...
Protecting your SLAC AFS ~/.fastx_server/ directory
Your SLAC AFS ~/.fastx_server/ directory contains sensitive information which could expose your FastX X11 connections to others. This could lead to a compromise of your account, and/or unauthorized keystroke monitoring. Keystoke monitoring can capture other passwords you type, such as sudo, ssh password authentication to remote sites, or information entered in browser windows, even for https sites since the keystrokes are captured before SSL encryption is done.
Therefore, please take care in protecting access to this directory. Since this directory is in AFS space, you need to use AFS Access Control Lists (ACLs) to lock down the directory (regular Unix file modes using chmod do not work inside AFS space). The Scientific Computing Services (SCS) tool "system ranger" will automatically detect and fix any ~/.fastx_server/ directories in AFS space which are too permissive, and you will get an information email just letting you know it was fixed. If you get this email, it is only for your information, and no action is required. If necessary, the system ranger protects your ~/.fastx_server/ directory by removing the following entries from the AFS Access Control List:
system:anyuser rl
system:slac rl
system:authuser rl
Frequently Asked Questions
| Question | Answer |
|---|---|
| How do I copy/paste when using an xterm with the desktop client? | Copy and paste work just like any other program. On linux xterm, copy is highlight. Paste is middle mouse click (Command-click on a Mac laptop). Paste can also be shift+insert If you use a Mac, the usual ⌘-c for copy will not work in an xterm FastX window. |
| What makes FastX fast? | https://www.starnet.com/xwin32kb/what-makes-fastx-fast/ |
| What is the latest version of FastX? Where are the release notes? | https://www.starnet.com/xwin32kb/fastx-release-notes/ |
| How do I connect to SLAC's FastX service? | http://fastx.slac.stanford.edu:3000 or https://fastx.slac.stanford.edu:3443 You can use FastX from any browser, or you can download the client application by going to either one of those URLs and click on 'Looking for the desktop client?' |
| I get 'Permission Denied' when trying to reconnect to a session | Please report this problem to unix-admin if you see it. This problem has been seen in the past, and reported to FastX. It should be fixed in the latest versions of FastX server and clients. There are a couple of things you can try if you get this error: Connect to the specific server where your session is, instead of the load balanced name. You can do that by using one of these URLs: https://fastx-srv01.slac.stanford.edu:3443 https://fastx-srv02.slac.stanford.edu:3443 If you can connect using this method, then do a 'kinit' in your FastX xterm window to renew your AFS token. Now you should be able to use the load balanced fastx.slac.stanford.edu URL once again. |
I get a strange error message when I try to log into the browser client (or the desktop client with a Web connection) I see some output from my .cshrc in the error, and then it does not allow me to log in. | You You have to protect any echo commands in your ~/.cshrc file by testing for an interactive shell. fastx uses a non-interactive ssh connection for authentication, and any echo commands will cause it to fail. This is the same issue for scp or sftp – if you put echo commands in your .cshrc that do not test for a prompt, then scp or sftp will fail to work. The fix it to put any echo commands inside a test like this: if( ${?prompt} ) thenYou can verify you found all your non-protected echo commands by testing with a non-interactive ssh command, like this: $ ssh iris.slac.stanford.edu date If you see any echo command output besides the date, you need to either remove those echo commands, or put them inside a test for a prompt as shown above. |