
Secure Remote Access from Your Desktop

Connecting to your home computer from work, a friend's house, or while on vacation in another country is very simple — if you know how to use a small handful of tools. Ken Hess shows you how to connect securely and tunnel traffic using SSH.

Connecting to your home computer from work, a friend’s house, or while on vacation in another country is very simple — if you know how to use a small handful of tools. Indeed, as a Linux user, you have a host (pun intended) of possibilities for remote access. Of course, you can access a character-based terminal screen, but you can also access a graphical desktop as a remote terminal or even via remote control.

However, connecting is not enough. You must also connect securely. In these days of hackers, crackers, phishers, sniffers, spammers, and terrorists, you must assume someone is always listening-in on your network conversations and looking for an opportunity to grab important information. This month’s “On the Desktop” demonstrates how to securely connect from a remote computer to your home Linux computer.

SSH and Related Protocols

One of the first remote access tools available on Unix was telnet. However, telnet is no longer widely used because its data is transmitted in plain text, including confidential information such as your username and password.

The replacement for telnet (and ftp, rcp, and rsh) is ssh, or the Secure Shell, which transmits all data in an encrypted form. ssh provides a classic character-based terminal similar to a telnet session, but also provides for file transfer via scp and sftp, and arbitrary, encrypted client-server communication via tunneling. ssh, sftp, and scp use TCP port 22.

Here’s an example of accessing a remote system named curly via ssh:

$ ssh curly -l fred

ssh connects to curly and attempts to log in as the user fred. (If you don’t use the -l option to specify a username, you connect to the remote host with the username you’re using on the host you’re connecting from.) The first time you connect to a remote host via ssh (or its variants scp and sftp), you’ll receive a message similar to the one shown in Figure One. Once you answer yes, the prompt never appears again.

FIGURE ONE: Initial connection to a host via ssh

The authenticity of host '10.0.1.250 (10.0.1.250)' can't be established.
RSA key fingerprint is d5:3f:ab:25:66:c3:67:0e:4a:b6:9a:5d:76:93:43:ab.
Are you sure you want to continue connecting (yes/no)?
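The prompt in Figure One only protects you if you compare the fingerprint it shows with one you obtained some other way (from the machine’s own console, for example) before answering yes. The following added example, which is not code from the article, reproduces the two fingerprint formats OpenSSH prints, the older MD5 colon-hex form shown in Figure One and the newer SHA256 base64 form, so that a key line copied from a *.pub file or known_hosts can be checked against an out-of-band value. The ssh-rsa key it builds is constructed for illustration (a valid blob layout, not a real server’s key), and the function names are the example’s own.

```python
"""Verify an SSH host key fingerprint against an out-of-band value.

Added example, not from the original article. SAMPLE_KEY is a constructed
ssh-rsa public key with an arbitrary modulus; it is not a real host key.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading zero if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key(e: int, n: int) -> str:
    """Return the one-line 'ssh-rsa AAAA...' form found in *.pub files and known_hosts."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def parse_public_key(line: str) -> tuple:
    """Split a '<type> <base64-blob> [comment]' line into (key type, raw blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob's first SSH string must repeat the declared key type.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint_md5(line: str) -> str:
    """Legacy OpenSSH form: 16 hex bytes separated by colons (the style in Figure One)."""
    _, blob = parse_public_key(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(line: str) -> str:
    """Modern OpenSSH form: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    _, blob = parse_public_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_expected(line: str, expected: str) -> bool:
    """Compare a key line with a fingerprint obtained out of band.

    Either format is accepted; the hex form is compared case-insensitively.
    """
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return fingerprint_sha256(line) == expected
    return fingerprint_md5(line) == expected.lower()


# Constructed sample: e=65537 and a small arbitrary modulus (not a usable RSA key).
SAMPLE_KEY = build_rsa_public_key(65537, 0xC0FFEE1234567890ABCDEF)

if __name__ == "__main__":
    print("MD5    fingerprint:", fingerprint_md5(SAMPLE_KEY))
    print("SHA256 fingerprint:", fingerprint_sha256(SAMPLE_KEY))
```

In practice you would feed matches_expected a line from the server’s own /etc/ssh/ssh_host_*_key.pub (read on its console) and the fingerprint the client displayed; once accepted, ssh records the key in ~/.ssh/known_hosts, which is why the prompt does not reappear for that host.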

SSH Client Software

On Linux, you can use the command-line ssh (as shown above) in character and graphical user interface mode. Within KDE and GNOME, you can use the Konqueror and Nautilus browsers, respectively, using either the fish:// or the sftp:// protocol. (fish:// is simply another file transfer protocol that runs over SSH.) Figure Two shows Konqueror opening an SSH connection via fish://. (root is running Konqueror, hence it is the default username shown in the dialog box.)

FIGURE TWO: The Konqueror browser using the fish protocol.

If you find yourself on a Windows computer and need remote access to your Linux desktop, you’re in luck. Both PuTTY (pictured in Figure Three) and WinSCP are capable SSH clients. PuTTY is a freeware Windows application that gives you a great deal of flexibility and many advanced options, including X forwarding. Generally, PuTTY is used for character-based terminal access to a Linux computer. Better yet, PuTTY requires no installation, so there are no permanent configuration, registry, or service changes to your Windows PC.

FIGURE THREE: How to configure a session in FreeNX.

WinSCP is the other indispensable freeware application. It too requires no installation. WinSCP provides you with a graphical interface for copying and transferring files securely with SSH. It is very similar to graphical FTP programs you may use already, and may be customized with an Explorer- or Norton Commander-like interface.

X11 Forwarding with SSH

If you prefer to work remotely with familiar X Window System applications and have Cygwin installed on a Windows computer, you can use Cygwin’s versions of X and ssh to create a rich remote access experience. Open a Windows Command Prompt and type bash. At the bash prompt, enter:

$ /usr/X11R6/bin/startxwin.sh

An X server starts and an xterm appears on your desktop. At the xterm prompt, connect to your Linux computer with the following command (the command works exactly the same on Linux):

$ ssh -X -C curly -l fred

Enter your password at the prompt to log in to your Linux computer. Unlike other X sessions, though, you do not have to set the X DISPLAY variable — it’s automatically set with the -X (X forwarding) switch. The -C switch enables compression for this connection (X applications are large and bandwidth intensive). You may now launch any graphical application from the current shell on the remote system, and it is displayed on the Windows desktop in front of you.

VNC Tunneling with SSH

While SSH connections are encrypted, many other TCP/IP protocols are not. Moreover, many common Linux services are blocked by firewalls. However, just like transmitting X traffic through SSH, you can use SSH — which is typically enabled on servers — to securely “piggyback” another protocol through blocked ports. Piggybacking another protocol via SSH is called tunneling.

Tunneling is simple: An SSH connection is established between two hosts. On the local host, a local port is tied to the SSH connection; writing to the local port sends traffic over the SSH connection. On the remote host, the opposite end of the SSH connection is tied to the destination service. Hence, each client request enters the local port, traverses the SSH connection, and is finally delivered to the remote service.

Let’s look at how to use SSH tunneling to transmit VNC traffic through a firewall that doesn’t permit that protocol. For this example, the VNC server was started with:

$ vncserver -name Home_Computer -depth 8 -geometry 800x600

First, on the local host, choose a local port numbered between 5902 and 5999. This port binds locally to one end of the SSH connection. Next, find the TCP port number that the VNC server is using on the VNC host computer. By default, vncserver uses port 5901. You also need your username and password on the VNC host; these are used to establish the SSH connection. Once you log in to the remote host, launch your VNC client and connect it to the port you chose on the local host.

For example, here’s how to connect to your home Linux desktop from a remote computer:

$ ssh -L 5999:localhost:5901 fred@fred.homelinux.com 

This says, “Using the username fred, connect port 5999 on localhost to one end of the SSH connection, and connect the other end of the SSH connection to port 5901 on the machine fred.homelinux.com.” Or, in other words, tunnel everything sent to localhost’s port 5999 via SSH to port 5901 on fred.homelinux.com. Connect your VNC viewer to port 5999 on localhost, enter your name and password, and enjoy! All VNC traffic is now passed through this secure SSH tunnel.
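To make the local end of that command concrete, here is an added example (not code from the article or from OpenSSH) of a plain TCP relay in miniature: it binds a listening port, and for each connection it accepts, opens a connection to the destination and copies bytes in both directions, which is what ssh -L does on the local host before the bytes enter the encrypted session. The relay itself is unencrypted; its point is the binding and relaying behaviour, and that the listener is bound to the loopback address by default, which mirrors ssh -L’s behaviour of not exposing the tunnel entrance to other machines on your network. The echo service stands in for the VNC server on port 5901, ports are assigned by the OS so it runs anywhere, and the function names are the example’s own.

```python
"""Local port forwarding in miniature: the local side of `ssh -L 5999:localhost:5901`.

Added example, not from the original article. A loopback echo service plays
the part of the remote VNC server; the relay plays the part of ssh's local
listener. No encryption is involved; the example shows binding and relaying.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then close dst's write side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_echo_service() -> int:
    """Stand-in for the remote service (VNC on 5901 in the article). Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            # Echo: read from the connection and write back to the same connection.
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_local_forward(dest_host: str, dest_port: int, bind_addr: str = "127.0.0.1") -> tuple:
    """Bind a local listener and relay every accepted connection to dest_host:dest_port.

    bind_addr defaults to loopback, like ssh -L without -g or an explicit
    0.0.0.0 bind address; passing 0.0.0.0 would let other hosts on the LAN use
    the tunnel entrance. Returns the (address, port) the listener is bound to.
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((bind_addr, 0))
    lst.listen(5)

    def accept_loop() -> None:
        while True:
            client, _ = lst.accept()
            upstream = socket.create_connection((dest_host, dest_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[:2]


def send_through(port: int, payload: bytes) -> bytes:
    """Act as the VNC viewer: connect to the local port and return what comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            out += chunk
        return out


if __name__ == "__main__":
    remote_port = start_echo_service()
    addr, local_port = start_local_forward("127.0.0.1", remote_port)
    print("tunnel entrance bound to", addr, local_port)
    # Constructed sample: the first bytes a VNC server sends are its protocol version.
    print(send_through(local_port, b"RFB 003.008\n"))
```

The VNC viewer in the article never knows a tunnel exists: it connects to localhost:5999 exactly as it would to any VNC server, and the relay does the rest.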

FreeNX: A Secure Remote Desktop Connection

FreeNX, or “NX” as it is generally known, may very well be the best way to connect securely to a remote Linux desktop. NX is secure, and it allows you your choice of window managers for each connection. You can also connect to other services such as VNC and Windows Terminal Services with the FreeNX client software. FreeNX also uses port 22 for its secure communications, so there is no need to worry about another TCP port.

FreeNX is very easy to use. Assuming that the FreeNX server is installed and configured on the remote Linux computer (if not, stay tuned for next month’s “On The Desktop”, which shows you how to set up the FreeNX server), download and install the FreeNX client software appropriate for your system from http://www.nomachine.com. Open the client application on your local computer: either double-click the NX Connection Wizard icon on Windows or launch nxclient from the command line on Linux.

$ /usr/NX/bin/nxclient

When the Wizard opens, click Next at the first screen. Next, enter the session name, which can be any string. Enter the host you want to connect to (name or IP Address), and select your connection speed, as shown in Figure Four. Click Next. Select your session type and screen resolution, and select the type of data transmission (uncheck to encrypt). Click Next and Finish.

FIGURE FOUR: How to configure a session in FreeNX.

At the login screen, enter your SSH username and password, then click Login. The next dialog to appear (shown in Figure Five) presents you with a choice of window managers. Choose one, select the size of the remote desktop, and click Next and Finish.

FIGURE FIVE: How to configure a session in FreeNX.

FreeNX is the next generation of remote connectivity for Linux users. It is frugal with bandwidth, secure, and feature-rich. While non-trivial to install, it is still the best graphical option I have seen to date. There is a commercial version of NX available, if you use the software under certain circumstances or need support. Please read the documentation carefully.

Router/Firewall Setup

Finally, let’s configure a broadband connection and a router/firewall appliance to allow access to the computer you have on your desk at home.

1. Find the “uPnP Forwarding” or “Port Forwarding” page in your router’s web interface.

2. Select an internal and external TCP port for the service (22 for SSH and related protocols). You may choose any port you want for the external TCP port, but you have to remember it.

3. Select a protocol, typically TCP.

4. Enter the IP address of your Linux computer to forward incoming requests to.

6. Enable the service and save the configuration.

See Figure Six. You may now connect to your Linux computer from anywhere in the world via the SSH protocol. However, you will have to know the external IP address assigned to you by your ISP to do so.

FIGURE SIX: How to configure uPnP port forwarding.

For instance, from a remote computer, run…

$ ssh 10.10.100.1 -l fred

… to connect to your home machine, assuming 10.10.100.1 is your external IP address.

If you have a dynamically assigned IP address, use a dynamic DNS service such as http://dyndns.org to keep up with your changing IP address. You can also use DynDNS to assign a name to your IP address, like fred.homelinux.com, which provides you with a static and easy-to-remember name. Full instructions on updating DynDNS with your IP address can be found on the site.
