Using eXceed securely from the PWF

The eXceed X server which runs on Windows NT provides no protection for clients connecting to it: X sessions run via eXceed to some other machine (e.g. one of the thor cluster) are insecure, and any passwords or other data sent down them may be sniffed, or the sessions themselves may be compromised by malicious clients and access gained directly.

Worse, any consequent logins from thor to third-party machines will also be insecure - the password can be sniffed as it goes down the wire between Cockroft 4 and thor.

However, help is available: the Windows port of ssh made available by Gordon Chaffee, which you can get via his Windows info page or from /usr/groups/origami/downloads/ssh-1.2.14-win32bin.zip, allows X port forwarding (and so may PuTTY by now).

To get X port forwarding: start eXceed, and make sure that connections from localhost are allowed: tools -> configuration -> security -> host access control list -> file, edit the file and insert 'localhost' on a line by itself.

Now do tools -> configuration -> communication and set passive mode, so you won't be bothered by a chooser menu.

Now start a DOS box, and do:

SET HOME=F:\\
SET DISPLAY=pc413.cl.pwf.cam.ac.uk:0.0
ssh <machine name>

substituting the name of your PC in the appropriate place.

When you get to the remote machine, you can start running X clients. You can check that unencrypted connections aren't allowed by doing something like:

xterm -display pc412.pwf.cl.cam.ac.uk:0.0

This should fail.
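The same check can be scripted without an X client. The following is an added example, not part of the original page or of eXceed or ssh: run on the remote machine, it sends an X11 connection-setup request with no authorization straight to the PC's X port and reports whether the server accepted it. It assumes Python 3 is available there; the default host name is a constructed placeholder.

```python
"""Check from the remote host that the PC's X server refuses direct TCP clients."""
import socket
import struct
import sys

X_BASE_PORT = 6000  # X display :N listens on TCP port 6000+N


def parse_display(display):
    """Split 'host:N.S' into (host, N); the screen number is ignored."""
    host, _, rest = display.rpartition(":")
    if not host or not rest:
        raise ValueError("expected host:display[.screen], got %r" % display)
    return host, int(rest.split(".")[0])


def setup_request():
    """X11 setup request: little-endian, protocol 11.0, no authorization data."""
    return struct.pack("<BxHHHHxx", ord("l"), 11, 0, 0, 0)


def classify(reply):
    """Interpret the first byte of the server's connection-setup reply."""
    if not reply:
        return "REJECTED"  # server closed the socket without answering
    return {0: "REJECTED", 1: "OPEN", 2: "AUTH-REQUIRED"}.get(reply[0], "UNKNOWN")


def probe(host, port, timeout=5.0):
    """Connect directly (no ssh tunnel) and classify the server's answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(setup_request())
            return classify(s.recv(8))
    except OSError:
        return "UNREACHABLE"  # refused, reset, filtered or name not found


if __name__ == "__main__":
    # Constructed placeholder; substitute the name of your own PC.
    target = sys.argv[1] if len(sys.argv) > 1 else "pc-example.invalid:0.0"
    host, num = parse_display(target)
    verdict = probe(host, X_BASE_PORT + num)
    print("%s -> %s" % (target, verdict))
    sys.exit(1 if verdict == "OPEN" else 0)  # OPEN means the ACL is not working
```

A verdict of OPEN means the host access control list is not restricting connections to localhost, and clients can still reach the display unencrypted.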

Warning: ssh 1.2.14, which is the ssh I tell you to use, has a couple of fatal security flaws. One day, I'll get around to updating Gordon's port, but until then, be warned that this only makes your session kind of secure enough, not actually secure.


Richard Watts <Richard.Watts@cl.cam.ac.uk>
Last modified: Mon Feb 14 15:00:19 GMT 2000