Disclaimer

It is the responsibility of the sysadmin to take into consideration the security implications of performing the steps outlined in this article. Knowledgeable readers are invited to provide additional insight, corrections, or suggestions in their comments.

Motivation

Up until recently, the XenApp Unix Admin Guide suggested that the rsh command be used when publishing applications that needed to connect to yet another machine to provide the application. The typical use case for this was when administrators would like to publish an application on a platform that the XenApp Unix server product does not run on (e.g. Linux, FreeBSD, etc.). Due to the lack of security provided by the rsh facility, it is recommended that users use the ssh command instead. This article is meant to act as a tutorial for sysadmins who need to do this and would like a single place to go for a reference.

This update was inspired by an astute response to a previous blog article. 

Setting Up Host Based Authentication

This step is only necessary if your requirements are that users should not re-authenticate when a connection is made from the XAU server to the host providing the application (henceforth the apphost)

When your XAU server’s Public Host Keyis placed in the appropriate location on the apphost, the SSH server daemon assumes that any incoming users have been properly authenticated and will not reauthenticate. However, if the incoming userid does not exist on the apphost, access will not be granted.

Configuring the XAU Server machine

  1. As root, using ssh-keygen, create a private key file at /etc/ssh/ssh_host_rsa_key
    Quite often, this is done at OS installation time, and this step is unnecessary.
  2. Make sure that file is only readable by root
  3. Copy the file /etc/ssh/ssh_host_rsa_key.pub to a secure location on the apphost.
  4. Set the ssh client binary to setuid root on the XAU Server.
  5. Find ssh-keysign on your machine, and make sure that it is setuid root .
  6. In /etc/ssh/ssh_config, set HostbasedAuthentication to yes .

Configuring the Apphost

  1. In /etc/ssh/sshd_config on the apphost, set the config option HostbasedAuthentication to yes
    (for Sun’s sshd, you might need to add this directive)
  2. in the file ssh_host_rsa_key.pub that you just copied over, add the canonical hostname of the XAU Server machine to the beginning of the first (and what should be the only) line in the file, followed by a space. e.g.
    potato.citrix.com ssh-rsa AAAAB3N.../CIMtw==
    Then append ssh_host_rsa_key.pub to /etc/ssh/ssh_known_hosts
  3. Append the line
    +<hostname>
    to the file /etc/ssh/shosts.equiv where <hostname> is the canonical hostname of the XAU Server machine.
  1. Tell the sshd process to reread its configuration file.
    cat /var/run/sshd.pid | xargs kill -HUP
  2. Finally, ensure that any users on the XAU Server that you would like to allow access on the apphost have entries in /etc/passwd on the apphost.

Publishing the remote application

The steps in this section are outlined in the admin guide, but some examples of the contents of the published scripts will be provided for concreteness.

Publishing vi in text mode on the remote machine lettuce.citrix.com

#!/bin/bash
xterm -e ssh -t lettuce.citrix.com vi

Publishing emacs in graphical mode on the remote machine tomato.citrix.com:

#!/bin/bash
ssh -X tomato.citrix.com emacs

References

  • the sshd manpage
  • the ssh manpage
  • the sshd_config manpage
  • the ssh_config manpage
  • the ssh-keygen manpage