The unix command ssh is a replacement for rlogin that provides better security and other nice features. It compresses X windows traffic for X clients started in an ssh session and also takes care of setting the DISPLAY environment variable and handling X authentication. Thus running X windows clients from one machine to another becomes much easier.
All users should stop using rlogin (or the related command remsh) and start using ssh instead.
To use ssh you first have to make an ssh key by running the command ssh-keygen. This program will ask for a "passphrase", which unlike a regular unix password can be a lot longer than 8 characters. You use this ssh passphrase instead of your regular unix password when doing remote logins with ssh. You still use your regular unix password to log in to a workstation at the console.
After you have successfully created an ssh key, it will be in the file
    ~/.ssh/identity.pub
You also want to copy it to the file "authorized_keys" in the same directory
    cp ~/.ssh/identity.pub ~/.ssh/authorized_keys
This will allow you to log into any of our HP workstations from any other of our HP workstations using ssh without typing your ssh passphrase.
Now to do a remote login just say, for example,
    ssh minnehaha
The first time you do this, ssh will say
    Host key not found from the list of known hosts.
    Are you sure you want to continue connecting (yes/no)?
Type "yes" (not just "y") and you will be logged in. This message will not appear in subsequent logins to the same machine. It will appear once for each different machine.
To run an X windows program across the network, just invoke the program on the remote host. It just works without setting the DISPLAY environment variable on the remote host or invoking xhost on the local host.
All users should also stop using the rcp (remote copy) command. There is a replacement in the ssh family called scp; it works just like rcp but with ssh authentication. If you can do a remote login without typing your passphrase with ssh, then you can also do a remote copy with scp.
All users should also stop using the xhost command.
We are now running so-called "xauth" authentication, which allows only the user logged in at the console to make X client programs that talk to the X server controlling the screen. The former system, so-called "xhost" authentication, allows any user logged into the machine to make such connections and see anything you do on the computer.
You can tell if the computer is using only xauth authentication by issuing the command xhost with no arguments. It should say
    access control enabled, only authorized clients can connect
If instead it says
    access control enabled, only authorized clients can connect
    localhost
    minnehaha.stat.umn.edu
or says anything else after the first line, you are wide open to anyone who wants to spy on you. Either you have done an xhost command with arguments or some "helpful" program has done it for you.
Issuing the commands
    xhost -localhost
    xhost -minnehaha.stat.umn.edu
(appropriately changed to match the output of xhost) will shut that door.
If after doing that you can no longer create X windows, log out, restart the X server using the "Restart Server" choice on the "Options" menu. Occasionally, after doing this, the first login you try fails. Try several times before complaining to the system administrators. When you have logged in, X should work properly.
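
The xhost check described above can be scripted. This is an added example, not part of the original page: a POSIX sh function (the name xhost_audit and the sample text are constructed here) that reads the output of xhost with no arguments and prints the removal command for every entry after the first line. It also covers the "access control disabled" first line that xhost prints when access control is off entirely, a case the page does not discuss.

```shell
#!/bin/sh
# Added example (not from the original page): audit the output of `xhost`.
# Reads `xhost` output on stdin and prints one removal command per entry
# listed after the first line.
# Return status: 0 = only xauth clients can connect, 1 = something is open.
xhost_audit() {
    open=0
    first=1
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$first" -eq 1 ]; then
            first=0
            case $line in
                "access control enabled"*) ;;
                *)  # e.g. "access control disabled, clients can connect
                    # from any host"; `xhost -` turns access control on.
                    echo "xhost -"
                    open=1 ;;
            esac
            continue
        fi
        # Skip blank lines; every other line is an allowed host entry.
        [ -n "$line" ] || continue
        echo "xhost -$line"
        open=1
    done
    return "$open"
}

# Constructed sample matching the bad output shown on this page.
sample_open='access control enabled, only authorized clients can connect
localhost
minnehaha.stat.umn.edu'

# Usage on a live display:   xhost | xhost_audit
# Usage on the sample:       printf '%s\n' "$sample_open" | xhost_audit
```

The function only prints the commands; review them and run them yourself.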
If you use ssh, then you don't need to know anything about xauth. It just works.
If you must use rlogin, because you are going to a remote host that doesn't have ssh installed, then you need a trick, which this section explains.
To do a remote login, say to a machine blurfle.foo.bar.edu, to which you can log in using rlogin without a password (because of an .rhosts file on the remote machine), you use the following sequence of commands
    minnehaha% xauth.propagate blurfle.foo.bar.edu
    minnehaha% rlogin blurfle.foo.bar.edu
    blurfle% setenv DISPLAY minnehaha.stat.umn.edu:0.0
    blurfle% xterm &
This creates an X client running on the remote machine displaying on the local machine.
Of course this is only an example. In practice you will have to
- change blurfle.foo.bar.edu in the example, to the actual remote host.
- change minnehaha.stat.umn.edu in the example, to the actual local host.
- change how you set the DISPLAY environment variable if you are not using csh or tcsh as your shell on the remote host.
- change xterm in the example, to the actual program you want to run.
- change the rlogin command appropriately. For example, if your username on the remote host is wumpus and is different from your username on the local host, the first two lines of the example become
    minnehaha% xauth.propagate blurfle.foo.bar.edu -l wumpus
    minnehaha% rlogin blurfle.foo.bar.edu -l wumpus
If you cannot use rlogin at all and must use telnet, for example, to get to the remote host, then you cannot use xauth.propagate. You will have to read this shell script, see how it works, and accomplish the same thing using telnet (or whatever).
If worst comes to worst, you can always use "xhost" authentication, but don't complain if you then have a security problem.