S-Terminal: A Secure X Terminal

Introduction
I've always loved the idea of X terminals. They require almost zero setup and maintenance. They don't suit everybody, but there are plenty of situations where they're an excellent solution. The down side has always been security. Traditionally, an X terminal user authenticates by passing plaintext user name and password information to a display manager application (e.g., xdm) running on a remote host. Once the user is successfully authenticated, the remote display manager fires up a collection of X applications (a "session") that are displayed by the local computer's X server. None of this activity is encrypted, and none of the subsequent traffic between your keyboard and the remote applications is encrypted.

One solution might be to run everything through an encrypted tunnel. Unfortunately, xdm seems designed to prevent this possibility. For example, say you've created an encrypted tunnel between localhost port 177 (xdmcp) and port 177 on server.somewhere.com. When you type "X -query localhost -port 177", xdm sends back a message saying "connect to server.somewhere.com" This causes your X server to bypass the encrypted tunnel and attempt to connect directly (unencrypted) to the remote host. (See the description of the "Willing" packet in the XDMCP protocol documentation: xdmcp.PS.gz.)

What is S-terminal?
Rather than trying to come up with a complicated way of encrypting communications with xdm, I decided to dump xdm altogether. The result is S-terminal. S-terminal collects the user's authentication information locally, then creates an encrypted tunnel to the remote host using ssh and starts an X session. All X applications on the remote machine communicate with the local host through the encrypted tunnel.

S-terminal and KNOPPIX
After security, my second goal was to make setup as easy as possible. An X terminal doesn't need disk space or CPU power. Any old box should do fine. I wanted to be able to just pop in a CD, reboot, and have a running, secure X terminal ready to use. But different hardware (ethernet cards and video cards especially) needs different drivers. I wanted one CD I could use in any computer that happened to be available, without having to worry about what hardware it contained.

That's where KNOPPIX comes in. KNOPPIX is a wonderful bootable Linux CD, with an amazingly complete set of software installed on it. The greatest thing about KNOPPIX, though, is its hardware detection. Klaus Knopper, the author of KNOPPIX, has done an outstanding job of detecting hardware at boot time, and automatically configuring the operating system appropriately.

KNOPPIX also has the ability to read configuration information from a floppy disk, or from additional files added to the CD image. (For information on easily creating a customized KNOPPIX disk, see making-a-cd.txt in the S-terminal distribution.) This makes it easy to customize KNOPPIX for a particular use.

Getting S-Terminal
You can download S-terminal here. See below for licensing terms and warranty disclaimer. The current version is 0.5.

How it Works
For use with KNOPPIX, I've packaged up the actual S-terminal application along with a set of modified configuration files (inittab, etc.) and a script (knoppix.sh) that installs these files at boot time. The S-terminal application consists of several perl scripts, a configuration file and a Wish script. These files and the modified KNOPPIX configuration files are packed up into a compressed tar archive, configs.tbz.

To try out S-terminal, you just need to burn a "stock" KNOPPIX CD, then take a blank floppy and copy knoppix.sh and configs.tbz onto it. Insert the floppy, boot the CD and type "knoppix floppyconfig" at the boot prompt. You should shortly see an S-terminal login window on the screen.

The modified inittab contained in configs.tbz has three lines near the bottom that

Start the local X server
Start the main S-terminal program (sterminal.pl)
Start a cron-watcher program, which is part of S-terminal's update system (more about this later)

If any of these processes dies, init automatically restarts it.

The sterminal.pl program collects some information about the local system (MAC address, etc.), reads configuration directives from several optional sources (see the section below, on customizing), then fires up sterminal.xsession.tcl, which does most of the actual work. This is a Wish script that produces a login window like the one shown here:

The name of the remote host may be specified in S-terminal's configuration files, as well as whether the user is allowed to edit the host name.

Once the user's name and password have been collected, the script uses "expect" to start an X session on the remote host, via ssh. S-terminal's configuration options allow you to specify what command to use to start a session. For most Linux computers, the default value (/etc/X11/xdm/Xsession) should work, but you can specify any valid command on the remote system.

After the user logs out, S-terminal exits and the local computer's init process (remember the modified inittab we installed?) automatically restarts it, so it's ready for the next login.

Portability
S-terminal should be easily portable to any system that has an X server, perl, wish and expect.

Customizing S-terminal
S-terminal draws its configuration information from several sources.

The sterminal.conf file, installed at boot time from configs.tbz.
A "setup url" specified in the sterminal.conf file, which is consulted each time S-terminal restarts, and may override values contained in sterminal.conf. This url should return text information in the same format as sterminal.conf.
A nightly update url ("cron url"), which is consulted each night, at a random time between Midnight and 4am, local time. This url should return an updated version of configs.tbz, which will be unpacked and installed in the same way knoppix.sh does it at boot time. The nightly update is done by a cron job that runs /etc/sterminal-update.pl. After installing the new configs.tbz, sterminal-update.pl also looks for an executable script called /etc/sterminal-update.script, and executes it if it exists. This script may contain any additional commands you'd like to have executed each night.

