A UMTF subgroup has been set up to address the issue of connectivity between computers. Our first aim is to find a recommended way for people to work between Unix machines both inside and outside of CERN. In the longer term, our aim is to find or provide a few convenient and secure tools to facilitate this access.
Unix provides two tools to start interactive remote sessions (`login') on another machine:
If you have an X-terminal or workstation, telnet may not be sufficient as you will probably want to run X programs on the remote machine. Before addressing this issue, it is important to understand the different ways you can permit such programs to access your X display:
There are three recommended ways you can authorise clients to connect to your X display:
This is a poorly secured method: it trusts every user on each host you authorise. It is not recommended when the hostname is a public machine (e.g. cernsp, hpplus).
This is a recommended way to secure your X display and is enabled on all work group servers and PLUS machines. It authorises only those programs which know a secret key (the `cookie'). Normally this key is stored in your home directory, making this method easy to use between machines sharing the same home directories (e.g. AFS machines) but more difficult to use in other cases.
This is the other recommended way to secure your X display. mxconns is a program which creates a virtual display for you and acts as a `gatekeeper'. When anyone tries to connect to this virtual display, it pops up a message on your real display saying a connection is being attempted from a node (which it names), and asking if you will allow the connection. You can then allow the connection, after which the program can create windows on your real display, or you can deny it. mxconns will not produce such a dialogue box if you start a window locally yourself. In addition, the body of the mxconns window shows the nodes that are accessing your display through mxconns and can be used to close connections.
To start mxconns issue the command:
mxconns -hunt -verbose &
Be warned that some programs (x3270-guess, ghostview and others) access your display more than once, prompting several dialogue boxes from mxconns.
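The first of the three methods above is the one to check for on your own workstation. The following script is an added example and is not code from the original article: it reads the output of the xhost command, classifies the state of host-based access control, and prints the xhost commands that return the display to cookie or mxconns-only access (`xhost -` re-enables access control; `xhost -host` removes a trusted host). The sample xhost output and the host names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article: audit the host-based
# X access list that `xhost` reports, classify it, and emit the `xhost`
# commands that move the display back to cookie/mxconns-only access.
# The sample output below is constructed; host names are placeholders.

# classify_xhost_output: reads `xhost` output on stdin and prints
#   OPEN      access control disabled: any client on any host may connect
#   HOSTLIST  access control enabled, but every user on the listed hosts
#             is trusted (the poorly secured method the article warns about)
#   CLOSED    access control enabled and no hosts listed: only clients
#             holding the cookie (or admitted via mxconns) can connect
classify_xhost_output() {
    state=CLOSED
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) state=OPEN ;;
            INET:*) if [ "$state" = CLOSED ]; then state=HOSTLIST; fi ;;
        esac
    done
    printf '%s\n' "$state"
}

# remediation_commands: reads the same `xhost` output and prints, one per
# line, the commands that close the hole: `xhost -` re-enables access
# control, `xhost -host` drops a trusted host.  Nothing is executed here;
# review the list, then run it on the machine that owns the display.
remediation_commands() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) printf 'xhost -\n' ;;
            INET:*) printf 'xhost -%s\n' "${line#INET:}" ;;
        esac
    done
}

# Constructed sample of what `xhost` prints on a display that trusts two
# public machines wholesale (names taken from the article's examples).
SAMPLE_XHOST_OUTPUT='access control enabled, only authorized clients can connect
INET:cernsp.cern.ch
INET:hpplus.cern.ch'

printf 'state: %s\n' "$(printf '%s\n' "$SAMPLE_XHOST_OUTPUT" | classify_xhost_output)"
printf 'to fix, run:\n'
printf '%s\n' "$SAMPLE_XHOST_OUTPUT" | remediation_commands
```

On a real workstation, replace the constructed sample with `xhost | classify_xhost_output` and `xhost | remediation_commands`; only INET: entries are handled, which is the host-based trust the article describes.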
For more information on X security please read the CERN security handbook:
mxconns -hunt -verbose &
Your virtual display name will be written on the screen and on the title bar of the small mxconns window which opens up. The body of the window will list nodes that are accessing your display through mxconns.
If you are using a window manager with several virtual desktops (such as fvwm or HP-VUE) you should make sure that mxconns always appears on your current desktop. This is the CERN default for fvwm (where mxconns has been defined as `sticky') but users of ctwm or HP-VUE will have to click the top left hand corner of the mxconns window and select the `occupy all desktops' menu option.
Parts of this procedure will soon be simplified or automated but the above steps should work reliably now.
Instead of starting an interactive session on a machine, you may just want to issue a simple command on that machine. Most Unix vendors provide a command for this, called either rsh or remsh. For example, to find out who is using a machine you can type
rsh machine who
However, this command suffers from similar problems to rlogin (see above) and in addition, cannot accept a password. As a result it does not work in many cases.
An extension of rsh called xrsh can be used to start programs which use X. It automatically sets the correct DISPLAY variable and handles the X authentication. For instance to start a remote xclock from another machine try:
xrsh machine xclock &
N.B. If xrsh works, it also provides a powerful way of starting an interactive session. Just type:
xrsh machine xterm &
for short and you have started an interactive session with both the security and the DISPLAY variable set correctly! Unfortunately, since xrsh relies on rsh, it often will not work.
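To make concrete what xrsh does for you, here is an added example; it is not code from the original article and not xrsh's own source. It reproduces the two steps the text attributes to xrsh: rewriting a local display name such as `:0` into one the remote machine can reach, and passing the MIT-MAGIC-COOKIE across with `xauth nlist` / `xauth nmerge` so the remote client is authorised without touching xhost. The `sed` step replaces the address family in the numeric cookie record with ffff (the wildcard family), so the entry matches whichever transport the remote client uses. The function only builds the command line and prints it; the host and workstation names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article and not xrsh's own
# source: it reproduces the two things the article says xrsh does when
# starting an X program through rsh, namely deriving a DISPLAY name that
# is valid on the remote machine and handing over the MIT-MAGIC-COOKIE so
# the remote client is authorised without `xhost`.  Nothing is executed
# against a real host; the functions only build the command line.

# remote_display LOCAL_DISPLAY LOCAL_HOSTNAME
# A display such as ":0" or "unix:0" names a local socket and means nothing
# on the remote side; rewrite it as "host:0".  Displays that already carry
# a host name are returned unchanged.
remote_display() {
    d=$1; h=$2
    case "$d" in
        :*)      printf '%s%s\n' "$h" "$d" ;;
        unix:*)  printf '%s:%s\n' "$h" "${d#unix:}" ;;
        *)       printf '%s\n' "$d" ;;
    esac
}

# build_xrsh_command HOST CMD LOCAL_DISPLAY LOCAL_HOSTNAME
# Prints the pipeline you would run: the cookie for the local display is
# listed in numeric form with `xauth nlist`, its family field (first four
# hex digits) is replaced by ffff (FamilyWild) so it matches any address
# family, the record is merged on the far side with `xauth nmerge -`, and
# CMD is then started with DISPLAY pointing back at this machine.  Use
# remsh in place of rsh where the vendor calls it that; as the article
# notes, rsh cannot prompt for a password, so the usual rsh trust must
# already be in place for this to work.
build_xrsh_command() {
    host=$1; cmd=$2; ldisp=$3; lhost=$4
    rdisp=$(remote_display "$ldisp" "$lhost")
    printf "xauth nlist '%s' | sed -e 's/^..../ffff/' | rsh %s \"xauth nmerge - ; DISPLAY='%s' %s\"\n" \
        "$ldisp" "$host" "$rdisp" "$cmd"
}

# Constructed sample values (placeholders, not real machines).
LOCAL_HOST=myws.cern.ch
build_xrsh_command somehost.cern.ch xclock ":0" "$LOCAL_HOST"
```

In real use you would pass `"$DISPLAY"` and `"$(hostname)"` as the last two arguments and run the printed pipeline (with a trailing `&` to background it, as in the article's xrsh examples). The same pattern is what makes `xrsh machine xterm &` start a correctly authorised interactive session.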
We realise that the current situation is not satisfactory but it is all that is available with current tools. We are now working on more satisfactory solutions. Ideally we would like to find or construct a set of simple commands that do not involve the user having to type his display name, that work from CERN and to CERN, and that work for dumb terminals and X terminals. As a secondary goal we would like to improve security by, for example, finding a tool which avoids the need for people to type their password across the Internet.
Although achieving these goals will not be easy we should certainly be able to improve on the current situation. Currently, solutions using ssh and arc are being considered and improvements will be announced as they become available.
If you wish to contribute or comment on this work please feel free to contact email@example.com.