ssh and vnc

alan c aeclist at candt.waitrose.com
Mon Dec 22 00:59:04 UTC 2008


andrew heggie wrote:
> alan c wrote:
> 
>>> I was going to start by setting up a ssh server on it and trying to log
>>> in from this hardy box but openssh doesn't seem to be in the repository,
>>> is there another program that's supported and just the same?
>> 
>> 
>> I am just recently doing this for an elderly friend (88 years, first
>> PC..., wants to do shopping on tesco direct).
> 
> It's for my father-in-law 86, he was going to buy a pc but his son had
> windows virus problems and he's been put off. I wanted to give him a pc and
> tell him not to worry about anything as he couldn't affect it. I've
> installed kubuntu hardy with 3.5 on the gifted box, from a member of my
> lug. It's p4 1.6G Gateway. It's just updating now and that's one of the
> reasons I'm not keen on this full install, because it will receive a lot of
> updates for programs he'll never use and I might have to access the
> internet by a 3g modem as he hasn't broadband yet. I've stuck with Kubuntu
> because I can use linux but am not at all competent with it. I've minded to
> stick puppy in the cd tray and a usb stick and run from that, possibly with
> no hdd. We were recently given a talk at a lug meeting by a chap that had
> done something similar but used debian and cut it down himself. He also
> configured some high contrast skins and changed system fonts to large
> verdana.
> 
> 
>> It is going quite 
>> well so far. My initial problems were related to the difficulty or
>> maybe impossibility - of using my local LAN to do tests. The nearly
>> final tests were to use the full internet address of the target PC (ssh
>> server machine) trying to log in to it, using my laptop (ssh client
>> machine), where both machines were (conveniently) inside my own local LAN.
> 
> This is going to challenge me, I've not even networked computers before
> despite having up to four in the house. I'm using two routers, dhcp
> disabled on one, on the same subnet which gives me wireless and 6 ethernet
> ports.
> 
> By full internet address do you mean something like
> bill at nameofcomputer.fullipaddress:portnumber?

I use
bill@[full IP address]
the name of computer is not needed if the IP is given.
The port numbers are used differently, please see below near to the end.


>> I am using vnc in a ssh tunnel, and non standard ports 
> 
> Could you pad this out a bit please?
> 
> I'd like to know the order of doing things to make the ssh tunnel and then
> run vnc whilst at home and then I guess I'll take the pc over at christmas!

(I am not an expert, so if one reads this and can correct or add 
stuff, please do so?)

your machine is the ssh client
login for user 'bill' (his machine) is the ssh server

make sure the target machine (bill's) has ssh server installed and 
that your machine that you will use to connect from has the ssh client 
installed (openssh-server, openssh-client that is)

It is not essential to use keys that you specially generate - that is, 
public and private key pairs, but it is an advantage I think, 
particularly since you have both machines with you at present. I found 
note 1 useful here.

You can easily generate a key pair on each machine. The private key 
stays with its machine (in principle) and its public key gets copied 
to other machines that will talk to it. This applies to each machine 
in turn. The key pairs can be copied for reference to a usb stick of 
yours and kept by you in a safe place. I have not fully understood key 
pairs yet.

The general technique of configuration and testing is to initially set 
up an ssh communication between the two machines. This can be done 
within your local network initially for test, then later over the 
internet. Ideally each machine should be allocated a fixed IP inside 
your LAN now and later also for bill's machine in his LAN so that you 
know what the IPs are and they will not change in the middle of tests 
or whatever.

Assuming that while things are only inside your own LAN, your client 
machine is
192.168.1.100
and that bill's machine (server) is
192.168.1.101

then from your machine use commands:
ssh bill@192.168.1.101

should get a sensible response probably a warning that the remote 
machine is unknown (no keys yet) and it is this or that fingerprint, 
and do you want to connect to it? If you accept, the ID key of the 
remote machine will be added to a file in your machine for reference. 
Note: the key I think may be different when seen across the internet 
(not sure). The real trick in this sort of situation is to be certain 
that the target machine really is the one you expect, and that in 
principle there is no third party interception at this initial stage. 
Inside your local LAN this is trivial.

Once you know that ssh is working inside your lan, you can be more 
ambitious.

Again, inside your LAN it is easy to get VNC working. I usually use 
kubuntu 8.04 but in this case I have been using ubuntu 8.04 (easy to 
have both as alternate sessions at login, anyway), so some apps might 
be ubuntu based, although I think they are also available in kubuntu.

Set remote desktop (this is the VNC server) in bill's machine to allow 
others to control it, maybe with a password. Do not set it to use 
encryption; I do not think it is working yet, and anyway you expect to use 
ssh and a tunnel so there is no need for yet more encryption. Do not 
set "ask for confirmation" - you may not want that level of interaction 
at the other end.

Then from your own machine:
vncviewer 192.168.1.101

or maybe
vncviewer 192.168.1.101:0
I think they both work for me.

and you should connect to bill's machine inside your LAN.

So now you have had ssh working and vnc working both inside your LAN.

(exit or ctrl-c will close a process in a terminal if you need to)

VNC expects to use port identities 5900 I think, and if you did not 
use any tunnel in ssh process, and if you were doing it all over the 
internet (not just inside your LAN) then you would have to somehow get 
through to port 5900 on bill's machine, which would be sitting behind 
a protective router at a remote location. However, if you use vnc with 
ssh tunneling, then the VNC stuff (activity for port 5900) is not 
visible at the router, only ssh stuff is visible, because it will be 
ssh protocols which will be sent to the remote (bill's) machine.

Bill's router will still not let ssh activity through because it was 
certainly not expecting it. So you will have to configure bill's 
router to specifically allow ssh transmissions through and ensure they 
get sent from bill's router and on to bill's actual machine, marked for 
attention of the ssh server.

I found trying to understand port forwarding tended to make my brain 
hurt, but I think I now grasp enough. I hope.

The main port forwarding which affects (bill's) hardware configuration 
- his router - is the need for the ssh information to get through his 
router and get sent to bill's actual machine. Recall that bill's 
machine will be set with a fixed IP inside his LAN.

It is conventional that ssh information is marked as using port 22 
and this is where the action is expected by the server. However, it is 
not considered wise to actually use port 22 in most cases because the 
bad guys can see you coming too easily, and lots of bots will hit 
bill's router's port 22 and try to (unsuccessfully) connect. Choose a 
number above 1024 and below the maximum port number and decide to 
change the ssh default port, both at your client end and also at the 
server end. An ssh config file will need a simple edit at each 
machine, client and server. Bill's router should be 
configured to accept your chosen port number in place of the more 
conventional port 22 of course.

At this stage you are ready to connect using a ssh tunnel.

In your client machine with both machines inside your LAN, use a terminal:

ssh -vvv -L 5900:localhost:5900 bill@192.168.1.101

(comment - the -vvv increases verbosity and I found this useful. Not 
sure if -vvv is any better than -vv though)
( -L means tunnel forwarding in some way and the rest of it tunnels 
vnc, that is all I know just now).
comment - across the internet this becomes:
ssh -vvv -L 5900:localhost:5900 bill@[internet IP address]


You should get a lot of response and then get to log in to bill's machine.

Now, for a good reason I cannot tell you, you need to open a new 
*different* terminal, leaving the original one alone, and type:
vncviewer localhost

This should result in you getting a graphic view of bill's display.

Good luck, and don't panic!

I have a lot of background information:

note 1:
https://help.ubuntu.com/community/SSHHowto

other:
https://help.ubuntu.com/community/VNC
http://ubuntuforums.org/showthread.php?t=990436
http://ubuntuforums.org/showthread.php?t=1004677
http://ubuntuforums.org/showthread.php?t=1005634
http://ubuntuforums.org/showthread.php?t=994365

http://ftp.sjtu.edu.cn/centos/3/docs/html/rhel-sag-en-3/s1-openssh-client-config.html
http://maketecheasier.com/set-up-a-vnc-server-in-ubuntu-hardy-heron/2008/05/30
http://www.securityfocus.com/infocus/1806
http://www.securityfocus.com/infocus/1816
http://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html
http://www.cskk.ezoshosting.com/cs/answers/vnc-thru-firewall-via-ssh.txt
http://ubuntuforums.org/showthread.php?t=383053
http://www.networksecurityarchive.org/html/Secure-Shell/2008-06/msg00029.html
http://linux.die.net/man/1/vncviewer
http://www.bleepingcomputer.com/tutorials/tutorial38.html
http://aplawrence.com/Security/ssh.html
http://kimmo.suominen.com/docs/ssh/


http://www.dyndns.com/services/dns/dyndns/


It does sound daunting at first, but I know it can be done, take heart!

-- 
alan cocks
Ubuntu user #10391
Linux user #360648
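As an added example, not part of alan's post: a few POSIX sh helpers that put together the tunnel, viewer and config edits the message walks through, with comments on what each port is doing. The ssh port 2222 and the address 192.168.1.101 used at the bottom are illustrative placeholders.

```shell
# Added example, not from the original post: POSIX sh helpers that assemble
# the commands the thread describes. The ssh port 2222 and the LAN address
# 192.168.1.101 used at the bottom are illustrative placeholders.
# VNC display :N is served on TCP 5900+N, so ":0" and port 5900 are the same.
vnc_port() {
    echo $((5900 + ${1:-0}))
}

# A custom sshd port: digits only, above 1024 and at most 65535.
valid_ssh_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# The tunnel. "-L 5900:localhost:5900" opens port 5900 on THIS machine and
# carries whatever connects to it, inside the ssh session, to port 5900 of
# "localhost" as the server sees it, i.e. bill's own VNC server. Only ssh
# traffic (to the custom port) crosses the network, so only that port needs
# forwarding at bill's router. Without -N ssh also opens a login shell, which
# is why the thread runs vncviewer from a second terminal.
# Usage: tunnel_cmd USER HOST SSH_PORT [DISPLAY]
tunnel_cmd() {
    valid_ssh_port "$3" || { echo "bad ssh port: $3" >&2; return 1; }
    p=$(vnc_port "$4")
    echo "ssh -p $3 -L $p:localhost:$p $1@$2"
}

# The viewer talks to the local end of the tunnel, never to bill's address.
viewer_cmd() {
    echo "vncviewer localhost:${1:-0}"
}

# Lines for /etc/ssh/sshd_config on bill's machine: move off port 22 and, once
# the key pair works, refuse password logins so the bots mentioned above have
# nothing to guess at. Before first accepting the fingerprint, compare it with
# "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub" run on bill's box itself.
sshd_fragment() {
    valid_ssh_port "$1" || return 1
    printf 'Port %s\nPasswordAuthentication no\nPubkeyAuthentication yes\n' "$1"
}

# ~/.ssh/config stanza on your machine so the custom port is not retyped.
# Usage: ssh_config_fragment ALIAS HOST USER SSH_PORT
ssh_config_fragment() {
    printf 'Host %s\n    HostName %s\n    User %s\n    Port %s\n' "$1" "$2" "$3" "$4"
}

tunnel_cmd bill 192.168.1.101 2222 0   # LAN test; swap in the internet IP later
viewer_cmd 0
```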