[Tfug] SSH/SSL question...

James Hood ebenblues@gmail.com
Fri Mar 21 12:14:31 MST 2008


Well, router/firewall appliances are cheap, simple and MUCH better than a
direct connection to a cable modem...even if you are running Linux. If you
do go the VNC route, without some kind of firewall (you can use iptables,
but like I said, the appliance is easier), anyone can try to log in to his
VNC session. But with a router, you can do something better, like only open
the SSH port, use private key-only auth and use VNC via an SSH tunnel, as was
suggested by others.

James

On Fri, Mar 21, 2008 at 12:00 PM, Jim March <1.jim.march@gmail.com> wrote:

>
> On Thu, Mar 20, 2008 at 10:29 PM, Jeff Breadner <jeff@breadner.net> wrote:
>
> > Jim March wrote:
> > > What I need to make sure of is, is it possible for me to get in and
> > > run via a Gnome desktop that is viewable identically at both ends?
> > > What I have to avoid is a situation where I have one console session
> > > and he has another.  Running my side as a different user is a no-go, I
> > > have to do access as his user account to adjust the settings HE sees.
> > > This guy is going to be new to Linux :).
> >
> > x11vnc (http://www.karlrunge.com/x11vnc/) will export the console login
> > session via VNC (default port 5900), at whatever resolution his desktop
> > is running at.  To encrypt the session, you could either ssh to another
> > machine on his network and forward back the 5900 port from the machine
> > you wish to control, or he could trust you to connect directly to that
> > machine with ssh -n (to prevent you from getting a console on the ssh
> > connection that is forwarding the VNC port back).  Something like the
> > following should work:
> >
> > On his machine, have him log in, start a shell, and run:
> >
> > sudo apt-get install x11vnc (if it's not installed already)
> > x11vnc -display :0
> >
> > On your machine:
> >
> > ssh -L5900:localhost:5900 -n -2 non_root_user@remote.machine
> >
> > then, in a different window:
> >
> > vncviewer localhost
> >
> > The VNC session you get will be his console login session, you'll both
> > have control, and he can kill the session at any time by killing the
> > x11vnc program.
> >
> > I'm assuming he's exposing his SSH port (TCP/22) directly to the
> > Internet.  If he doesn't trust you to ssh -n yourself then he could
> > probably give you an ssh key that is restricted to non-interactive
> > shells, but that's beyond the scope of this email :)
> >
> > If he's realllly concerned about you having ANY unmonitored access, then
> > simply trusting you to ssh -n is probably going to be inadequate because
> > while you're controlling the main desktop session via VNC, you could
> > start up an unmonitored SSH connection and do other stuff on the side
> > without him being able to tell.  To address this, you'll either have to
> > hop in through another machine on his network running SSH (one that
> > doesn't have sensitive material on it, a Windows box running a live
> > linux CD should suffice), or we'll have to figure out the shell-less SSH
> > key thing.
> >
> > cheers
> >  Jeff
> >
>
> Ug.  Problem: he has just one PC attached straight Ethernet to a cable
> modem.  Setting up something better may be beyond him.
>
> Is there any simpler solution?
>
> Jim
>
> _______________________________________________
> Tucson Free Unix Group - tfug@tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
>


-- 
"The humble learn the fastest because they don't waste time on defending a
false image."
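
One concrete shape for the two pieces this thread only sketches, James's "private key-only auth" sshd setup and Jeff's "ssh key that is restricted to non-interactive shells", as an added example rather than anything posted in the thread. It assumes OpenSSH 7.2 or newer for the `restrict` keyword in authorized_keys (older sshd spells the same thing out as `no-pty,no-X11-forwarding,no-agent-forwarding`); the public key and the two sshd_config files are constructed samples, and `helper@laptop` and `remote.machine` are placeholder names. On the client side the tunnel would be opened with `ssh -N -L 5900:localhost:5900 helper@remote.machine`: `-N` asks sshd for no remote command at all, whereas `-n` only detaches stdin from the session.

```shell
#!/bin/sh
# Added example, not from the thread: build a forwarding-only authorized_keys
# entry and check an sshd_config for key-only auth with forwarding kept on.
# Assumes OpenSSH 7.2+ ("restrict"). All key/config data below is constructed.

# Constructed sample public key (not a real key) for the remote helper.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY helper@laptop'

# Emit an authorized_keys line that lets this key do exactly one thing: open
# a forward to port $1 on the server's loopback (the x11vnc port). "restrict"
# turns off pty, agent/X11 forwarding and ~/.ssh/rc; "port-forwarding" turns
# forwarding back on; "permitopen" pins the only allowed destination; the
# forced command means any session request gets /bin/false instead of a shell.
# Usage: restricted_key_line 5900 "$SAMPLE_PUBKEY" >> ~/.ssh/authorized_keys
restricted_key_line() {
    printf 'restrict,port-forwarding,permitopen="localhost:%s",command="/bin/false" %s\n' "$1" "$2"
}

# Check an sshd_config file for the settings James suggests: public keys only,
# no passwords, TCP forwarding explicitly allowed for the tunnel. sshd uses
# the first occurrence of a directive, so the first match wins here as well
# (directive names are case-insensitive). Prints each wrong or unset
# directive and returns 0 only when every directive is as required.
check_sshd_config() {
    cfg=$1
    rc=0
    for want in "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "ChallengeResponseAuthentication no" "AllowTcpForwarding yes"; do
        key=${want%% *}
        val=${want#* }
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$got" != "$val" ]; then
            echo "$key: want '$val', got '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs: a default-ish one that still takes passwords,
# and a hardened one. Temp files are removed when the script exits.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

cat > "$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding yes
# The helper's key carries its own limits; see the authorized_keys line.
EOF

echo "authorized_keys entry for the helper:"
restricted_key_line 5900 "$SAMPLE_PUBKEY"

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if check_sshd_config "$cfg"; then
        echo "$cfg: key-only auth with forwarding allowed"
    else
        echo "$cfg: NOT hardened"
    fi
done
```

The check treats an unset directive as a failure on purpose: `PasswordAuthentication` defaults to `yes`, so a config that never mentions it is exactly the cable-modem-facing box James is warning about.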