Here's the default sterminal.conf file:

setupurl    : http://sterminal-config.%ipdomain%/sterminal/config/?HWADDR=%hwaddr%&GROUP=%group%
cronurl	    : http://sterminal-config.%ipdomain%/sterminal/config/update/%group%/configs.tbz
group       : terminals
host        : Enter Host Name
xsession    : /etc/X11/xdm/Xsession
presession  : 
postsession : 
prelogin    : 
atsession   : 
postlogin   : 
bgcolor     : CadetBlue
bgimage     : sterminal.gif

The parameters as follows:

setupurl
A url from which to obtain updated information. This may contain variables referring to the local system. These variables will be evaluated before the url is used. Available variables are:
- hwaddr
  The computer's hardware (MAC) address. For convenience, this address is displayed in S-terminal's login window as the "Station ID".
- ipaddr
  The computer's current IP address
- ipdomain
  The computer's IP domain, determined by doing a DNS lookup on the IP address, then taking everything after the first dot. E.g., "my.host.mydomain.com" would have ipdomain set to "host.mydomain.com".
- ipdomain2
  The same, but taking off both the first two elements of the host name. E.g., "my.host.mydomain.com" would have ipdomain2 set to "mydomain.com".
- group
  An arbitrary group name, of which the local computer is a member. Specified elsewhere in sterminal.conf.
cronurl
Similar url for the nightly cron job's use.
host
The default remote host on which a session will be started. If the string begins with a "+" this field will not be editable by the user.
xsession
The command to run on the remote machine to start a session. The default value is "/etc/X11/xdm/Xsession", which should work for most Linux hosts. Alternatives might "gnome-session", "afterstep" or any other valid command on the remote computer (e.g., "/bin/ksh /etc/X11/xdm/Xsession").
bgcolor
The background color for the login screen. Must be a color specification understood by the "xsetroot" command.
bgimage
A background image for the login screen. Currently, this must be 480x480.

Each of the following parameters specifies an arbitrary command to run at some point during the lifetime of a session. Note that these commands will be executed on the LOCAL machine, not the remote system. Also note that a command like "xterm" may pause S-terminal's execution until the xterm exits, unless you explicitly put the command into the background AND disconnect its STDIN and STDOUT (e.g., "xterm > /dev/null 2>&1 &").

prelogin
Executed before the login window appears. Will be executed within perl's backticks.
presession
Executed after login window disappears, but before attempting to start a session. Will be executed by expect's "system" function.
atsession
Executed immediately after session has been successfully begun. Executed by expect's "system" function.
postsession
Executed after session ends, by expect's "system" function.
postlogin
Executed before exiting S-terminal, by perl's backticks.

Configuration Examples

Changing the look: Here are a couple of examples showing the effect of color and bitmap changes:

bgcolor=CadetBlue
bgimage=sterminal.gif
bgcolor=pink
bgimage=tux.gif

Remote re-configuration: Here's a small CGI program that you might point to with "setupurl". It looks for a configuration file corresponding to the remote S-terminal's MAC address. If no such file is found, it serves up a default configuration. This file is included in the S-terminal distribution, under the "examples" directory.

#!/usr/bin/perl -w

#------------------------------------------------------------------------------
# The following is a simple script to implement remote configuration
# of S-terminals.  Just drop this into the location specified in
# '$setupurl' in sterminal.pl.  (You'll have to figure out what you
# need to do to make cgi scripts run on your web server.)
#------------------------------------------------------------------------------

use strict;
use CGI qw/:standard/;

my $hwaddr = param('HWADDR');

print header('text/plain');
print STDERR "[".localtime()."] [sterminal] Connection from $hwaddr\n";

my $output = "";
if ( -f "$hwaddr.dat" ) {
    $output = `cat $hwaddr.dat`;
} else {
    $output = "host: Enter Host Name
               xsession: /etc/X11/xdm/Xsession
               bgcolor: CadetBlue
               bgimage: sterminal.gif
               prelogin:
               postlogin:
               presession:
               postsession:
               atsession:\n";
}
print $output;

Burning a modified KNOPPIX CD: Making minor changes to KNOPPIX is easy. It doesn't require huge resources like a full remastering, it just takes a little finesse. You just use the fact that the information from a KNOPPIX "floppyconfig" floppy can be added to the CD. The floppyconfig files can then be used to re-configure KNOPPIX automatically at boot time. Here's how to do it:

# First, mount the stock KNOPPIX iso and copy the files into a new directory:
mkdir /mnt/knoppix
losetup /dev/loop0 KNOPPIX-blah-blah.iso
mount /dev/loop0 /mnt/knoppix
mkdir /usr/src/new-knoppix

# This will take a while:
cp -r -a -p /mnt/knoppix/* /usr/src/new-knoppix/

# Clean up after ourselves:
umount /mnt/knoppix
losetup -d /dev/loop0

# Now, add salt and pepper to taste:
cp configs.tbz knoppix.sh /usr/src/new-knoppix/KNOPPIX/
# knoppix.sh will automatically be run at boot time.

# Finally, cook up the new iso image:
cd /usr/src/new-knoppix
mkisofs -pad -l -r -J -v -V "KNOPPIX" -b KNOPPIX/boot.img \
   -c KNOPPIX/boot.cat -hide-rr-moved \
   -o /usr/src/new-knoppix.iso .

License
S-terminal is copyright 2003 by Bryan Wright <bkw1a_at_virginia_dot_edu> and released under the terms of the GNU General Public License. You should find a copy of the license included in the S-terminal distribution, in the file LICENSE.txt.

No Warranty
No warranty either expressed or implied. Use S-terminal at your own risk. It's not my fault if it eats your lunch and calls you names.