar.

Clicking on the X port forwarding

Now if you run a Teraterm session, then run an X-server, all you have to do is type the command to run the X-program, and it will display on your local PC.


Log in to the UNIX computer that you wish to execute the X program from. Then run the MI/X Microimages X server (or other server you have installed)

Running the X-server

This will give you the following screen.


Now, in the Teraterm window, run an X program (such as the Platon crystallographic program). If you want to free up the terminal, put a "&" after the command (e.g., xterm &), but behaviour might be affected depending on whether the program sends output to the terminal that spawned it. (If you get a message that the program cannot display, it is most likely that you did not save the config to the Teraterm INI file.)

This will give you the following screen on running xterm &.

Running xterm and displaying on the X-server
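Before starting an X program, the DISPLAY value in the UNIX login shell shows whether X traffic will go through the secure shell tunnel or straight over the network unencrypted. The following is an added example, not part of the original page: the function name classify_display is hypothetical, the sample values are constructed, and it assumes the SSH server hands out loopback proxy displays numbered from 10 upward (the OpenSSH defaults X11UseLocalhost yes and X11DisplayOffset 10; other servers may differ).

```shell
#!/bin/sh
# Added example: classify a DISPLAY value as seen in the remote login shell.
# Assumption: sshd proxy displays live on the loopback interface and start
# at display number 10 (OpenSSH defaults); adjust for other SSH servers.
classify_display() {
    d=$1
    [ -n "$d" ] || { echo unset; return; }
    host=${d%:*}      # text before the last colon
    num=${d##*:}      # display[.screen] after the last colon
    num=${num%%.*}    # drop the optional .screen suffix
    case "$num" in
        ''|*[!0-9]*) echo malformed; return ;;
    esac
    case "$host" in
        ''|unix)
            echo local-socket ;;    # X server on this same machine
        localhost|127.0.0.1|::1)
            if [ "$num" -ge 10 ]; then
                echo ssh-tunnel     # sshd proxy display, carried inside SSH
            else
                echo local-tcp      # loopback, but not an sshd proxy display
            fi ;;
        *)
            echo direct-tcp ;;      # plain X11 to another host, sniffable
    esac
}

# Constructed sample values, followed by the live value from this shell.
for v in "localhost:10.0" ":0" "pc.example.org:0.0" "${DISPLAY:-}"; do
    printf '%-20s %s\n' "${v:-<empty>}" "$(classify_display "$v")"
done
```

A result of unset after logging in usually means X forwarding was not enabled (or not saved) in the client; direct-tcp means DISPLAY was set by hand and the session bypasses the tunnel.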


The following case shows the Platon crystallographic software by Ton Spek for UNIX being run (only the UNIX version has the System S option, and you can also access Quest for UNIX to use the Cambridge database, either by running quest directly or in a user-friendly manner via Platon).

It is best to run Platon from the teraterm command line, so you can easily swap between ASCII output and the X graphics screen.

Running platon and seeing the output in teraterm

When switching between a Windows application and the X session running Platon, it might put MMMMMM in the Platon command line. Just backspace over these. Not sure why these are happening. In the case of Platon, CONTROL L redraws the screen, and it does so with other crystallographic X applications.


Getting Secure X using Exceed X Server from Hummingbird

From: Mike Kurland
Newsgroups: comp.security.ssh
Subject: Re: SSH and Exceed Question
Date: Tue, 13 Jun 2000 00:51:07 GMT


Here is some guidance I got from Hummingbird which did the trick for me. FYI I am using SSH Secure Shell (from ssh.com).

******************************************************
The following information was taken from our Knowledge Base

General Guidelines For Running Exceed With Secure Shell

1. Exceed has to be set in Passive Communication mode.
2. X11 Forwarding has to be turned on, in the secure shell client.
3. SSH client must be on PC
4. SSH Demon must be running on the Host.

Detailed Explanation (What we have tested @ Hummingbird)

We have tried Exceed with Tera Term Pro v2.3 and DataFellows SSH server on a Linux box, which worked without any modification to the Exceed default settings. Here are the steps that were used in creating an X11 session through SSH using Tera Term:

1. Launch TTSSH.exe, you will see there is an additional SSH service in the TT dialog box.
2. Enter host name where your SSH server is and click OK, it will log you into the Unix host through SSH
3. Your prompt should look something like this: [user@host1]$
4. Start the Exceed X server
5. From the host, you can run any X applications and display on Exceed, for example: [user@host1]$ xterm, will display an Xterm.


EXTRA NOTES:

1. On the SSH Client, X11 Forwarding has to be turned on in order to secure X traffic through SSH. By default, this option is unchecked. For Tera Term, the option can be found under the Setup menu, "SSH Forwarding-X forwarding-Display remote X applications on local X server".
2. Exceed is set to Passive Communication mode, Xconfig/Communications (default)
3. Exceed is set to Multiple Window Mode, with Default to Native Window Manager, Xconfig/Screen Definition (default).
4. Under Exceed/Xconfig/Security, Host Access Control List should be set to Disabled (any host access) (default). Or, if you would like to restrict access to the Exceed Xserver, you can select File, edit the xhost.txt file with the IP address 127.0.0.1 which works the same as restricting access from other Unix machines, but will still allow the SSH traffic to display.
5. The SSH client must be installed on the PC with Exceed
6. The SSH Demon must be running on the Unix Machine.
7. The reason you should stay in Passive Mode (2), and Multiple Window Mode (3), is to minimize the amount of network traffic being sent along the SSH channel.

******************************************************



If you have any queries or comments, please feel free to contact the CCP14