ssh and xauth

This page discusses several unix commands involved in security

ssh

The unix command ssh is a replacement for rlogin that provides better security and other nice features. It encrypts everything it carries, tunnels the X traffic of X clients started in an ssh session through that encrypted connection (compressing it on request), and also takes care of setting the DISPLAY environment variable and handling X authentication. Thus running X clients on one machine and displaying them on another becomes much easier.

All users should stop using rlogin (or the related command remsh) and start using ssh instead.

To use ssh you first have to make an ssh key pair by running the command ssh-keygen. It writes the private key to ~/.ssh/identity and the public key to ~/.ssh/identity.pub, and asks for a "passphrase" that protects the private key; unlike a regular unix password it can be a lot longer than 8 characters. When you do a remote login with ssh you type this ssh passphrase instead of your regular unix password. You still use your regular unix password to log in to a workstation at the console. Never copy the private key anywhere; only identity.pub is meant to be given out.

After you have successfully created the key pair, the public half will be in the file

  ~/.ssh/identity.pub
You also want to copy it to the file "authorized_keys" in the same directory
  cp ~/.ssh/identity.pub ~/.ssh/authorized_keys
(if authorized_keys already exists, append to it instead of copying over it, or you will wipe out the keys already in it). This one copy lets you log into any of our HP workstations from any other of our HP workstations using ssh, because they share your home directory; ssh asks for your ssh passphrase (or nothing at all if you run ssh-agent) instead of your unix password. On a machine that has its own home directory, append identity.pub to ~/.ssh/authorized_keys there.

Now to do a remote login just say, for example,

  ssh minnehaha
The first time you do this, ssh will say
  Host key not found from the list of known hosts.
  Are you sure you want to continue connecting (yes/no)? 
Type "yes" (not just "y") and you will be logged in. ssh then records that machine's host key in ~/.ssh/known_hosts, so the message will not appear in subsequent logins to the same machine; it will appear once for each different machine. If ssh instead warns that the host identification of a machine you have used before has changed, do not answer yes: either the machine was reinstalled or someone is impersonating it, so check with the system administrators first.

To run an X windows program across the network, just invoke the program on the remote host. It just works, without setting the DISPLAY environment variable on the remote host or invoking xhost on the local host: ssh sets DISPLAY on the remote host to a proxy display it creates there and carries the connection back to your screen through the encrypted session.

scp

All users should also stop using the rcp (remote copy) command. There is a replacement in the ssh family called scp; it works just like rcp but with ssh authentication and with the data encrypted in transit. If you can do a remote login with ssh, then you can also do a remote copy with scp, and with the same passphrase (or none, with ssh-agent).

xhost

All users should also stop using the xhost command.

We are now running so-called "xauth" authentication, which allows only the user logged in at the console (more precisely, anyone holding the secret cookie stored in that user's ~/.Xauthority file) to run X client programs that talk to the X server controlling the screen. The former system, so-called "xhost" authentication, allows any user logged into a listed machine to make such connections, see anything you do on the screen, and read what you type.

You can tell if the computer is using only xauth authentication by issuing the command xhost with no arguments. It should say

  access control enabled, only authorized clients can connect
If instead it says
  access control enabled, only authorized clients can connect
  localhost
  minnehaha.stat.umn.edu
or says anything else after the first line, you are wide open to any user of the listed machines (and listing localhost means every user of your own machine) who wants to spy on you. Either you have done an xhost command with arguments or some "helpful" program has done it for you. Issuing the commands
  xhost -localhost
  xhost -minnehaha.stat.umn.edu
(appropriately changed to match the output of xhost) will shut that door.

If after doing that you can no longer create X windows, log out, then restart the X server using the "Restart Server" choice on the "Options" menu. Occasionally, after doing this, the first login you try fails. Try several times before complaining to the system administrators. When you have logged in, X should work properly.
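The check above can be scripted. The following is an added example, not part of the original page: it reads the output of xhost and prints the xhost commands that close every hole it reports. It goes slightly beyond the text in one respect: if the first line reads "access control disabled, clients can connect from any host", someone ran xhost + and the server accepts connections from anywhere, and xhost - (with no host name) is what turns access control back on. The host names in the sample input are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit `xhost` output and
# print the commands that revoke everything it reports.
# Usage:  xhost | xhost_revoke_cmds | sh

# Read `xhost` output on stdin; print one "xhost -NAME" line per entry
# found after the status line.  If access control is disabled outright
# (someone ran "xhost +"), print "xhost -" first to turn it back on; the
# entries are still listed individually because "xhost -" alone does not
# empty the host list.
xhost_revoke_cmds() {
    first=1
    while IFS= read -r line; do
        if [ "$first" = 1 ]; then
            first=0
            case "$line" in
                "access control disabled"*) echo "xhost -" ;;
            esac
            continue
        fi
        [ -n "$line" ] || continue
        # Newer xhost prints entries as "INET:host"; "xhost -INET:host"
        # is accepted in that form, so the line is used verbatim.
        echo "xhost -$line"
    done
}

# Exit status 0 when the output shows access control enabled and no host
# entries at all, 1 otherwise.  Usage:  xhost | xhost_is_locked_down
xhost_is_locked_down() {
    [ -z "$(xhost_revoke_cmds)" ]
}

# Constructed sample of what a wide-open server reports (not a real host
# list); run it through the audit to see the commands it would issue.
sample_xhost_output() {
    printf 'access control enabled, only authorized clients can connect\n'
    printf 'localhost\n'
    printf 'minnehaha.stat.umn.edu\n'
}

if [ "${1:-}" = "--demo" ]; then
    sample_xhost_output | xhost_revoke_cmds
fi
```

Piping the result into sh, as in the usage line, applies the revocations at once; run xhost again afterwards and confirm that only the status line remains.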

xauth

If you use ssh, then you don't need to know anything about xauth. It just works.

If you must use rlogin, because you are going to a remote host that doesn't have ssh installed, then you need a trick, which this section explains.

To do a remote login, say to a machine blurfle.foo.bar.edu, to which you can log in using rlogin without a password (because of an .rhosts file on the remote machine), the following sequence of commands

  minnehaha% xauth.propagate blurfle.foo.bar.edu
  minnehaha% rlogin blurfle.foo.bar.edu
  blurfle% setenv DISPLAY minnehaha.stat.umn.edu:0.0
  blurfle% xterm &
creates an X client running on the remote machine displaying on the local machine. Note that rlogin sends the X cookie, like everything else it carries, across the network in the clear, so anyone who can sniff that connection can afterwards connect to your display just as the remote xterm does.
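The page does not show what xauth.propagate does, so the following is an added example of the standard way to do the same job with nothing but the xauth program; it is an assumption about the helper's behaviour, not its source. The address family of each cookie record is rewritten to ffff (FamilyWild) so that the cookie is accepted for the display name the remote client will use rather than only for the local socket it was issued for, and the record is merged into ~/.Xauthority on the remote machine over rsh. The sample nlist record in the test is constructed for the example; the host name is taken from the page.

```shell
#!/bin/sh
# Added example (not the page's xauth.propagate script): propagate the
# local X cookie to a remote host using only standard xauth commands.
# Usage:  propagate_cookie blurfle.foo.bar.edu
# The cookie travels over rsh in the clear, exactly as the page warns.

# Rewrite the address family field (the first four hex digits) of each
# `xauth nlist` record to ffff, i.e. FamilyWild, so the cookie matches
# any display name.  A record looks like
#   0100 0009 6d696e6e6568616861 0001 30 0012 4d49542d... 0010 <cookie>
# where 0100 is the local-socket family and 0000 the internet family.
wildcard_family() {
    sed -e 's/^..../ffff/'
}

# DISPLAY value the remote client must use: the local host name plus the
# display/screen part of the local DISPLAY, so that ":0.0" or "unix:0.0"
# on minnehaha becomes "minnehaha.stat.umn.edu:0.0".
remote_display() {
    local_host=$1
    local_display=$2
    echo "$local_host:${local_display#*:}"
}

# Merge the cookie for $DISPLAY into the remote ~/.Xauthority and print
# the setenv line to run after logging in there.  Assumes `hostname`
# returns the fully qualified name the remote host can resolve.
propagate_cookie() {
    remote=$1
    [ -n "$DISPLAY" ] || { echo "DISPLAY is not set" >&2; return 1; }
    xauth nlist "$DISPLAY" | wildcard_family | rsh "$remote" xauth nmerge -
    echo "setenv DISPLAY $(remote_display "$(hostname)" "$DISPLAY")"
}
```

After propagate_cookie has run, rlogin to the remote host, set DISPLAY as printed, and start the client; if the cookie was already merged once, nmerge simply replaces it, so the command is safe to repeat after the X server (and hence the cookie) changes.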

Of course this is only an example. In practice you will have to

If worst comes to worst, you can always use "xhost" authentication, but don't complain if you then have a security problem.


Author: Charles Geyer (charlie@stat.umn.edu). Comments or corrections gratefully accepted.