Starting Remote X Applications at CERN

Introduction

This page explains how to start remote X applications (also called X clients) easily and securely. This is the recommended way to run all remote X applications and is the required method for running off-site X applications which need to be displayed at CERN. (CERN firewall protection was implemented on 4 November 2003 following a number of incidents).

Most desktop computers do or can run an X server. This is true for X terminals, UNIX workstations and Windows PCs with an X emulator such as Exceed. When your desktop computer runs an X server you often need to start remote X applications, i.e. applications not running on your desktop but with the windows displayed on your screen. In some cases this is transparent for you because XDM (the X Display Manager) takes care of the details. In other cases some manual intervention is needed.

Displaying X applications on NICE2000 PCs

If you are using NICE2000 (and don't require XDM), we recommend that you encrypt your X sessions using ssh. The following initial setup is required:

  • If PuTTY is not available from the Start -> Programs menu then install the PuTTY ssh client.
  • Protect your X server from unintended accesses: from the Start menu select Programs -> Hummingbird -> Exceed -> X Config -> Security. In the Host Access Control List, select "Enabled (no host access)".

To encrypt your X sessions inside ssh do the following:

  • Start the Exceed X Server: Start -> Programs -> Hummingbird -> Exceed -> Exceed
  • Start PuTTY (Start -> Programs -> PuTTY -> PuTTY) and enter the Host Name of the system on which you want to run your remote applications. Ensure that the SSH protocol is selected (port 22). This will start an ssh connection to your remote system.
  • Start your applications on the remote system. Your DISPLAY will be encrypted inside your ssh connection and sent to your NICE2000 PC.

Displaying X applications on NICE PCs and X Terminals

If you are using an X Terminal or a NICE PC, you can log in to a UNIX server (such as LXPLUS) using XDM (the X Display Manager) and then display your applications using ssh or mxconns as described below. Ssh will encrypt your sessions and is the preferred method.

Displaying X applications on UNIX systems

You can display remote X applications on your UNIX system using ssh or mxconns as described below. Ssh will encrypt your sessions and is the preferred method. 

Encrypting X applications using ssh

The recommended way to start a remote X client is to use ssh with its X11 forwarding feature enabled (this is the default at CERN). You can either start an interactive session with ssh and start an X client (by simply typing the command name) or directly start the remote command with:

    ssh [-l <remote-user-name>] <remote-machine> <command> [<arguments>]

E.g.
    ssh lxplus001 xload
    ssh -l root myserver xterm -ls

See the ssh man page or http://cern.ch/security/ssh for more information.

Displaying X applications using mxconns

If you cannot use ssh, you can use mxconns, which is available on all standard UNIX machines (through ASIS). Mxconns cannot encrypt, but it will protect your X sessions from other intrusions, such as an intruder reading your keyboard.

The easiest solution is to start mxconns through the HEPiX X11 scripts (by setting "HX_START_MXCONNS=yes" in your ~/.hepix/xprofile). This will take effect the next time you log in and will set the environment variable XDISPLAY.

If you start it by hand, you should use:
 
    setenv XDISPLAY `mxconns -fork -hunt -verbose` 

Once connected to the remote machine (via ssh, telnet, rlogin...), you should set the DISPLAY variable on the remote machine to the value of XDISPLAY on the machine where mxconns runs. For instance:
 
    setenv DISPLAY lxplus002.cern.ch:9 

You can then start your remote X client.

Note: the preceding commands assume that you are using tcsh. If you are using the Bourne shell then the command is:
 
    DISPLAY=<whatever>; export DISPLAY 
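As an added example (not one of the CERN or HEPiX scripts), the following POSIX sh helpers validate a DISPLAY value of the form used in this page, distinguish a DISPLAY assigned by sshd's X11 forwarding from one that points straight at another host (the mxconns case, where the traffic is not encrypted), and print the tcsh or Bourne-shell command that sets DISPLAY on the remote machine. The localhost:10 convention is sshd's default (X11DisplayOffset) and is assumed here, not stated by the page.

```shell
#!/bin/sh
# Added example (not a CERN script): helpers for the DISPLAY conventions above.
# A DISPLAY value has the form [host]:display[.screen], e.g. lxplus002.cern.ch:9
# (mxconns on lxplus002) or localhost:10.0 (what sshd sets inside an X11-forwarding session).

# Return 0 when $1 matches [host]:N[.M], 1 otherwise.
valid_display() {
    case "$1" in *:*) ;; *) return 1 ;; esac
    vd_host=${1%%:*}
    vd_rest=${1#*:}
    vd_num=${vd_rest%%.*}
    vd_screen=${vd_rest#"$vd_num"}; vd_screen=${vd_screen#.}
    case "$vd_num" in ''|*[!0-9]*) return 1 ;; esac
    case "$vd_screen" in *[!0-9]*) return 1 ;; esac
    case "$vd_host" in *[!A-Za-z0-9.-]*) return 1 ;; esac
    return 0
}

display_host()   { printf '%s\n' "${1%%:*}"; }          # "" means a local Unix socket
display_number() { d=${1#*:}; printf '%s\n' "${d%%.*}"; }

# Heuristic: a DISPLAY of localhost:N with N >= 10 is what sshd assigns for a
# forwarded connection (X11DisplayOffset defaults to 10). A DISPLAY naming a
# real host means the X traffic leaves the machine unencrypted (the mxconns case).
is_ssh_forwarded() {
    valid_display "$1" || return 1
    case "$(display_host "$1")" in
        localhost|127.0.0.1) [ "$(display_number "$1")" -ge 10 ] ;;
        *) return 1 ;;
    esac
}

# Print the command that sets DISPLAY on the remote machine for the given shell,
# mirroring the tcsh and Bourne-shell forms quoted in the text.
set_display_cmd() {
    valid_display "$2" || return 1
    case "$1" in
        tcsh|csh) printf 'setenv DISPLAY %s\n' "$2" ;;
        sh|bash|ksh|zsh) printf 'DISPLAY=%s; export DISPLAY\n' "$2" ;;
        *) return 1 ;;
    esac
}

# Usage: sh display-helpers.sh lxplus002.cern.ch:9
if [ $# -gt 0 ]; then
    if is_ssh_forwarded "$1"; then echo "$1: tunnelled through ssh"; else echo "$1: direct (unencrypted) X connection"; fi
    set_display_cmd tcsh "$1"; set_display_cmd sh "$1"
fi
```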

See the mxconns man page or http://cern.ch/mxconns for more information.


Computer Security
updated 4 November 2003