Graphical Desktop (X) Questions

From NST Wiki
Revision as of 16:05, 16 November 2010 by Rwh (talk | contribs) (Does the Network Security Toolkit Support Virtual X (VNC)?)
Jump to navigationJump to search

Does the Network Security Toolkit Support A Graphical Desktop (X)?

Yes. However, the Network Security Toolkit boots in Console mode by default.

How Do I Start Get To The Graphical Desktop (X)?

The easiest way to bring up a graphical desktop (X) is by selecting Graphical Desktop mode at the initial boot screen.

If your system automatically boots into Console mode before you select the Graphical Desktop mode, you will need to log in as the root user, and run the following command to switch the system to Graphical Desktop mode:

[root@dhcp136 ~]# init 5

The above will start up the Graphical Desktop mode, but leave the system running the network instead of NetworkManager service. If you plan on logging in using the GNOME desktop, you may want to disable the network service and enable the NetworkManager service prior to starting the Graphical Desktop. To do this, enter the commands:

[root@dhcp136 ~]# chkconfig network off
[root@dhcp136 ~]# chkconfig NetworkManager on
[root@dhcp136 ~]# init 5

Does the Network Security Toolkit Support Virtual X (VNC)?

Yes. You can run a virtual X desktop on the Network Security Toolkit probe and view it remotely on any client machine. This allows Windows, Mac OS X and many other client systems to bring up the graphical desktop running on a remote Network Security Toolkit system. The client system will require a Java enabled web browser, or a native VNC viewer application.

You can start the VNC server on your Network Security Toolkit system either by running the nstvncadmin script or using the lvnc command after logging into the Network Security Toolkit system. Alternatively, you can use the Network Security Toolkit Web User Interface (NST WUI). From the main menu bar, select 'System | Virtual Computing | VNC Server Session Management. The NST WUI provides a form which allows you to tweak many of the VNC server options (we highly recommend it).

Once you have the VNC server running on your Network Security Toolkit, you can use a VNC client program to attach to and control the virtual X desktop. Linux and Apple OS X 10.6 systems typically ship with a native or 3rd party VNC viewer. Here are some other 3rd party VNC clients which are known to work (shown alphabetically):

  • Chicken of the VNC - For Apple OS X users.
  • RealVNC - Many different versions and platforms. Not all of the versions are free.
  • TigerVNC - Based off of TightVNC. For Windows and Linux systems (and Apple OS X users skilled in compiling GNU software).
  • TightVNC - For Windows and Linux systems.
  • UltraVNC - A Windows specialized version of VNC.

Why Won't The X Applications Launch From The WUI?

The Network Security Toolkit web based user interface (WUI) provides many links to launch X based applications. In order to use these links, all of the following conditions must be met:

* The client machine must be running a X server. Linux and Mac OS X machines typically support this natively. Windows machines do not support this natively - but you can use packages from http://www.cygwin.com/ to add this capability.
* The machine running the X server must have its firewall rules set such that TCP connections to the X server port are permitted. This will typically be port 6000. For security reasons, most systems will prohibit this by default.
* The X server on your client machine must permit TCP connections. For security reasons, many distributions disable this feature. You can scan the X server port (typically port 6000) to determine if the X server is accepting external TCP connections.
* You must run the xhost command on your X server to add the IP address of the Network Security Toolkit probe. This will allow the Network Security Toolkit probe to make use of your client machine's X server as its display.

The Best/Simplest Way To Enable X Connections

Refer to the "Running X Window Applications Through The SSH Tunnel" section on the "HowTo Limit Remote Access To "ssh" Connections" page for details on using ssh to enable the launching of X applications from the NST WUI.

The Difficult Less Secure Way

The following documents a more generic and difficult approach to enabling your NST system to accept remote X connections such as those triggered by launching commands from the NST WUI.

By default, the gdm desktop manager does not permit TCP connections to the X server. You can used the gdmsetup utility to enable this feature. Alternatively, you can add (or modify) the following line in your /etc/gdm/custom.conf.

[security]

# Adding the following to the [security] section will
# allow TCP connections to the X server

DisallowTCP=false

After updating the gdm configuration, you will need to restart gdm. This can be done by killing the gdm-binary process. Make sure you close all of your X applications BEFORE restarting the gdm process as all processes owned by the X server will be killed.

[root@probe ~]# ps -ef | grep gdm-binary
root      1354     1  0 14:19 ?        00:00:00 /usr/sbin/gdm-binary -nodaemon
root      2027  1917  0 14:48 pts/1    00:00:00 grep gdm-binary
[root@probe ~]# kill 1354
       

At this point, you should be able to log into your system and TCP port 6000 should be open. You can use the nmap command to verify this:

[root@probe ~]# nmap 192.168.110.2

Starting Nmap 5.21 ( http://nmap.org ) at 2010-11-03 14:49 EDT
Nmap scan report for probe (192.168.110.2)
Host is up (0.000014s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
6000/tcp open  X11

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
[root@probe ~]# 

Just because TCP port 6000 is open does not mean that your X server will accept connections from any host. In order to project a X window onto your X server, you will need to run the xhost command and grant access to the remote machine. For example, if the NST WUI you are using is running on machine 192.168.110.3, you need to permit machine 192.168.110.3 to display windows on your X server. To do this, you need to run the following command:

[root@probe ~]$ xhost +192.168.110.3
192.168.110.3 being added to access control list
[root@probe ~]# xhost
access control enabled, only authorized clients can connect
INET:192.168.110.3
SI:localuser:gdm
SI:localuser:root
[root@probe ~]#  

You should now be able to display applications running on machine 192.168.110.3 on your desktop. If your system is 192.168.110.2, here is a simple check you can use to verify this.

[root@probe]# ssh root@192.168.110.3
Password:
[root@192.168.110.3]# export DISPLAY=192.168.110.2:0.0; xclock &      

If everything is setup correctly, you should see the window of a clock application running remotely on 192.168.110.3 show up on your desktop.


How Do I Enable A Graphical Desktop Login At Boot?

On A Live Boot

When the NST system boots, choose Graphical Desktop from the syslinux boot loader screen.

You will need to do this each time you boot the system if you are booting from read-only media like a DVD. If you are booting from a Live USB installation, you can make the Graphical Desktop the default boot method by editing the file: "/syslinux/syslinux.cfg". The trick is to move the line: "menu default" from the bottom of the Console section to the bottom of the Graphical Desktop section.

On A Hard Disk Installation

There are several methods to boot directly to Graphical Desktop mode.

By default, you will have a text based login when you boot from the Network Security Toolkit CD. To enable a graphical login, the following must be done:

  • At the grub boot screen, select Graphical Desktop mode. If you choose this route, you will need to do this every time your system boots.
  • Edit the file: "/boot/grub/grub.conf". Change the number in the line: "default=0" to the index (starting from 0) of the entry in your grub configuration file that corresponds to the Graphical Desktop mode.
  • Edit the file: "/boot/grub/grub.conf" and remove the " 3", " 5" values found at the end of each kernel line. The number 3 forces a Console boot and the number 5 forces a Graphical Desktop boot. By removing these values from the grub configuration file, whether or not a Graphical Desktop boot should be controlled by the "id:" line found in "/etc/inittab". Edit the "/etc/inittab" file and change the "id:" line to:
id:5:initdefault: