whjeon Tux's lil' helper
Joined: 20 Nov 2017 Posts: 82 Location: Seoul,Korea(Republic of)
Posted: Sun Feb 25, 2018 5:11 pm Post subject: [SOLVED]Can I access to my gentoo desktop at school with lap
So, I have a gentoo desktop in my home and want to use that machine with my laptop at school.
(to compile something or do development while listening to class.)
I mean I don't want that desktop to be used as a media server.
I just want to use the machine while I'm not sitting in front of it.
Can I achieve this? If I can, how?
Last edited by whjeon on Tue Feb 27, 2018 12:43 am; edited 1 time in total
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
whjeon Tux's lil' helper
Joined: 20 Nov 2017 Posts: 82 Location: Seoul,Korea(Republic of)
Posted: Sun Feb 25, 2018 6:38 pm Post subject:
Jaglover wrote:
> Do you have a public IP address at home? Some ISPs do NAT.

Yes, I think I have. But if you can provide a way to find out, I can make sure.
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sun Feb 25, 2018 7:00 pm Post subject:
whjeon,
You need to look at your router and compare its IP address with those listed here.
These are non-routable IPs. As long as your router's internet address is not one of those, then you can use ssh to reach your home systems.
Your router will do NAT. You can tell which interface in your router is which, as one of them will be in the same range as your PC.
ifconfig will show that.
Code:
    $ ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.100.20 netmask 255.255.255.0 broadcast 192.168.100.255
    inet6 fe80::2e0:4cff:fe69:1509 prefixlen 64 scopeid 0x20<link>
    inet6 2a02:8010::1509 prefixlen 64 scopeid 0x0<global>
From my PC now, inet 192.168.100.20 is a private NATted IPv4 address. My router has my public IPv4 address.
inet6 fe80::2e0:4cff:fe69:1509 is an IPv6 self-assigned address, like the 169.254.0.0/16 IPv4 range.
inet6 2a02:8010::1509 is a public (well firewalled) IPv6 address.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
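An added example, not from this thread: a small POSIX sh classifier for the "is my router's WAN address public or non-routable?" check NeddySeagoon describes. It covers the RFC 1918 private ranges, the carrier-grade NAT range 100.64.0.0/10 (what an ISP that does NAT typically hands out), the 169.254.0.0/16 link-local range mentioned above and loopback; the function names are my own.

```shell
# Added example: classify an IPv4 address so you can tell whether the WAN
# address your router reports is really public, or a non-routable one
# (meaning the ISP is doing NAT and inbound ssh will not reach you).
# Ranges: RFC 1918 private, RFC 6598 carrier-grade NAT (100.64/10),
# link-local 169.254/16 and loopback 127/8.

# Convert a.b.c.d to a 32-bit integer; prints nothing and fails on bad input.
ipv4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # reject empty, non-numeric and leading-zero octets (08 would be read as octal)
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when integer address $1 lies inside network $2 with prefix length $3.
in_cidr() {
    mask=$(( 4294967295 & ~((1 << (32 - $3)) - 1) ))
    [ $(( $1 & mask )) -eq $(( $2 & mask )) ]
}

# Print one of: private, cgnat, link-local, loopback, public (or invalid).
classify_ipv4() {
    ip=$(ipv4_to_int "$1") || { echo invalid; return 1; }
    if   in_cidr "$ip" "$(ipv4_to_int 10.0.0.0)" 8 \
      || in_cidr "$ip" "$(ipv4_to_int 172.16.0.0)" 12 \
      || in_cidr "$ip" "$(ipv4_to_int 192.168.0.0)" 16; then echo private
    elif in_cidr "$ip" "$(ipv4_to_int 100.64.0.0)" 10;  then echo cgnat
    elif in_cidr "$ip" "$(ipv4_to_int 169.254.0.0)" 16; then echo link-local
    elif in_cidr "$ip" "$(ipv4_to_int 127.0.0.0)" 8;    then echo loopback
    else echo public
    fi
}

# Usage: ./classify.sh <address>; defaults to the inet value from the ifconfig output above.
classify_ipv4 "${1:-192.168.100.20}"
```

Run it against the WAN/internet address shown on the router's status page: anything other than "public" means inbound connections will not reach you without help from the ISP.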
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sun Feb 25, 2018 7:06 pm Post subject:
Enable WAN ping on your router and try to ping it from school. You probably have to make changes in /etc/ssh/sshd_config because I think the default is to not allow logins from the internet. For safety's sake I would not allow root logins from the internet. You can always log in and then "su -" anyway.
I'm not sure how to reach a particular box behind the router, but I'd sure like to know.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sun Feb 25, 2018 7:17 pm Post subject:
Tony0945,
That's what port forwarding is for :)
I'm sure we will get to that.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Sun Feb 25, 2018 7:19 pm Post subject:
I've found no standard format for port forwarding, but I've never had a hard time setting it up.
My only advice is to move the standard ssh port and only open a single port to a single non-root user. Security through obscurity and all that.
_________________
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sun Feb 25, 2018 8:02 pm Post subject:
Also, since this is a new setup, take the opportunity to disable password-based authentication. Require clients to use a key to authenticate.
whjeon Tux's lil' helper
Joined: 20 Nov 2017 Posts: 82 Location: Seoul,Korea(Republic of)
Posted: Sun Feb 25, 2018 8:23 pm Post subject:
Hu wrote:
> Also, since this is a new setup, take the opportunity to disable password-based authentication. Require clients to use a key to authenticate.

What does it mean exactly?
Sorry for asking a lot, but I'm quite a newbie.
Thanks for your help!
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sun Feb 25, 2018 8:58 pm Post subject:
whjeon,
There are two ways to log into your home PC with ssh.
With the username and password
With the username and a key pair.
There are lots of scripts on the internet trying to guess usernames and passwords for ssh.
They will find you too if you use the default port of 22.
Everyone has a user called root - that's 50% of the information an attacker needs.
By default, root is not allowed to log in with a password over ssh.
You can play with ssh for testing sat at your own console.
Start sshd if it's not running. Leave the default configuration for now.
As your normal user, do at the prompt, give your user password.
That will work and you are connected over the lo interface to your system.
The who command
Code:
    $ who
    roy tty1 2018-02-25 14:24
    roy pts/1 2018-02-25 20:41 (::1)
will show you logged in normally and again using a pseudo tty. That's ssh. ::1 is IPv6, IPv4 will show 127.0.0.1
Logout from ssh.
This time try It will do the password dance but even if you give the right password, it will be rejected.
Add your normal user to the wheel group if you will need remote root access. Then you ssh in as your normal user and use su to become root, or sudo su, so you don't need root's password.
So far so good, but an attacker could still guess your username and password.
Generate a key pair with ssh-keygen. Choose a good pass phrase. Put the public part in ~/.ssh/authorized_keys. Keep the private part private.
You will need it on your laptop later.
When you log in over ssh now, you will be asked for the pass phrase for the key. Once that works, turn off password logins altogether.
Attackers now need your private key and pass phrase to log into your system.
You can test and configure all this over the lo interface without risking your system on the big bad internet.
You should do it that way, so you don't leave anything to chance.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
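An added example, not from this thread: a POSIX sh audit of an sshd_config against the three things the posters above ask for before the port is opened to the internet (password logins off, root login off, a port other than 22). sshd honours the first occurrence of a keyword and treats keywords case-insensitively, which the parser mirrors; the two sample configs are constructed for the demo and the function names are my own.

```shell
# Added example: check sshd_config for the settings recommended in this thread.
# sshd uses the FIRST value given for a keyword, keywords are case-insensitive,
# and anything after the first "Match" line is conditional, so it is skipped.

# Print the effective global value of keyword $2 in config file $1 (empty if unset).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"             { exit }   # end of the global section
        tolower($1) == key                 { print $2; exit }
    ' "$1"
}

# Report every weak setting; return 0 only when all checks pass.
# Unset keywords fall back to the OpenSSH defaults: yes, prohibit-password, 22, yes.
audit_sshd_config() {
    rc=0
    pw=$(sshd_setting "$1" PasswordAuthentication)
    root=$(sshd_setting "$1" PermitRootLogin)
    port=$(sshd_setting "$1" Port)
    pubkey=$(sshd_setting "$1" PubkeyAuthentication)
    [ "${pw:-yes}" = no ] || { echo "weak: PasswordAuthentication ${pw:-yes} (want no)"; rc=1; }
    [ "${root:-prohibit-password}" = no ] || { echo "weak: PermitRootLogin ${root:-prohibit-password} (want no)"; rc=1; }
    [ "${port:-22}" != 22 ] || { echo "weak: Port 22 (move off the default to cut scanner noise)"; rc=1; }
    [ "${pubkey:-yes}" != no ] || { echo "broken: PubkeyAuthentication no (key logins would fail)"; rc=1; }
    return $rc
}

# Constructed sample: the state right after "leave the default configuration for now".
default_cfg=$(mktemp)
cat > "$default_cfg" <<'EOF'
#Port 22
PermitRootLogin prohibit-password
# PasswordAuthentication yes
EOF
# Constructed sample: after following the advice in this thread.
hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

echo "default config:";  audit_sshd_config "$default_cfg"  || true
echo "hardened config:"; audit_sshd_config "$hardened_cfg" && echo "ok"
```

Point it at the real file with `audit_sshd_config /etc/ssh/sshd_config`; do this from the console over lo, as NeddySeagoon suggests, before exposing the port.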
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sun Feb 25, 2018 9:06 pm Post subject:
The Doctor wrote:
> I've found no standard format for port forwarding, but I've never had a hard time setting it up.
> My only advice is to move the standard ssh port and only open a single port to a single non-root user. Security through obscurity and all that.

There's a "standard", UPnP, but not all routers support it properly and it isn't designed for permanent port forwarding. The upnpc command (from net-libs/miniupnpc) can be quite useful though because it can also query your public IPv4 address without asking an external website.
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Sun Feb 25, 2018 10:03 pm Post subject:
Ant P., I was referring to the GUI user interface each manufacturer offers on the unit, but the point is well taken.
_________________
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Mon Feb 26, 2018 1:29 pm Post subject:
The Doctor wrote:
> Ant P., I was referring to the GUI user interface each manufacturer offers on the unit, but the point is well taken.

Ah! I brought up the web interface of my DLink router and followed the menu from Loginpage->Advanced->PortForwarding, where a menu is set up with some help text. It seems like you can tie a game (known ports I'm sure) to a computer, or a port or port range to a particular computer by name or local net address. Very simple. But what if I want to log in to multiple computers? I could use multiple addresses, but then how would the local computers ssh into each other? Multiple ssh instances?
Just asking out of curiosity. The one case I'm interested in is logging into my sister's gentoo computer, which I set up for her a thousand miles away, for maintenance. There is only one computer on that net.
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Mon Feb 26, 2018 1:36 pm Post subject:
Tony0945 wrote:
> I could use multiple addresses but then how would the local computers ssh into each other? Multiple ssh instances?

If they are all behind the same NAT, you just need to access one; once you have access to this one, you use it to access the others.
So my default forward rule is set up to reach "beleg"... and once you are in beleg, access the others.
Code:
    outside> ssh myip
    beleg> ssh faramir
    faramir> ssh hurin
    ...
I should have said: note that beleg ssh-ing to faramir doesn't imply any port forwarding; now that you are in beleg, you're doing local access. The first time you access myip you are accessing my router, which then applies the forwarding rule to reach ssh on beleg, but once you are in beleg, you no longer ssh "to the router" when doing ssh faramir.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Mon Feb 26, 2018 1:43 pm Post subject:
krinn wrote:
> If they are all behind the same nat, you need to just access one, once you had access to this one, you use this one to access other

Yes. I've done this on the LAN, sometimes coming back to the initial machine, which generates "Man in the Middle" warnings.
Sorry, I just got up and am checking e-mail while drinking my first coffee of the day.
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Mon Feb 26, 2018 1:48 pm Post subject:
Tony0945 wrote:
> krinn wrote:
> > If they are all behind the same nat, you need to just access one, once you had access to this one, you use this one to access other
> Yes. I've done this on the LAN, sometimes coming back to the initial machine which generates "Man in the Middle" warnings.
> Sorry, I just got up and checking e-mail while drinking my first coffee of the day.

I do that too.
You can ssh to faramir from beleg, and then ssh to beleg from faramir; that's when you forget the exit command exists.
Gonna get myself another coffee now that you speak about it.
It's funny to think about the security paradox of key vs password login because of that.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Mon Feb 26, 2018 2:33 pm Post subject:
Tony0945,
If you only have one public IP, which is the usual case, you can do port forwarding on different ports to different hosts.
sshd can listen on any port you want.
This means that you need to use
Code:
    ssh -p xxx <public_IP>
to reach the right internal machine.
I use this to connect to the KVMs on my rented server.
I could pay another <currency_unit> per month per extra IP. That mounts up but I have lots of spare ports.
I also have IPv6, so I get a whole /64, so I'm not exactly short of IP addresses.
Each KVM has a /96 to itself, that's the same as the entire IPv4 address space.
At home, it gets sillier, I get a /64 just for my uplink (that's one used IP) and a /48 for my subnets.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Mon Feb 26, 2018 11:39 pm Post subject:
Thanks, NeddySeagoon. I will remember that. Better, I will start making a web page on my internal server with these tips.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Mon Feb 26, 2018 11:46 pm Post subject:
Tony0945,
Share it with the community - put it on the Gentoo Wiki or improve an existing page.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
whjeon Tux's lil' helper
Joined: 20 Nov 2017 Posts: 82 Location: Seoul,Korea(Republic of)
Posted: Tue Feb 27, 2018 12:42 am Post subject:
Tony0945 wrote:
> Thanks, NeddySeagoon. I will remember that. Better, I will start making a web page on my internal server will these tips.

And also share that page with me!
Thanks!