CERN Accelerating science

• Sign in
• Directory

This website is no longer maintained. Its content may be obsolete. Please visit http://home.cern/ for current CERN information.

Connecting between UNIX Machines

   

A UMTF subgroup has been setup to address the issue of connectivity between computers. Our first aim is to find a recommended way for people to work between Unix machines both inside and outside of CERN. In the longer term, our aim is to find or provide a few convenient and secure tools to facilitate this access.

Interactive remote session without X

Unix provides two tools to start interactive remote sessions (`login') on another machine:

• telnet the original remote login program, requires that you connect to the remote machine and then enter your username and password. In addition, telnet has the advantage that it included in most non-Unix TCP/IP packages.
• rlogin tries to improve on telnet. For example it allows you to specify that `this user' at `this node' is trusted and can login to your account without a password. Unfortunately there are at least two major problems with recommending rlogin:
  • It does not work well from non-AFS machines to AFS machines
  • It weakens security and thus is blocked by the CERN `firewall'. This means that it can not be used from machines outside CERN to machines inside CERN.
  For more details on rlogin or telnet the user is referred to the CERN Unix guide (section 5.2 http://consult.cern.ch/writeup/Unixguide).

We currently recommend the use of telnet.

Interactive remote session with X

If you have an X-terminal or workstation, telnet may not be sufficient as you will probably want to run X programs on the remote machine. Before addressing this issue, it is important to understand the different ways you can permit such programs to access your X display:

X authorisation

There are three recommended ways you can authorise clients to connect to your X display:

• xhost hostname

  A poorly secure method, this trusts any user on each host you authorise. It is not recommended when the hostname is a public machine (e.g. cernsp, hpplus).

• `magic cookie'

  This is a recommended way to secure your X display and is enabled on all work group server and PLUS machines. It authorises only those programs which know a secret key (the `cookie'). Normally this key is stored in your home directory making this method easy to use between machines sharing the same home directories (e.g. AFS machines) but more difficult to use in other cases.

• mxconns

  This is the other recommended way to secure your X display. mxconns is a program which creates a virtual display for you and acts as a `gatekeeper'. When anyone tries to connect to this virtual display, it pops up a message on your real display saying a connection is being attempted from a node (which it names), and asking if you will allow the connection. You can then allow the connection (which can then create windows on your real display); or else you can deny the connection. mxconns will not produce such a dialogue box if you start a window locally yourself. In addition, the body of the mxconns window shows nodes that are accessing your display through mxconns and can be used to close connections.

  To start mxconns issue the command:

  mxconns -hunt -verbose &

  Be warned that some programs (x3270-guess, ghostview and others) access your display more than once, prompting several dialogue boxes from mxconns.

mxconns has an additional advantage: it is secure and thus not blocked by the CERN firewall. Thus, it allows you to work on machines outside CERN using X-terminals inside CERN. We thus recommend that you use mxconns in conjunction with telnet.

For more information on X security please read the CERN security handbook:

http://consult.cern.ch/writeup/security

Steps to start an interactive remote session with X

1. If mxconns is not running, start it:

   mxconns -hunt -verbose &

   Your virtual display name will be written on the screen and on the title bar of the small mxconns window which opens up. The body of the window will list nodes that are accessing your display through mxconns.

   If you are using a window manager with several virtual desktops (such as fvwm or HP-VUE) you should make sure that mxconns always appears on your current desktop. This is the CERN default for fvwm (where mxconns has been defined as `sticky') but users of ctwm or HP-VUE will have to click the top left hand corner of the mxconns window and select the `occupy all desktops' menu option.

2. telnet to the remote machine.
3. Set the display on that machine to the name given in the mxconns window (but changing the form from machine:n to machine.cern.ch:n if you are connecting to a remote site). To set the display you
   • (in zsh) export DISPLAY=machine:n
   • (in tcsh) setenv DISPLAY machine:n

Parts of this procedure will soon be simplified or automated but the above steps should work reliably now.

Starting a remote client without X

Instead of starting an interactive session on a machine, you may just want to issue a simple command on that machine. Most Unix vendors provide a command that allows this facility called either rsh or remsh. For example to find out who is using a machine you can type

rsh machine who

However, this command suffers from similar problems to rlogin (see above) and in addition, cannot accept a password. As a result it does not work in many cases.

Starting a remote X client

An extension of rsh called xrsh can be used to start programs which use X. It automatically sets the correct DISPLAY variable and handles the X authentication. For instance to start a remote xclock from another machine try:

xrsh machine xclock &

N.B. If xrsh works it also provides a powerful way of starting an interactive session. Just type:

xrsh machine xterm &

or

xrsh machine

for short and you have started an interactive session with both the security and the DISPLAY variable set correctly! Unfortunately, since xrsh relies on rsh, it often will not work.

Conclusions

We realise that the current situation is not satisfactory but it is all that is available with current tools. We are now working on more satisfactory solutions. Ideally we would like to find or construct a set of simple commands that do not involve the user having to type his display name, that work from CERN and to CERN, and that work for dumb terminals and X terminals. As a secondary goal we would like to improve security by, for example, finding a tool which avoids the need for people to type their password across the Internet.

Although achieving these goals will not be easy we should certainly be able to improve on the current situation. Currently, solutions using ssh and arc are being considered and improvements will be announced as they become available.

If you wish to contribute or comment on this work please feel free to contact umtf-net@listbox.cern.ch.