darkphoenix16 n00b
Joined: 23 Apr 2003 Posts: 71 Location: Nova Scotia, Canada
Posted: Thu Jun 03, 2004 5:26 am Post subject: HOWTO: A simple, quick way for remote desktops
Hello, I have been using Gentoo for... let's see... around two years now. I've always wanted to post to the forums but I never had time due to school, or that's what I am going to say anyways. Now that I am done school I would like to *try* and help others out... so here it goes.
I have used these forums greatly and have come across people trying to set up remote desktops and having trouble. This is what I do; it's probably not the best way but it works well.
A few notes on my setup:
I have four computers at home. One is used as a router/firewall. The router has port forwarding all set up so that each computer has its own "ssh" port. For simplicity let's say they are 4444 for the computer with IP A, 5555 for the computer with IP B, and 6666 for the computer with IP C. Computer A wants to be able to hold remote sessions from computers B and C. Here's how I did it.
You will need to have gdm and ssh.
Step 1: Set up SSH
Assuming that the router is set up properly (if you are having trouble with your software router I HIGHLY recommend you try out Coyote Linux just for that purpose), we must place SSH on computers A, B, and C. Thankfully this is generally an easy task as we simply use portage.
If the other computers don't have portage you're on your own!
There are a few config files we must set up on computers A, B, and C.
Code:
    /etc/ssh/ssh_config
    #Uncomment the following lines and set to yes
    #ForwardAgent no
    #ForwardX11 no
Code:
    /etc/ssh/sshd_config
    #Uncomment and set the desired ssh port
    #Port 22
    #Uncomment and set to yes
    #X11Forwarding no
Then we start up the services. On each computer:
Code:
    rc-update add sshd default
    /etc/init.d/sshd start
Step 2: Connect to the machine
First, as in my situation, I will assume the computers are on a router/firewall.
As computer A is the computer we are on and computers B and C are our guinea pigs:
Code:
    ssh ip -l username -p port -X -C
ip is the IP of the ROUTER.
username is the user account on the computer you wish to connect to: not the router, but computer B or C.
port is the port you have set up on the router to forward to the ssh port on either computer B or C. Obviously the username and port must belong to the same computer!
-X enables X11 support.
-C gives us compression.
If you don't have a router and are simply connecting directly to the machine, you simply use that machine's IP address and port.
Note that you may get error messages about security when accessing different ports for ssh on the same machine. I don't know much about this (maybe someone reading this does?), but my quick hack is to simply delete the known_hosts file in the .ssh directory of your home.
Code:
    rm ~/.ssh/known_hosts
If you have successfully connected, test out an X app.
Code:
    /usr/X11R6/bin/xcalc
If the calculator comes up we are in business!
Step 3: Starting a remote session
Now, as GNOME has their nifty nested gdm session thingamabob, we might as well use this rather than something that requires more work. You don't need to use the GNOME desktop, just gdm. For instance, I use XFCE4 with the minimum number of gnome related packages required to have gdm run. The following command will set up a remote session.
And that's it. You should have a remote desktop in front of your eyes. Pretty simple eh? I've looked around before I posted this and I didn't see a similar post. If there is one, well... sorry!
Any comments?
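An added example (shell, not part of darkphoenix16's post): a per-host ~/.ssh/config for the three machines behind the router, with HostKeyAlias so each box keeps its own known_hosts entry, plus a function that forgets one host key instead of deleting the whole known_hosts file, which would switch off host key verification for every server you have ever connected to. The router address 203.0.113.1, the user names and the host keys are assumed placeholders; the ports are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a per-host client
# config for the three boxes behind the router from the HOWTO and shows a
# narrower fix for the known_hosts problem than deleting the whole file.
# Assumed values: router address 203.0.113.1 (documentation range), the ports
# 4444/5555/6666 from the post, placeholder user names and fake host keys.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Per-host client config (would live in ~/.ssh/config). Each alias pins its own
# port, and HostKeyAlias gives it its own known_hosts entry, so the machines that
# share the router's IP never collide on a host key. ForwardX11 and Compression
# do the job of "-X -C" for that host only, instead of turning them on for every
# connection in /etc/ssh/ssh_config.
write_client_config() {
    cat > "$1" <<'EOF'
Host boxa
    HostName 203.0.113.1
    Port 4444
    User usera
    HostKeyAlias boxa
    ForwardX11 yes
    Compression yes

Host boxb
    HostName 203.0.113.1
    Port 5555
    User userb
    HostKeyAlias boxb
    ForwardX11 yes
    Compression yes

Host boxc
    HostName 203.0.113.1
    Port 6666
    User userc
    HostKeyAlias boxc
    ForwardX11 yes
    Compression yes
EOF
}

# Constructed known_hosts with fake keys. The last line is how OpenSSH records a
# host reached on a non-default port when no HostKeyAlias is set.
write_known_hosts() {
    cat > "$1" <<'EOF'
boxb ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBBBBBBBBBBBBBBBBBBBB
boxc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYCCCCCCCCCCCCCCCCCCCC
[203.0.113.1]:4444 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYAAAAAAAAAAAAAAAA
EOF
}

# config_value FILE HOST KEY: first value of KEY inside the "Host HOST" block,
# mirroring ssh's first-match rule for a config this simple.
config_value() {
    awk -v host="$2" -v key="$3" '
        $1 == "Host" { cur = $2; next }
        cur == host && $1 == key { print $2; exit }
    ' "$1"
}

# forget_host_key FILE NAME: drop only the entry recorded under NAME (a host
# alias or "[host]:port"), keeping every other key so verification stays on.
forget_host_key() {
    awk -v name="$2" '
        { n = split($1, names, ","); keep = 1
          for (i = 1; i <= n; i++) if (names[i] == name) keep = 0
          if (keep) print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_host_keys FILE: number of entries left in a known_hosts file.
count_host_keys() {
    grep -c '' "$1"
}

# Demo run on scratch copies of the two files.
write_client_config "$WORK/config"
write_known_hosts "$WORK/known_hosts"
echo "boxb is reached on port $(config_value "$WORK/config" boxb Port)"
echo "known_hosts entries before: $(count_host_keys "$WORK/known_hosts")"
forget_host_key "$WORK/known_hosts" boxb      # e.g. after reinstalling box B
echo "known_hosts entries after:  $(count_host_keys "$WORK/known_hosts")"
# With the real files: "ssh boxb" is the post's "ssh ip -l userb -p 5555 -X -C".
```

With the config in place, `ssh boxb` replaces the long command line from the post, and a changed key on one box only ever needs that box's entry forgotten.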
tscolari l33t
Joined: 02 May 2004 Posts: 602 Location: curitiba - pr - Brazil
Posted: Thu Jun 03, 2004 5:39 am
Just a question: what's the difference between openssh and ssh?
Both are there for emerge.
ajtidball n00b
Joined: 30 May 2004 Posts: 7
Posted: Thu Jun 03, 2004 6:50 am
tscolari wrote:
    Just a question: what's the difference between openssh and ssh?
    Both are there for emerge.
This says it better than I can:
http://www.openssh.com/
zaiyon Apprentice
Joined: 19 May 2004 Posts: 219 Location: Germany
Posted: Wed Sep 15, 2004 9:04 pm
One question: I have got a machine without X, my "allround" server, which is my primary ssh daemon too. I usually connect to my workstation over it... so how can I get X11 to be forwarded through that non-X11 machine? I tried your howto way, but it does not work like this. Do you have any idea for me?
ian! Bodhisattva
Joined: 25 Feb 2003 Posts: 3829 Location: Essen, Germany
Posted: Wed Sep 15, 2004 9:23 pm
Moved from N&S.
darkphoenix16 n00b
Joined: 23 Apr 2003 Posts: 71 Location: Nova Scotia, Canada
Posted: Thu Sep 16, 2004 12:03 am
I'm not sure I understand 100%.
If you wanted to forward an X server app you would need an X server on your server. If you are trying to use X11 apps on another non-X11 machine I would recommend TightVNC.
Just emerge tightvnc and use the vncserver script. Right off the bat it won't be secure, but you can tunnel it using ssh. There are plenty of tutorials on this.
zaiyon Apprentice
Joined: 19 May 2004 Posts: 219 Location: Germany
Posted: Thu Sep 16, 2004 6:13 am
Thanks for the answer, but that's not what I meant. I really want X11, not VNC, and forwarding works just fine. My problem is that I connect to my workstation from the server from the outside, so that means to me:
somewhere...:
Code:
    $ ssh -XC myserver.mydomain
    $ ssh -XC myworkstation
but I want to have X11 forwarding from myworkstation to somewhere, not on the server... so it just has to be delivered, not used... Is this somehow possible?
darkphoenix16 n00b
Joined: 23 Apr 2003 Posts: 71 Location: Nova Scotia, Canada
Posted: Thu Sep 16, 2004 1:16 pm
Interesting... So you want to first get into your server using ssh. Then once in your server you again ssh into the workstation. Then you finally try to use X11 apps on your workstation?
So:
Code:
    some.computer $ ssh -flags myserver.mydomain              (your ssh)
    some.computer.myserver $ ssh -flags myworkstation         (server's ssh)
    some.computer.myserver.workstation $ xcalc                (workstation's xcalc)
Is the above your situation?
If so, can you tell me the output you get? Maybe the X11 info is being sent to the server and not to you.
In my situation I had a server too, without X. I had port forwarding set up so that when I accessed port 4444 on the server it relayed that to port 22 on the client connected to the server. The client connected to the server had ssh set up to listen on port 22 with X11 forwarding enabled. ssh on the server wasn't present as it wasn't necessary. The command I wrote (with fake IPs) was:
Code:
    ssh 555.555.555.555 -l phoenix -p 4444 -X -C
where 555.555.555.555 was the address of the server, and I already said what port 4444 was for.
This connected me to my client box and the server just acted as a middleman relaying information between us.
Maybe that helps? If not, I'll keep trying until you get too frustrated. If you are getting errors on any machine, post them. It makes it easier.
zaiyon Apprentice
Joined: 19 May 2004 Posts: 219 Location: Germany
Posted: Thu Sep 16, 2004 1:44 pm
Thanks, I've been too stupid to think about that solution. I could just redirect everything received on port 4444 from my router to my workstation, and port 22 connections to my server. That of course works, but it is kinda not the nice way... Is there no other way to "tunnel" the data through ssh, over the server, from client to client? If you find a way, please tell me; I'll use the port forwarding way until that day comes.
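An added example, not from any poster in the thread: the client-to-client path zaiyon is asking about, with the server used only as a jump host through OpenSSH's ProxyJump option. ProxyJump arrived in OpenSSH 7.3, long after the 2004 releases discussed here; older releases express the same thing with ProxyCommand and "ssh -W". The workstation's internal address 192.168.1.10 and the user name are assumed, and the chain resolver is written for this example, not an ssh feature.

```shell
#!/bin/sh
# Added example, not from any post in the thread. The outside machine keeps a
# ~/.ssh/config in which the workstation is reached through the server; ssh
# opens the second hop inside the first, and X11 forwarding is negotiated end to
# end, so the server relays bytes without needing an X server or DISPLAY.
# Assumed: workstation at 192.168.1.10, user "zaiyon", OpenSSH 7.3 or newer.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Config for the outside box ("somewhere" in the thread). Only myserver is
# reachable from the Internet; myworkstation is reached through it.
write_jump_config() {
    cat > "$1" <<'EOF'
Host myserver
    HostName myserver.mydomain
    User zaiyon

Host myworkstation
    HostName 192.168.1.10
    User zaiyon
    ProxyJump myserver
    ForwardX11 yes
    Compression yes
EOF
}

# jump_chain FILE HOST: print the hosts ssh would connect to, in order, to
# reach HOST, following ProxyJump entries through any number of hops. A loop in
# the config is reported as an error instead of spinning forever.
jump_chain() {
    awk -v target="$2" '
        $1 == "Host"      { cur = $2; next }
        $1 == "ProxyJump" { jump[cur] = $2 }
        END {
            chain = target; h = target; n = 0
            while (h in jump) {
                if (++n > 16) { print "ERROR: ProxyJump loop at " h; exit 1 }
                h = jump[h]
                chain = h " -> " chain
            }
            print chain
        }
    ' "$1"
}

write_jump_config "$WORK/config"
echo "path to myworkstation: $(jump_chain "$WORK/config" myworkstation)"
# Real use, once the config is in ~/.ssh/config on the outside machine:
#   ssh myworkstation      then, in that shell:   xcalc
```

The practical difference from the port-forwarding approach in the thread is that nothing on the router points at the workstation; the server is the only machine exposed, and its sshd sees one ordinary session.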
darkphoenix16 n00b
Joined: 23 Apr 2003 Posts: 71 Location: Nova Scotia, Canada
Posted: Thu Sep 16, 2004 1:56 pm
Yah, I like using strange ports like 4444 so hackers won't know where to look for entry points. I am sure they attack known open ports like 22, 21, 80, so I just close them up and use other random ones.
I am not sure if there is another way to tunnel the data (other than front-ends and utilities that do the same thing). I'll let you know if I find one though.
And don't be too hard on yourself.
ljuti n00b
Joined: 11 Sep 2004 Posts: 3
Posted: Thu Sep 16, 2004 6:51 pm
Slightly OT, but do not ever rely on security through obscurity. Using "strange ports" won't make you any safer, because a quick port scan reveals them anyway.
Just try
Code:
    $ nmap -v -sT localhost
and see the results. Your unknown-to-all-hackers port should very quickly become general knowledge.
You might as well keep that SSH bound to 22 so you don't have to mess with all the configurations and apps harnessing ssh(d).
darkphoenix16 n00b
Joined: 23 Apr 2003 Posts: 71 Location: Nova Scotia, Canada
Posted: Fri Sep 17, 2004 2:30 am
I stand corrected.
BlindSpy Apprentice
Joined: 20 Mar 2004 Posts: 263
Posted: Fri Sep 17, 2004 1:01 pm
GREAT GUIDE! I've always known about the ssh config settings but never enough to know how to properly set it up and use the GNOME session thing; that's just cool. Great great work. Took me about 10 minutes to read/do completely though and worked great.
nightblade Guru
Joined: 20 Jul 2004 Posts: 368 Location: back from SE Asia
Posted: Fri Sep 17, 2004 2:33 pm
ljuti wrote:
    Slightly OT, but do not ever rely on security through obscurity. Using "strange ports" won't make you any safer, because a quick port scan reveals them anyway.
    Just try
    Code:
        $ nmap -v -sT localhost
    and see the results. Your unknown-to-all-hackers port should very quickly become general knowledge.
I agree with you that changing the port of the ssh daemon will not deter a determined attacker from figuring out that you have an ssh server listening (a simple netcat connection will show you a clear OpenSSH banner with version and everything).
Still, it will hide you from script kiddies that scan thousands of IP addresses looking for open well-known ports.
In the end, changing the port will not stop somebody actively trying to hack you, but for sure will keep away a lot of casual observers. Not the ultimate security hack, but still useful.
...sorry for the slight OT
p.s.: You should add "-p 1-65535" to your nmap scan. Otherwise you will only check the ports that appear in the nmap-services file (~1600 ports, as far as I remember), and if I set my server to listen on a port that is not in that file, the nmap scan will miss it...
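An added example, not from any post in the thread, on the inventory side of the port discussion above: rather than asking a scanner what it can find (and trusting its default port list, which nightblade notes can skip a non-standard port), read the listening TCP sockets straight from the kernel's /proc/net/tcp table on the host itself. The table used here is constructed for the example; on a real Linux box the same functions take /proc/net/tcp.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses a /proc/net/tcp-format table
# and reports which TCP ports are in LISTEN state and whether each one is bound
# to every interface or only to the loopback address. The sample table below is
# constructed: sshd on 22 and on 4444 (the HOWTO's router port), a VNC server
# on 5901 bound to 127.0.0.1, and one established connection that must not be
# counted as a listener.
set -eu

SAMPLE_TCP=$(mktemp)
trap 'rm -f "$SAMPLE_TCP"' EXIT

# /proc/net/tcp layout: local_address is hex IP (little-endian) : hex port,
# st is the socket state, 0A = LISTEN, 01 = ESTABLISHED.
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0A01A8C0:115C 0B01A8C0:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
EOF

# hex_to_dec HEXPORT: "0016" -> 22
hex_to_dec() {
    printf '%d\n' "$((0x$1))"
}

# listening_ports FILE: decimal ports in LISTEN state, sorted, space separated.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hexport; do hex_to_dec "$hexport"; done |
    sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# listener_scope FILE PORT: "all" if something listens on 0.0.0.0:PORT,
# "local" if only on a specific address such as 127.0.0.1, "none" otherwise.
listener_scope() {
    awk -v port="$(printf '%04X' "$2")" '
        NR > 1 && $4 == "0A" {
            split($2, a, ":")
            if (a[2] == port) {
                if (a[1] == "00000000") all = 1; else local = 1
            }
        }
        END { print (all ? "all" : (local ? "local" : "none")) }
    ' "$1"
}

echo "listening ports: $(listening_ports "$SAMPLE_TCP")"
for p in 22 4444 5901 6666; do
    echo "port $p: $(listener_scope "$SAMPLE_TCP" "$p")"
done
```

This is the check to run after moving sshd to another port: it shows what the host actually exposes, independent of which ports a scanner happens to probe, and it makes the difference between a service bound to localhost (as the VNC tunnel setups later in the thread intend) and one bound to all interfaces visible at a glance.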
koroumel Guru
Joined: 17 Jun 2004 Posts: 339 Location: Athens, Greece
Posted: Wed Sep 22, 2004 1:22 pm
I have a hardware firewall/router, into which... I cannot ssh (obviously). Is this solution still usable? And by the way, if I log in through GDM, and let D4X download, if I disconnect and then reconnect, will I have to relogin? And if so, will I see the same desktop (and D4X I left running) as before? gemvnc is too slow to rely on, so will this thread be a replacement?
darkphoenix16 n00b
Joined: 23 Apr 2003 Posts: 71 Location: Nova Scotia, Canada
Posted: Thu Sep 30, 2004 2:06 pm
Hi, thanks for the good comments. I'm glad others have gotten use out of it.
You can use this technique with a firewall/router, you just have to make sure the proper ports are open so that you can connect.
I'm not too sure, but in the ssh configs you can set which X display you log in to. If you set that one to zero, and were also logged in at home, I believe you would be able to start a program up and it would also start up at home. This way when you start an app remotely and then log out, it should still be there and progressing when you log in later as there is an instance of it at home. Does that make sense? Can anyone confirm this?
vdboor Guru
Joined: 03 Dec 2003 Posts: 592 Location: The Netherlands
Posted: Fri Oct 01, 2004 2:12 pm
Hi,
I've read your tutorial, and there is one thing I have to mention: you don't need to enable ForwardX11 by default in ssh_config (the client config); just use the -X switch if you want to enable X11 forwarding for your session. There is a reason why these options are off by default.
From the ssh_config manual:
Code:
    ForwardAgent
        Specifies whether the connection to the authentication agent (if
        any) will be forwarded to the remote machine. The argument must be
        ``yes'' or ``no''. The default is ``no''.
        Agent forwarding should be enabled with caution. Users with the
        ability to bypass file permissions on the remote host (for the
        agent's Unix-domain socket) can access the local agent through the
        forwarded connection. An attacker cannot obtain key material from
        the agent, however they can perform operations on the keys that
        enable them to authenticate using the identities loaded into the
        agent.
    ForwardX11
        Specifies whether X11 connections will be automatically redirected
        over the secure channel and DISPLAY set. The argument must be
        ``yes'' or ``no''. The default is ``no''.
        X11 forwarding should be enabled with caution. Users with the
        ability to bypass file permissions on the remote host (for the
        user's X11 authorization database) can access the local X11 display
        through the forwarded connection. An attacker may then be able to
        perform activities such as keystroke monitoring if the
        ForwardX11Trusted option is also enabled.
Btw, also try "ssh -X -C" to enable some additional compression.
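An added example (not from vdboor's post or the OpenSSH manual) that turns the manual text above into a check: it audits an ssh_config for the forwarding options the manual says to enable with caution and reports whether each one is switched on globally, for every host, or only inside a named Host block. The config it reads is constructed here to mirror what the HOWTO asks readers to do; the option names and their "no" defaults are as quoted from the manual.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Flags ForwardAgent,
# ForwardX11 and ForwardX11Trusted set to "yes" in a client config, with the
# scope they apply to: GLOBAL (outside any Host block, or under "Host *") or
# HOST:<name> (one named host only). The sample config is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed ssh_config: the two global lines are what the HOWTO recommends;
# the boxb block is the per-host alternative; "Host *" is global under another
# spelling and is the most common way ForwardX11Trusted ends up on everywhere.
write_sample_config() {
    cat > "$1" <<'EOF'
# Global section
ForwardAgent yes
ForwardX11 yes

Host boxb
    HostName 203.0.113.1
    Port 5555
    ForwardX11 yes

Host *
    ForwardX11Trusted yes
EOF
}

# audit_forwarding FILE: one line per risky option enabled, "<scope> <option>".
audit_forwarding() {
    awk '
        BEGIN { scope = "GLOBAL" }
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "Host" { scope = ($2 == "*") ? "GLOBAL" : ("HOST:" $2); next }
        ($1 == "ForwardAgent" || $1 == "ForwardX11" || $1 == "ForwardX11Trusted") \
            && tolower($2) == "yes" { print scope, $1 }
    ' "$1"
}

# global_findings FILE: how many of the risky options apply to every host.
global_findings() {
    audit_forwarding "$1" | grep -c '^GLOBAL' || true
}

write_sample_config "$WORK/ssh_config"
audit_forwarding "$WORK/ssh_config"
echo "globally enabled risky options: $(global_findings "$WORK/ssh_config")"
# On a real client: audit_forwarding /etc/ssh/ssh_config; audit_forwarding ~/.ssh/config
```

A clean result for a workstation following vdboor's advice is zero GLOBAL lines: forwarding is then either requested per session with -X, or enabled for the specific host that needs it.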
darkphoenix16 n00b
Joined: 23 Apr 2003 Posts: 71 Location: Nova Scotia, Canada
Posted: Sat Oct 02, 2004 2:01 pm
Ok, cool. Thanks.
CarlUman Apprentice
Joined: 07 Jul 2004 Posts: 158 Location: SE Iowa
Posted: Mon Oct 04, 2004 4:58 pm
RE ssh_config
I know you comment a full line by putting # at the start of the line, but I'm getting an error on some of the lines where I have # to add a comment to the end of a line. Is there a way to put a comment on a line like this...
Code:
    ForwardAgent no # comment here
Thanks
Carl
EDIT:
Fixed spelling; my fingers must not have been working (I'll blame it on the cold weather).
CarlUman Apprentice
Joined: 07 Jul 2004 Posts: 158 Location: SE Iowa
Posted: Wed Oct 06, 2004 1:11 pm
Bump for any ideas on my question (see previous post).
Lepaca Kliffoth l33t
Joined: 28 Apr 2004 Posts: 737 Location: Florence, Italy
Posted: Thu Oct 07, 2004 8:18 am
Thanks! Helped me too.
RiverRat n00b
Joined: 07 Oct 2004 Posts: 65 Location: Colorado
Posted: Thu Oct 07, 2004 9:28 am
There is another way to do the full Gnome session remotely as well, but it eludes me at the moment. These little tricks are excellent to know but exceptionally hard to find. Here is another one:
Log into a Linux system graphically (either w/ [xgk]DM or startx).
Go to one of the text consoles and log in.
Type "startx -- :1" (and another X session is started).
I don't see why you couldn't log in twice w/ the same user name, but every program that you run twice (including gnome-session) has the potential for some serious race conditions. That is why I use it primarily for root to log in without me, and all of the crap that stays open for months at a time on my computer, having to close down and log off. By the way you can use the command multiple times; just increment the display number (:1, :2...) each time and see how much memory you can consume!!!
Tres
senduran n00b
Joined: 05 Aug 2005 Posts: 71
Posted: Mon Oct 09, 2006 1:31 pm Post subject: Re: HOWTO: A simple, quick way for remote desktops
darkphoenix16 wrote:
    If you have successfully connected, test out an X app.
    Code:
        /usr/X11R6/bin/xcalc
    If the calculator comes up we are in business!
I get this far (well, using xclock since I don't have xcalculator), but...
Quote:
    Step 3: Starting a remote session
    Now, as GNOME has their nifty nested gdm session thingamabob, we might as well use this rather than something that requires more work. You don't need to use the GNOME desktop, just gdm. For instance, I use XFCE4 with the minimum number of gnome related packages required to have gdm run. The following command will set up a remote session.
    And that's it.
I have a working XFCE4 setup (works directly on the server, I start it up with 'startxfce4'), have installed gdm, but when I try and use gdmflexiserver -n I get a flash of a large white window and then an error window 'Cannot start new display / The X server failed. Perhaps it is not configure well.'. How do I configure it well, and/or what constitutes 'the minimum number of gnome related packages required to have gdm run'?
squeegee n00b
Joined: 04 Nov 2005 Posts: 10
Posted: Thu Dec 28, 2006 5:44 pm
Well, this is what I do, with TightVNC.
1. Start an ssh session (sshd set up to only allow authentication by key).
2. Run a startvnc script on the server, which only accepts a single connection, on localhost only, and cannot be disconnected by another user.
Code:
    #!/bin/sh
    vncserver :1 -geometry 1024x768 -depth 16 -pixelformat rgb565 -localhost -nevershared -dontdisconnect
3. At home, run a script to set up the tunnel.
Code:
    #!/bin/sh
    ssh -2 -CL 5902:localhost:5901 [myserver].com
4. At home, run a script to start vncviewer (jpeg quality 4 is fine for me).
Code:
    #!/bin/sh
    vncviewer -quality 4 -encodings tight localhost:2
It asks for my password, and then opens the desktop.