Environment
Reflection Suite for X version 14.x
Situation
The Reflection X 14.x security features are not enabled by default. This technical note discusses the security options available to Reflection X 14.x (host security file, Kerberos, SSH, and XDM Authorization), and explains how to enable these features.
Reflection X can be configured to use a host access security file to control who can start X clients on the Reflection X Server. There are three available settings: Unrestricted access (the default), Host-based security, and User-based security.
Note: Starting in Reflection 11.0, Reflection security features (support for making secure connections using Kerberos, SSH, and XDM Authorization) are incorporated in the product.
Resolution
The Host Access Security File
By default, Reflection X host access security is disabled (unrestricted). This allows users to quickly and easily install and use Reflection X in a secure environment, without requiring users to know how to configure the security options. However, if Reflection is installed in a non-secure environment, the default security settings should be modified accordingly.
If the security settings are not configured and Reflection X is left in unrestricted security mode, an X client with nefarious intent could present a fake host logon screen to the X server, and capture the user's username and password information, or could make an invisible connection to the X server, and monitor X client/server interactions, such as keystrokes.
Follow the steps below to change the default Reflection X host access security file setting.
- Start Reflection X.
- In the Reflection X Manager, click Settings > Security.
- Select the Security mode you require (for further details, see the Reflection X online help).
Unrestricted: With this option (the default), no authorization is imposed on a client's attempt to connect to the local X server (Reflection X). Users not running in a completely trusted environment should configure Reflection X to use one of the other security mode options.
Host-Based: Host-based security uses a list of hosts (stored in a local file) to determine which clients can connect to the local X server (Reflection X). This method provides minimal security, and in a non-secure environment, is recommended only if user based security can not be implemented.
When Host-based security is selected, one of the following must be true in order for you to start an X client:
- You are starting a client that resides on the same host with which you established an XDMCP connection. (XDMCP does not use host-based security. Establishing and maintaining an XDMCP connection to the host temporarily configures Reflection X to allow clients on this host to connect to Reflection X.)
- You are connecting to a host that is defined in the xhosts.txt file, configurable from the Host access security file option in the Reflection X Security Settings dialog box.
- You are permitting an unauthorized client to run by selecting either the Connect as untrusted client or Prompt option in the "If client cannot be authorized" field.
User-Based: User-based security makes use of cookie technology (required for the X11R6.3 and later releases of the X protocol) to ensure that clients connecting to the X server were initiated by the current user of that X server. When you select User-based security as your Security mode, clients that can be verified as having been initiated by the current user are defined as authorized, and clients that cannot be so verified are defined as unauthorized. Authorized clients are allowed to run. Unauthorized clients will either run or not run, depending on the value of the "If client cannot be authorized" option.
A cookie remains in effect for as long as the client it is associated with is running. After the client closes, the cookie is deleted after an interval determined by the User authorization/Duration setting.
Note: A kind of user-based security can be achieved by copying the .XAuthority from a host to the User directory on the PC and renaming it RXAUTH. This way, all clients that have cookies in the .XAuthority file are allowed to run as trusted clients.
Kerberos
Kerberos is an authentication protocol that provides a highly reliable means of verifying that users are who they claim to be. With Kerberos, the administrator can assure authentication of Telnet connections (used to start X clients) between Reflection X and a network host. One of the key security features of Kerberos is that the user's password is never transmitted over the network. Passwords are used, but only to generate keys that are used for encryption and decryption of Kerberos tokens, called "tickets."
Note: Kerberos encrypts only the host login process and the X client startup commands but does not encrypt the data stream. For information on encrypting the Reflection X data stream, see Secure Shell.
To use Kerberized Telnet with Reflection X:
- In the Reflection X Manager, select KERBERIZED TELNET in the Method drop-down box.
- Click the Advanced button, and then click Configure Kerberos.
Kerberized Telnet does not secure XMDCP connections; however, the security of connections made with Reflection X using XDMCP can be improved by means of XDM-AUTHORIZATION-1. For further details regarding this topic, see XDM Authorization.
For further details on Kerberos, see Reflection X online help.
Secure Shell
For secure, encrypted communication between a trusted host and your PC over an insecure network, you can configure Reflection to use SSH. When you configure Reflection to use SSH, all connections between your PC and the remote host(s) are encrypted, protecting the data sent between these machines. Passwords are never sent over the network in a clear text format as they are when you use Telnet, FTP, rlogin, or rsh.
To use SSH with Reflection X, your host must be configured with SSH server support. Reflection supports both SSH1 and SSH2 protocols.
For further details, see the online help in Reflection.
XDM Authorization
XDM Authorization is an option for improving the security of connections made with Reflection X using XDMCP. When XDM Authorization support is not installed and configured, Reflection makes XDMCP connections using MIT-MAGIC-COOKIE-1 authorization. With magic cookie authorization, the authorization code is not encrypted. By installing and configuring Reflection XDM Authorization support, you can make XDMCP connections using XDM-AUTHORIZATION-1. This method is similar to MIT-MAGIC-COOKIE-1, but provides added security by encrypting the authorization code using DES (Data Encryption Standard) encryption. Although XDM-AUTHORIZATION-1 improves the security of the authorization process, it does not encrypt subsequent data sent over the connection.
Follow the steps below to configure Reflection X:
- Open Reflection X.
- In the Reflection X Manager, select the host's XDMCP connection file, or create a XDMCP connection file for the host.
- Click Settings > Security.
- Select "Enable XDM-AUTHORIZATION-1 method.” (This check box is dimmed if the XDM Authorization feature of Reflection Security Components is not installed.)
To configure your PC, set up an XDMCP connection to your host. On the Settings menu, click Security, and then click Enable XDM-AUTHORIZATION-1 method. (This check box is dimmed if the XDM Authorization feature of Reflection Security Components is not installed.)
Disable Remote TCP/IP Connections
In Reflection X version 10.0 or higher, you can further secure the system by configuring Reflection to only allow local X clients to connect to Reflection X. When this option is selected, Reflection X sets up a listening socket only on the local loopback interface (127.0.0.1). This configuration allows SSH connections (which register as local connections), but blocks all non-local X clients from connecting to the Reflection X server.
Configure this feature from the Reflection X Manager. Click Settings > Network, and select the Disable remote TCP/IP connections check box.
For further details, see the online help in Reflection X.