KTH PDC [PDC - Center for Parallel Computers, KTH]
[Entrance to PDC]
[Information about PDC]
[News & Events]
[Computer resources]
*[User support]
[Training & Courses]
[Search the webmap]
[Links to far away]

Guided Tours: X

In this section you will information on how to improve your X security.


What is X security and where are the problems.

Let us assume that you want to use the X window system in a secure manner. You have to control access to your X display, because everyone who can connect to your display is able to read everything on your screen and to read every keystroke on your keyboard. With Netscape, there are easy means how to impersonate you by controlling your Netscape remotely. There are several means to control security on an X display:
  1. xhost [+|-] [hostname] allows everyone on that host to connect to your X display. Very bad and can only be used in single user environments. It has the additional drawback the IP-adresses can be faked.
  2. X-authority with type MIT-MAGIC-COOKIE-1 cookie. This is better, because it uses the secret in the cookie. However, there is no encryption of the cookie, so everyone who can wiretrap the transmission can impersonate you.
  3. Kerberos V authentification with X11R6. Unfortunately most vendors do not support that. It does only solve the authentification and not the encryption problem.
  4. PDC Kerberos IV travelkit with secure kx. Does authentificate and encrypt your X connection through unsecure channels.

How to use kx.

  1. Download the Kerberos travelkit. It contains the kauth, rxtelnet, telnet and kx programs needed.
  2. Secure X is supported between your workstation and all PDC computers. It is supported on most of NADAs computers, too.
  3. Check that you have closed all X access through xhost. Do a xhost -hostname until the xhost program returs that you are safe:
    > xhost 
      access control enabled, only authorized clients can connect
    (empty access list)

  4. Check that your DISPLAY environment variable to the display of your workstation i.e. ":0" or ":0.0". This is needed because the X-windows from remote computers will be opened through the kx program which will acess your local display directly. If you are the lucky owner of a two screen configuration, the other display may be named ":1.0" or ":0.1".
    > echo $DISPLAY
  5. If not, set your DISPLAY environment variable. If you use tcsh/csh:
    > setenv DISPLAY :0 
    If you use sh/ksh/bash:
    $ DISPLAY=:0 ; export DISPLAY 
  6. Get a ticket with kauth as described in the Kerberos travel kit usage guide.
  7. Run the rxtelnet script.
    > ./rxtelnet -l your-username-at-pdc strindberg.pdc.kth.se

    This script will open a window on your workstation with a connection to strindberg.pdc.kth.se. From that window, you might start X programs safely.
  8. The DISPLAY environment variable on strindberg will be set to a local Unix socket, for example :17 or a local port, for example localhost:17. (You might check with echo $DISPLAY).
  9. Check if you can run a simple X program like xclock:
    > echo $DISPLAY
     :17			# or any other number greater than 3
    > xclock &
    If a clock shows up on your display, everything is OK and you might use other X-programs (emacs, xterm) safely.

How does this kx thing work anyway?

The kx program uses a secure channel. This channel is established between the kx program on your workstation and the kxd on the remote computer. If you type a keysytoke on your keyboard in an xterm that is started from an rxtelnet, the following things happen:
Keystoke z on keyboard 
-> X-event "keystroke z" 
-> kx program on workstation's display :0 
-encryption-> Network 
-decryption-> kxd program on strindberg 
-> xterm program on strindberg generates X events to show "z" 
-> kxd program on strindberg's display :17
-encryption-> Network 
-decryption-> kx program on workstation
-> you see the "z" on your display.
This seems a lot of work just to display a single letter, but if the "z" is a part of your password, you'll appreciate it.
<-- back to guided tours