Unusual implimentation of X using one way data diode device

Vaevictus · 04-16-2007, 08:08 AM

Hi Everyone,

I hope I can get a solution to a problem thats been bothering me for a long time! We are implimenting a Tenix Data Diode Device and Tenix's thin client KBS switch, these devices are for high security environments linking networks of different security classifications together using one way transmission of data (the device makes it physically impossible for data to leave the higher classification network).

We want users on the high classification network to be able to browse the internet securely so we are using the thin client switch also by tenix. The switchbox has a network presence on the low side network and a physical PS2 connection on the high side network.

The idea is when the lowside button is activated, all keyboard and mouse input is redirected to the lowside thin client session (which can be windows terminal services / citrix for example).

The thin client application is launched on the lowside linux box, the X data that is generated from this session is encapsulated into UDP and sent across the data diode device and then forwarded to an XServer application(such as winaxe or hummingbird) that is runnng on the users high side workstation.

It works great with citrix, but it will be too expensive to impliment!

instead of the linux server launching the citrix icaclient, we want it to launch a linux X login window, which when eventually logged into will start a kde session.

Freenx / commercial NX is not an option unfortunately.

The script that the diode server launches when a user activates his low side session is as follows, a screen (eg :1.0) is reserved and passed as $1 to the script.
#!/bin/sh
HOME=/root
export HOME
DISPLAY=$1
export DISPLAY
SOME APPLICATION EXECUTED HERE - eg rdesktop or citrixclient
What I want to know is, what command do I use to spawn a xlogin window.

ps We aim to have 10-15 users logged in per box.

I would really appreciate any input!

Vaevictus

Matir · 04-16-2007, 10:45 AM

I'd look at spawning 'kdm' there.

Vaevictus · 04-18-2007, 01:58 AM

Great - thanks.

I tried it, and it didnt work. But because Im using RHEL it was using GDM as the login manager. I looked at a tool "gdmconfig" and noticed that it was disabling remote connections. I enabled remote connections in the config tool and voila, it worked using GDM.

However - the colours are really messed up(kinda like low colour depth, but more like weird gamma) so now I have another problem to work out :0)