Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two network devices. Used primarily on Linux- and Unix-based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, leaving it open to interception.
The Security Assurance Team (SAT), which operates under the Information Technology Security Operations Team (ITSOT), uses the Enterprise Vulnerability Management System (eVMS) to identify systems all over the USGS network that run Reflection X software based on TCP port 6000 being open (Nessus plugin IDs 19948 and 10407). This indicates that users are running X11 sessions without encryption. The DOI Security Policy Handbook’s best practices indicate that all login information be passed across the network in an encrypted form. Therefore, all X11 sessions should be tunneled through SSH. To further reduce vulnerabilities within eVMS, port 6000 should also be disabled on all sessions.
Tunneling Reflection XDM Sessions through SSH
Reflection X Client Setup for SSH
Tunneling Reflection XDM Sessions through SSH
To set up a secure XDM session, open the Reflection X manager. From the Client Template section, choose sun. From the Method drop-down menu, choose SECURE SHELL.
Enter the hostname.
Enter the user name.
Blank out the Command line and enter (/usr/dt/bin/Xsession &) in the field.
Go to Settings in the Menu Bar and click Network.
Check the Disable remote TCP/IP connections box. This will disable Port 6000. Click OK.
Click the Connect button.
Click OK on the Warning Banner.
Enter your password.
You should now be connected to your XDM session tunneled through SSH with Port 6000 closed. *Be sure to save your connection settings upon exiting the session for the first time.
Reflection X Client Setup for SSH
To set up an SSH xterm window from Reflection X, open the Reflection X manager, choose SECURE SHELL from the Method drop-down menu, and enter the Host name and User name in their fields.
Remove the -display %IP#% option from the xterm command so that ssh’s secure shell tunnel (X Forwarding) is not bypassed.
If you have customized fonts stored in the .Xdefaults file located in the home area of your Unix system, then remove the -fn 6x13 option from the xterm command.
Go to Settings in the Menu Bar and click Network.
Check the Disable remote TCP/IP connections box. This will disable Port 6000. Click OK.
Save your settings.
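Both procedures above come down to the same two conditions on the Unix host: the session's DISPLAY must be the loopback display that sshd creates for X forwarding (rather than the PC's own address, which is what the -display %IP#% option would force), and no X server may be listening on TCP port 6000 on a network-facing address. The following added script checks both from the host side; it is not part of the original page or of Reflection X, and the ss output it parses is constructed sample data. It assumes the sshd defaults X11UseLocalhost yes and X11DisplayOffset 10.

```python
"""Confirm an X11 session is tunneled through SSH rather than using TCP port 6000."""
import re
from dataclasses import dataclass
from typing import List, Optional

X11_BASE_PORT = 6000  # an X server for display :N listens on TCP 6000+N

@dataclass
class DisplayInfo:
    host: str
    number: int
    screen: int
    tunneled: bool            # True when DISPLAY is the loopback display sshd set up
    tcp_port: Optional[int]   # port a direct TCP connection would hit; None for unix sockets

DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")

def parse_display(display: str) -> DisplayInfo:
    """Parse a DISPLAY value such as 'localhost:10.0' or '192.0.2.25:0.0'."""
    m = DISPLAY_RE.match(display.strip())
    if not m:
        raise ValueError(f"unrecognised DISPLAY value: {display!r}")
    host, num = m.group("host"), int(m.group("num"))
    screen = int(m.group("screen") or 0)
    if host in ("", "unix"):            # local unix-domain socket, no TCP at all
        return DisplayInfo(host or "unix", num, screen, False, None)
    # With the assumed sshd defaults, X forwarding yields localhost:N with N >= 10.
    # Anything else (e.g. the PC's IP with display 0) means a direct port-6000 connection.
    tunneled = host in ("localhost", "127.0.0.1", "::1") and num >= 10
    return DisplayInfo(host, num, screen, tunneled, X11_BASE_PORT + num)

def exposed_x11_listeners(ss_lines: List[str]) -> List[int]:
    """Return X11 ports (6000-6099) listening on non-loopback addresses in `ss -ltn` output."""
    exposed = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue                    # skip the header and non-listening sockets
        addr, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        port_n = int(port)
        if X11_BASE_PORT <= port_n < X11_BASE_PORT + 100 and addr not in ("127.0.0.1", "[::1]"):
            exposed.append(port_n)
    return exposed

# Constructed sample of `ss -ltn` output: sshd's forwarding listener on 6010 is fine,
# the X server listening on 0.0.0.0:6000 is what the Nessus scan would flag.
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process",
    "LISTEN 0      128    0.0.0.0:22          0.0.0.0:*",
    "LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*",
    "LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*",
]
```

Run `parse_display(os.environ["DISPLAY"])` inside the SSH session and feed the real `ss -ltn` output to `exposed_x11_listeners` to repeat the check on a live host.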