[lug] remote xterm question...

Peter Hutnick peter-lists at hutnick.com
Sun May 11 02:56:12 MDT 2003


Bear Giles said:
> Peter Hutnick wrote:

> I disagree with describing X terminals as only pieces of hardware.
>   X defines a wire protocol for use between client and server, and
> it's the same protocol regardless of whether it goes across your
> ethernet connection, the loopback device, or a Unix socket.

Okay, "xterm" is an X client that simply provides a shell in a window.

I have only seen "X terminal" used for the thingies with a screen and a
keyboard.  I'm not sure what else you are referring to.  Anything
displaying an X desktop?  That seems like a uselessly broad definition.

>  > VNC
>
> Does VNC use the X protocol?  Some of the documentation refers to
> communications occurring over port 5090, not 8000 et seq.

No.  VNC provides an X server.  AFAIK it can display remote X clients. 
But it /also/ (and generally more importantly) can export its entire
(non-window/client oriented) display over RFB, the Remote Frame Buffer
protocol.

> This isn't a moot point.  If it really uses the X protocol, it
> makes much more sense to me to modify the X startup scripts to
> start up multiple servers than to use an entirely unrelated
> server.  You can then use the regular XDM login procedure, etc.

Well, the point is moot, since it doesn't use the X protocol ;-)

>  > I routinely connect from
>> work to my home box (via a Comcast cable modem) at 950x525x16bit color
>> and the performance is acceptable to me.
>
> Is it safe?  X has a couple native cryptographic authentication
> methods, or could be run through a VPN or (ugh) SSH tunnel.  It
> looked like VNC runs naked.

Not particularly.  For auth the server sends a random plain-text
challenge.  The client receives this and prompts the user for the password.
The password and the challenge grind through some algorithm that creates a
response, which is transmitted (in the clear) back to the server.  If the
server comes up with the same response based on the locally stored
password, access is granted.

This is probably sufficient to thwart everybody but the NSA.

The images of the desktop are sent in the clear (unless you tunnel them
through some other app, such as ssh).

If someone was able to interpose themselves on the wire they could quite
conceivably read the contents of your screen, sniff out your keystrokes
and, possibly, send keystrokes upstream.

I keep hoping for someone to build SSL into the server and the client, but
it keeps not happening.

>> Someone mentioned telnet.  There is no valid reason to run telnet.
>> Period.  Telnet bad.
>
> Stock telnet bad.  There are some versions of telnet that support
> strong authentication and encryption.  Some secadmins may prefer a
> fully kerberized network over individually configured SSHD daemons.

Thanks for being pedantic.  The world needs more pendants :-P

-Peter
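
The challenge-response exchange described in the message above, as an added example that is not part of the original post and is not VNC's own code. HMAC-SHA256 stands in for the algorithm the post leaves unnamed; the 16-byte challenge size, the Server class, the function names and the password are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 16  # assumed size; the post does not give one


def respond(password: str, challenge: bytes) -> bytes:
    """Stand-in for the post's unnamed algorithm: HMAC-SHA256 keyed by the password."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Server:
    """Hypothetical server side: issues a challenge, then checks one response."""

    def __init__(self, stored_password: str):
        self._password = stored_password
        self._pending = None  # challenge still waiting for its response

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(CHALLENGE_LEN)
        return self._pending  # sent to the client in the clear

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no challenge outstanding
        challenge, self._pending = self._pending, None  # each challenge is single use
        expected = respond(self._password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def login(server: Server, password: str):
    """One full exchange. Returns (granted, wire); wire is everything sent in the clear."""
    challenge = server.new_challenge()
    response = respond(password, challenge)
    return server.verify(response), (challenge, response)


def demo():
    server = Server("s3cret-constructed")  # constructed sample password
    ok, wire = login(server, "s3cret-constructed")
    bad, _ = login(server, "wrong")
    server.new_challenge()  # fresh challenge for the next session
    replayed = server.verify(wire[1])  # old response checked against the new challenge
    leaked = b"s3cret-constructed" in wire[0] + wire[1]  # password itself on the wire?
    return ok, bad, replayed, leaked
```

demo() reports, in order, whether the correct password is accepted, whether a wrong one is, whether a recorded response works against a fresh challenge, and whether the password bytes appear in the cleartext traffic.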




