Old 12-21-2008, 11:59 PM
alan c
 
Default ssh and vnc

andrew heggie wrote:
> alan c wrote:
>
>>> I was going to start by setting up a ssh server on it and trying to log
>>> in from this hardy box but openssh doesn't seem to be in the repository,
>>> is there another program that's supported and just the same?
>>
>>
>> I am just recently doing this for an elderly friend (88 years, first
>> PC......, wants to do shopping on tesco direct).
>
> It's for my father-in-law 86, he was going to buy a pc but his son had
> windows virus problems and he's been put off. I wanted to give him a pc and
> tell him not to worry about anything as he couldn't affect it. I've
> installed kubuntu hardy with 3.5 on the gifted box, from a member of my
> lug. It's p4 1.6G Gateway. It's just updating now and that's one of the
> reasons I'm not keen on this full install, because it will receive a lot of
> updates for programs he'll never use and I might have to access the
> internet by a 3g modem as he hasn't broadband yet. I've stuck with Kubuntu
> because I can use linux but am not at all competent with it. I'm minded to
> stick puppy in the cd tray and a usb stick and run from that, possibly with
> no hdd. We were recently given a talk at a lug meeting by a chap that had
> done something similar but used debian and cut it down himself. He also
> configured some high contrast skins and changed system fonts to large
> verdana.
>
>
>> It is going quite
>> well so far. My initial problems were related to the difficulty or
>> maybe impossibility - of using my local LAN to do tests. The nearly
>> final tests were to use the full internet address of the target PC (ssh
>> server machine) trying to log in to it, using my laptop (ssh client
>> machine), where both machines were (conveniently) inside my own local LAN.
>
> This is going to challenge me, I've not even networked computers before
> despite having up to four in the house. I'm using two routers, dhcp
> disabled on one, on the same subnet which gives me wireless and 6 ethernet
> ports.
>
> By full internet address do you mean something like
> bill@nameofcomputer.fullipaddressortnumber?

I use
bill@[full IP address]
the name of computer is not needed if the IP is given.
The port numbers are used differently, please see below near to the end.


>> I am using vnc in a ssh tunnel, and non standard ports
>
> Could you pad this out a bit please?
>
> I'd like to know the order of doing things to make the ssh tunnel and then
> run vnc whilst at home and then I guess I'll take the pc over at christmas!

(I am not any expert, so if one reads this and can correct or add
stuff, please do so?)

your machine is the ssh client
login for user 'bill' (his machine) is the ssh server

make sure the target machine (bill's) has ssh server installed and
that your machine that you will use to connect from has the ssh client
installed (openssh-server, openssh-client that is)

It is not essential to use keys that you specially generate - that is,
public and private key pairs, but it is an advantage I think,
particularly since you have both machines with you at present. I found
note1 useful here.

You can easily generate a key pair on each machine. The private key
stays with its machine (in principle) and its public key gets copied
to other machines that will talk to it. This applies to each machine
in turn. The key pairs can be copied for reference to a usb stick of
yours and kept by you in a safe place. I have not fully understood key
pairs yet.

The general technique of configuration and testing is to initially set
up an ssh communication between the two machines. This can be done
within your local network initially for test, then later over the
internet. Ideally each machine should be allocated a fixed IP inside
your LAN now and later also for bill's machine in his LAN so that you
know what the IP are and they will not change in the middle of tests
or whatever.

Assuming that while things are only inside your own LAN, your client
machine is
192.168.1.100
and that bill's machine (server) is
192.168.1.101

then from your machine use commands:
ssh bill@192.168.1.101

should get a sensible response probably a warning that the remote
machine is unknown (no keys yet) and it is this or that fingerprint,
and do you want to connect to it? If you accept, the ID key of the
remote machine will be added to a file in your machine for reference.
Note: the key I think may be different when seen across the internet
(not sure). The real trick in this sort of situation is to be certain
that the target machine really is the one you expect, and that in
principle there is no third party interception at this initial stage.
Inside your local LAN this is trivial.

Once you know that ssh is working inside your lan, you can be more
ambitious.

Again, inside your LAN it is easy to get VNC working. I usually use
kubuntu 8.04 but in this case I have been using ubuntu 8.04 (easy to
have both as alternate sessions at login, anyway), so some apps might
be ubuntu based, although I think they are also available in kubuntu.

Set remote desktop (this is the VNC server) in bill's machine to allow
others to control it, maybe with a password. Do not set it to use
encryption; I do not think it is working yet, and anyway you expect to use
ssh and a tunnel so there is no need for yet more encryption. Do not
set ask for confirmation - you may not want that level of interaction
the other end.

Then from your own machine:
vncviewer 192.168.1.101

or maybe
vncviewer 192.168.1.101:0
I think they both work for me.

and you should connect to bill's machine inside your LAN.

So now you have had ssh working and vnc working both inside your LAN.

(exit or ctrl-c will close a process in a terminal if you need to)

VNC expects to use port identities 5900 I think, and if you did not
use any tunnel in ssh process, and if you were doing it all over the
internet (not just inside your LAN) then you would have to somehow get
through to port 5900 on bill's machine, which would be sitting behind
a protective router at a remote location. However, if you use vnc with
ssh tunneling, then the VNC stuff (activity for port 5900) is not
visible at the router, only ssh stuff is visible, because it will be
ssh protocols which will be sent to the remote (bill's) machine.

Bill's router will still not let ssh activity through because it was
certainly not expecting it. So you will have to configure bill's
router to specifically allow ssh transmissions through and ensure they
get sent from bill's router and on to bill's actual machine, marked for
attention of ssh server.

I found trying to understand port forwarding tended to make my brain
hurt, but I think I now grasp enough. I hope.

The main port forwarding which affects (bill's) hardware configuration
- his router - is the need for the ssh information to get through his
router and get sent to bill's actual machine. Recall that bill's
machine will be set with a fixed IP inside his LAN.

It is conventional that ssh information is marked as using port 22
and this is where the action is expected by the server. However, it is
not considered wise to actually use port 22 in most cases because the
bad guys can see you coming too easily, and lots of bots will hit
bill's router's port 22 and try to (unsuccessfully) connect. Choose a
number above 1024 and below the maximum ports number and decide to
change the ssh default port, both at your client end and also at the
server end. An ssh config file will need a simple edit at each
machine, client and server machines. Bill's router should be
configured to accept your chosen port number in place of the more
conventional port 22 of course.

At this stage you are ready to connect using a ssh tunnel.

In your client machine with both machines inside your LAN, use a terminal:

ssh -vvv -L 5900:localhost:5900 bill@192.168.1.101

(comment - the -vvv increases verbosity and I found this useful. Not
sure if -vvv is any better than -vv though)
( -L means tunnel forwarding in some way and the rest of it tunnels
vnc, that is all I know just now).
comment - across the internet this becomes:
ssh -vvv -L 5900:localhost:5900 bill@[internet IP address]


You should get a lot of response and then get to log in to bill's machine.

Now, for a good reason I cannot tell you, you need to open a new
*different* terminal, leaving the original one alone, and type:
vncviewer localhost

This should result in you getting a graphic view of bill's display.

Good luck, and don't panic!

I have a lot of background information:

note 1:
https://help.ubuntu.com/community/SSHHowto

other:
https://help.ubuntu.com/community/VNC
http://ubuntuforums.org/showthread.php?t=990436
http://ubuntuforums.org/showthread.php?t=1004677
http://ubuntuforums.org/showthread.php?t=1005634
http://ubuntuforums.org/showthread.php?t=994365

http://ftp.sjtu.edu.cn/centos/3/docs/html/rhel-sag-en-3/s1-openssh-client-config.html
http://maketecheasier.com/set-up-a-vnc-server-in-ubuntu-hardy-heron/2008/05/30
http://www.securityfocus.com/infocus/1806
http://www.securityfocus.com/infocus/1816
http://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html
http://www.cskk.ezoshosting.com/cs/answers/vnc-thru-firewall-via-ssh.txt
http://ubuntuforums.org/showthread.php?t=383053
http://www.networksecurityarchive.org/html/Secure-Shell/2008-06/msg00029.html
http://linux.die.net/man/1/vncviewer
http://www.bleepingcomputer.com/tutorials/tutorial38.html
http://aplawrence.com/Security/ssh.html
http://kimmo.suominen.com/docs/ssh/


http://www.dyndns.com/services/dns/dyndns/


It does sound daunting at first, but I know it can be done, take heart!

--
alan cocks
Ubuntu user #10391
Linux user #360648

--
kubuntu-users mailing list
kubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-users
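
Added example, not part of alan c's post: the "simple edit" of the ssh config files described above, written as shell functions that emit the client `~/.ssh/config` entry and the server `sshd_config` lines for a non-default port with the VNC forward built in. The alias `bills-pc`, port `22022`, and the `AllowUsers` and `ExitOnForwardFailure` settings are assumptions chosen for illustration; the IP address and user name are the ones used in the post.

```shell
#!/bin/sh
# Constructed values: alias bills-pc, port 22022. Only functions are defined here.

# valid_ssh_port PORT: succeeds if PORT is a whole number in 1025..65535,
# the range the post suggests for moving ssh off port 22.
valid_ssh_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# client_stanza ALIAS HOST USER PORT: prints a ~/.ssh/config entry for the
# client. LocalForward is the config-file form of "-L 5900:localhost:5900".
client_stanza() {
    valid_ssh_port "$4" || { echo "bad port: $4" >&2; return 1; }
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    Port %s\n' "$4"
    printf '    LocalForward 5900 localhost:5900\n'
    # Fail the login instead of continuing without the tunnel if local
    # port 5900 is already taken.
    printf '    ExitOnForwardFailure yes\n'
}

# server_lines PORT USER: prints the lines for /etc/ssh/sshd_config on the
# server. AllowUsers limits ssh logins to the one account that needs them.
server_lines() {
    valid_ssh_port "$1" || { echo "bad port: $1" >&2; return 1; }
    printf 'Port %s\n' "$1"
    printf 'AllowUsers %s\n' "$2"
}

# open_vnc ALIAS: -f puts ssh in the background once logged in and -N runs
# no remote command, so the tunnel and the viewer share one terminal.
open_vnc() {
    ssh -f -N "$1" && vncviewer localhost
}

# Typical use (run by hand, on the machine named in each comment):
#   client_stanza bills-pc 192.168.1.101 bill 22022 >> ~/.ssh/config   # client
#   server_lines 22022 bill      # server: add to sshd_config, restart sshd
#   open_vnc bills-pc            # client
```

With this in place, only the chosen ssh port has to be forwarded on the remote router; port 5900 stays closed to the internet because the viewer talks to `localhost` on the client and ssh carries the traffic.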
 
