Collaborative Computational Project Number 14
for Single Crystal and Powder Diffraction
Server Security Information
Secure MS-Windows to UNIX machines based X-Sessions via Secure Shell Tunnelling
(Using Teraterm for Windows and MI/XServer v 5.6 as an example)
The CCP14 Homepage is at http://www.ccp14.ac.uk
What the point of this?
The point of this is to be able to routinely run X sessions regularly
without putting out things like passwords and usernames in a sniffable format.
By default, X session uses sniffable unemcrypted to the various
windows (including unencrypted information such as
usernames and passwords when logging into remote servers or services).
However, by tunnelling X-sessions through secure-shell, the
username and passwords are encrypted via the secureshell port. Secure-shell also uses
compression thus enabling the advantage of faster FTP transfers over the same link.
The following example if based around X-sessions from a Windows machine to a
UNIX machine for remote running of graphical UNIX programs. It is closely based on
Christopher Spry tutorial on this subject.
With teraterm, it can be easier to be using X securely, than other traditional methods
Install an X-server for Windows such as the MI/X Microimages X server (there is a Mac version as well)
(the version from the UK mirror does not seem to have a 15day warning timeout message?)
Download via: http://www.microimages.com/freestuf/mix/ |
UK Download Mirror; (you want file0001.bin and
getme1st.exe) extract the files in getme1st.exe and run the extracted installer.
This might be a good time to customise teraterm and have the screen
font, size, list of machines you commonly connect to, etc that can make
you happy. Select setup, save setup to save these as the defaults.
(it is also possible to manually edit the teraterm.ini file in the
teraterm executable directory if you wish)
Now to setup the Port Forwarding that allows X to go
via the Secure Shell port.
Go into the Setup, SSH Forwarding whereby you should see
the following window ready to have the relevant information inserted
To tell teraterm that you want to use X forwarding, just click on the
Display remote X applications on local X server. That's it,
easy as it gets. Now make sure to save the teraterm settings so it is
retained - using the setup, save setup from the Teraterm top main menu bar.
Now if you run a Teraterm session, then run an X-server, all you have to do is
type the command to run the X-program, and it will display on your local PC.
Log in to the UNIX computer that you wish to execute the X program from.
Then run the MI/X Microimages X server (or other server you have installed)
This will give you the following screen.
Now, on the teraterm window run an X program (such as the platon crystallographic
program). If you want to free up the terminal put a "&" after the command - but
behaviour might be affected depending on if the program sends output to the terminal
screen spawning the program (e.g., xterm &). (If you get a message that the program
cannot display, it is most likely you did not save the config to the teraterm INI file.)
This will give you the following screen on running xterm &.
In the following case, running the Platon crystallographic software by Ton Spek for
UNIX (only the UNIX version has the System S option and you can also access
Quest for UNIX to use the Cambridge database - either running quest or
via a user friendly manner via Platon)
It is best to run Platon from the teraterm command line, so you can easily
swap between ASCII output and the X graphics screen.
When switching between a Windows application and X-session running platon, in might put
MMMMMM in the Platon command line. Just backpace on these. Not sure why these are
happening. In the case of Platon, CONTROL L redraws the screen and does with other
crystallographic X applications.
Getting Secure X using Exceed X Server from Hummingbird
From: Mike Kurland [firstname.lastname@example.org]
X-Mailer: Mozilla 4.6 [en] (Win95; I)
Subject: Re: SSH and Exceed Question
Date: Tue, 13 Jun 2000 00:51:07 GMT
Here is some guidance I got from Hummingbird which did the trick for
me. FYI I am using SSH Secure Shell (from ssh.com).
The following information was taken from our Knowledge Base
General Guidelines For Running Exceed With Secure Shell
1. Exceed has to be set in Passive Communication mode.
2. X11 Forwarding has to be turned on, in the secure shell client.
3. SSH client must be on PC
4. SSH Demon must be running on the Host.
Detailed Explanation (What we have tested @ Hummingbird)
We have tried Exceed with Tera Term Pro v2.3 and DataFellows SSH server
on a Linux box, which worked without any
modification to the Exceed default settings. Here are the steps that
were used in creating a X11 session through SSH
using Tera Term:
Launch TTSSH.exe, you will see there is an additional SSH service in the
TT dialog box.
Enter host name where your SSH server is and click OK, it will log you
into the Unix host through SSH
You prompt should look something like this: [user@host1]$
Start the Exceed X server
From the host, you can run any X applications and display on Exceed, for
example: [user@host1]$ xterm, will display a
On the SSH Client, X11 Forwarding has to be turned on in order to secure
X traffic through SSH. By default, this option is
unchecked. For Tera Term, the option can be found under the Setup menu,
"SSH Forwarding-X forwarding-Display remote
X applications on local X server".
Exceed is set to Passive Communication mode, Xconfig/Communications
Exceed is set to Multiple Window Mode, with Default to Native Window
Manager, Xconfig/Screen Definition (default).
Under Exceed/Xconfig/Security, Host Access Control List should be set to
Disabled (any host access) (default). Or, if you
would like to restrict access, to the Exceed Xserver, you can select
File, edit the xhost.txt file with the IP address
127.0.0.1 which works the same as restricting access from other Unix
machines, but will still allow the SSH traffic to
The SSH client must be installed on the PC with Exceed
The SSH Demon must be running on the Unix Machine.
The reason you should stay in Passive Mode (2), and Multiple Window Mode
(3), is to minimize the amount of network
traffic being sent along the SSH channel.