D0 PC Support

WRQ Reflection Critical Vulnerability Security Settings

Go to:
Start > Programs > WRQ Reflection > Reflection X
This window appears.

You are required to set your security by implementing either user-based access or host-based access.

User-based: this improves your security the most. The X server accepts only clients that present the per-session authorization cookie registered with xauth, whatever host they come from.

Host-based: this improves your security quite a bit, by only allowing client connections from the systems you need to use at any given moment. You give your X server process a list of hosts from which client connections are permitted.

The main difference between user-based and host-based is that with host-based access, any user on a permitted Unix host, not just you, can connect to your X server and potentially hijack your X session. User-based access ties the permission to the cookie rather than to the host.

To set your WRQ X-Server security:
Go to:
Settings > Security.
This window appears:

Under "Security mode" select either Host-based or User-based security. Also, ensure that you select refuse under "If client cannot be authorised".

USER-BASED SECURITY: Preferred - best security

Many have been trying to follow the instructions in the http://computing.fnal.gov/security/CriticalVuln/X-Servers.html link and are unsure how to set up "user-based" access.

What you have to do is add:

/usr/bin/X11/xauth add %IP#% %C%;

to the COMMAND line of every X connection you have already created. Add it at the beginning of the existing command; do not replace the command with it. Reflection fills in the %IP#% and %C% tokens when the connection is opened, giving xauth the display name and cookie it needs; the entry lands in your .Xauthority file on the Unix host, and X clients started from that session present the cookie to your X server. You must also select "User-based" under Settings > Security, since the xauth entry does nothing while the server is still in host-based or unrestricted mode.
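The following script is an added example, not code from the original page or from Reflection. It shows by hand what the COMMAND-line prefix above does on the Unix host: generate a cookie and register it for the PC's display in ~/.Xauthority, then check that the authority file is not readable by other users. Reading %IP#% as the PC's display address and %C% as the cookie is an assumption drawn from the arguments that xauth add takes; the display name 131.225.1.2:0 is a made-up placeholder.

```sh
#!/bin/sh
# Added example; not part of the original page or of Reflection. It does by
# hand what the COMMAND-line prefix "xauth add %IP#% %C%" does once Reflection
# has substituted the PC's display address and the cookie (that reading of the
# two tokens is an assumption based on the arguments xauth add takes).

# 128-bit MIT-MAGIC-COOKIE-1 as 32 hex digits, from the kernel RNG.
gen_cookie() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# The xauth command for a display such as 131.225.1.2:0 (PC address and
# display number) and a cookie; "." is xauth's shorthand for MIT-MAGIC-COOKIE-1.
xauth_add_command() {
    printf 'xauth add %s . %s' "$1" "$2"
}

# Anyone who can read the cookie can connect to your X server as you, so the
# authority file must be readable by its owner only. Returns 0 if mode is 600
# (GNU stat first, BSD/macOS stat as fallback).
xauthority_perms_ok() {
    f=${1:-$HOME/.Xauthority}
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Create a fresh cookie for the display in $1, add it with xauth if the tool
# is present, verify the entry, and print the cookie so the same value can be
# given to the X server on the PC.
install_cookie() {
    display=$1
    cookie=$(gen_cookie)
    if command -v xauth >/dev/null 2>&1; then
        xauth add "$display" . "$cookie" || return 1
        xauth list "$display" | grep -q "$cookie" || return 1
        xauthority_perms_ok || echo "warning: ~/.Xauthority is not mode 600" >&2
    else
        echo "xauth not found; would run: $(xauth_add_command "$display" "$cookie")" >&2
    fi
    printf '%s\n' "$cookie"
}

# Usage: sh xauth_cookie.sh 131.225.1.2:0
if [ $# -eq 1 ]; then install_cookie "$1"; fi
```

The cookie must be identical on both sides: the X server on the PC only accepts clients whose cookie matches the one it was started with, which is why Reflection supplies the value itself rather than letting the Unix host pick one.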

HOST-BASED SECURITY: Easier to get working

Under Security mode choose "Host-based security". (You must not choose "Unrestricted access"; Fermilab security policy forbids it.)
Under If client cannot be authorized choose "Refuse connection".
Click on the Edit button.
This window appears:

At the bottom of the text file, add every host from which X clients will connect to your PC, i.e. each host you log in to. In this example, "d0mino.fnal.gov" was added.
Save the file.
Close the text file window.
Click Apply
Click OK.

Special considerations for those using SSH with WRQ

If you tunnel the X connection through ssh, the authorization is handled for you. You can set the X server security to user-based and everything works transparently. You do not need to run xauth yourself: the ssh server generates a cookie for the forwarded display and adds the appropriate entry to your .Xauthority file automatically.

X tunneling is enabled in Unix ssh with the -X option (for example, ssh -X d0mino.fnal.gov). Reflection can also tunnel the X connection itself, provided that you select "open ssh" as the connection method rather than "kerberized telnet".

An added security benefit of this method is that the X traffic is encrypted between the PC and the ssh server, which is not the case for a direct (non-tunneled) connection to an X display on a remote machine, where the X traffic travels in the clear.

If tunneling is successful, your DISPLAY variable is set automatically to something like "localhost:23.0" (i.e. the display number is non-zero, because the forwarded display is a listener on the ssh server rather than a real X server). You must not override this value by setting DISPLAY in your .login or .cshrc file; doing so sends your X clients around the tunnel, so they are either refused or run unencrypted.
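The script below is an added example, not code from the original page, for checking the two conditions just described from inside the ssh session: that DISPLAY looks like an ssh-forwarded display, and that no shell startup file overrides it. The file names it scans (.login, .cshrc, .profile, .bashrc) and the sample contents used in its comments are assumptions; the default sshd X11DisplayOffset of 10 is a fact about OpenSSH, not something the page states.

```sh
#!/bin/sh
# Added example; not part of the original page. Two checks for the ssh-tunnel
# setup described above, both run on the Unix side of the connection.

# Returns 0 if DISPLAY (argument 1) looks like an ssh-forwarded display: an
# empty or localhost host part and a non-zero display number. sshd's default
# X11DisplayOffset is 10, so forwarded displays are localhost:10.0 and up;
# :0 is a real X server on the host, and pc.fnal.gov:0.0 (a placeholder name)
# is a direct, unencrypted connection back to the PC.
display_is_tunneled() {
    d=$1
    case $d in *:*) ;; *) return 1 ;; esac   # no display number at all
    host=${d%%:*}
    rest=${d#*:}                               # "23.0" or "23"
    num=${rest%%.*}
    case $host in
        ''|localhost|127.0.0.1) ;;
        *) return 1 ;;
    esac
    case $num in
        ''|*[!0-9]*) return 1 ;;               # not a number
    esac
    [ "$num" -ne 0 ]
}

# Lists lines in the given csh/tcsh and sh startup files that set DISPLAY
# ("setenv DISPLAY ...", "DISPLAY=...", "export DISPLAY=..."). With ssh
# forwarding any such line clobbers the value sshd exported, so the expected
# output is nothing. Output format: file:line:text. Commented-out lines are
# skipped.
find_display_overrides() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE '^[[:space:]]*(setenv[[:space:]]+DISPLAY|(export[[:space:]]+)?DISPLAY=)' "$f" |
            sed "s|^|$f:|"
    done
    return 0
}

# Usage: sh check_display.sh --check   (inside the ssh session)
if [ "${1:-}" = "--check" ]; then
    if display_is_tunneled "${DISPLAY:-}"; then
        echo "DISPLAY=${DISPLAY} is an ssh-forwarded display"
    else
        echo "DISPLAY=${DISPLAY:-unset} is NOT an ssh-forwarded display" >&2
    fi
    find_display_overrides "$HOME/.login" "$HOME/.cshrc" "$HOME/.profile" "$HOME/.bashrc"
fi
```

Any line the second check reports should be removed or made conditional on DISPLAY being unset; a hard-coded "setenv DISPLAY mypc.fnal.gov:0.0" is exactly the override the text above warns against.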

Please send any comments or concerns to the D0 NT Administrators

Fermilab Disclaimer