
Secure Remote Access from Your Desktop

Connecting to your home computer from work, a friend's house, or while on vacation in another country is very simple — if you know how to use a small handful of tools. Ken Hess shows you how to connect securely and tunnel traffic using SSH.

Connecting to your home computer from work, a friend’s house, or while on vacation in another country is very simple — if you know how to use a small handful of tools. Indeed, as a Linux user, you have a host (pun intended) of possibilities for remote access. Of course, you can access a character-based terminal screen, but you can also access a graphical desktop as a remote terminal or even via remote control.

However, connecting is not enough. You must also connect securely. In these days of hackers, crackers, phishers, sniffers, spammers, and terrorists, you must assume someone is always listening in on your network conversations and looking for an opportunity to grab important information. This month’s “On the Desktop” demonstrates how to securely connect from a remote computer to your home Linux computer.

SSH and Related Protocols

One of the first remote access tools available on Unix was telnet. However, telnet is no longer widely used because its data is transmitted in plain text, including confidential information such as your username and password.

The replacement for telnet (and ftp, rcp, and rsh) is ssh, or the Secure Shell, which transmits all data in an encrypted form. ssh provides a classic character-based terminal similar to a telnet session, but also provides for file transfer via scp and sftp, and arbitrary, encrypted client-server communication via tunneling. ssh, sftp, and scp use TCP port 22.

Here’s an example of accessing a remote system named curly via ssh:

$ ssh curly -l fred

ssh connects to curly and attempts to log in as the user fred. (If you don’t use the -l option to specify a username, you connect to the remote host with the username you’re using on the host you’re connecting from.) The first time you connect to a remote host via ssh (or its variants scp and sftp), you’ll receive a message similar to the one shown in Figure One. Once you answer yes, the prompt never appears again for that host.

FIGURE ONE: Initial connection to a host via ssh

The authenticity of host '10.0.1.250 (10.0.1.250)' can't be established.
RSA key fingerprint is d5:3f:ab:25:66:c3:67:0e:4a:b6:9a:5d:76:93:43:ab.
Are you sure you want to continue connecting (yes/no)?
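The fingerprint in that prompt is the only evidence you have of who is on the other end, so it is worth comparing against one obtained out of band (for example, from ssh-keygen -l run on the home machine's host key before you leave). As an added example, not from the column, here is a small Python script that computes both the colon-hex MD5 form shown in Figure One and the SHA256 form current OpenSSH prints, from a public key line or a known_hosts entry; the key it uses is constructed for illustration and belongs to no real host.

```python
"""Fingerprints of an OpenSSH public key, in the colon-hex MD5 form of Figure One
and the SHA256 form current OpenSSH prints, so the value shown at first connection
can be checked against one obtained out of band. Added example, not from the
column; the key below is constructed for illustration and belongs to no real host."""
import base64
import hashlib
import struct

def _ssh_string(b):
    # One length-prefixed field of the SSH wire format (RFC 4251 'string').
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    # RFC 4251 'mpint': big-endian bytes, with a leading zero if the high bit is set.
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

# Constructed toy ssh-rsa key (tiny modulus, for illustration only).
TOY_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567891)
TOY_KEY_LINE = "ssh-rsa " + base64.b64encode(TOY_BLOB).decode() + " fred@curly"

def key_blob(line):
    """Decode the key from 'type base64 [comment]' or a known_hosts 'host type base64' entry."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            return base64.b64decode(fields[i + 1])
    raise ValueError("no OpenSSH public key found in line")

def md5_fingerprint(line):
    """Legacy colon-separated form, e.g. d5:3f:ab:25:... as shown in Figure One."""
    digest = hashlib.md5(key_blob(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(line):
    """Form printed by current OpenSSH: SHA256:<base64 without '=' padding>."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_matches(line, expected):
    """True if the fingerprint obtained out of band matches the key, in either form."""
    want = expected.strip()
    if want.lower().startswith("sha256:"):
        return sha256_fingerprint(line) == want
    return md5_fingerprint(line) == want.lower().replace("md5:", "", 1)
```

Run fingerprint_matches against the line OpenSSH stored for the host in ~/.ssh/known_hosts and the value you wrote down at home; a mismatch after the first connection means the host key changed and deserves an explanation before you type a password.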

SSH Client Software

On Linux, you can use the command-line ssh (as shown above) in both character and graphical user interface mode. Within KDE and GNOME, you can use the Konqueror and Nautilus browsers, respectively, with either the fish:// or the sftp:// protocol. (fish:// is simply another SSH-based file transfer protocol.) Figure Two shows Konqueror opening an SSH connection via fish://. (root is running Konqueror, hence it is the default username shown in the dialog box.)

FIGURE TWO: The Konqueror browser using the fish protocol.

If you find yourself on a Windows computer and need remote access to your Linux desktop, you’re in luck. Both PuTTY (pictured in Figure Three) and WinSCP are capable SSH clients. PuTTY is a freeware Windows application that gives you a great deal of flexibility and many advanced options, including X forwarding. Generally, PuTTY is used for character-based terminal access to a Linux computer. Better yet, PuTTY requires no installation, so there are no permanent configuration, registry, or service changes to your Windows PC.

FIGURE THREE: Configuring a session in PuTTY.

WinSCP is the other indispensable freeware application. It too requires no installation. WinSCP provides you with a graphical interface for copying and transferring files securely with SSH. It is very similar to graphical FTP programs you may use already, and may be customized with an Explorer-like or Norton Commander-like interface.

X11 Forwarding with SSH

If you prefer to work remotely with familiar X Window System applications and have Cygwin installed on a Windows computer, you can use Cygwin’s versions of X and ssh to create a rich remote access experience. Open a Windows Command Prompt and type bash. At the bash prompt, enter:

$ /usr/X11R6/bin/startxwin.sh

An X server starts and an xterm appears on your desktop. At the xterm prompt, connect to your Linux computer with the following command (the command works exactly the same on Linux):

$ ssh -X -C curly -l fred

Enter your password at the prompt to log in to your Linux computer. Unlike other X sessions, though, you do not have to set the X DISPLAY variable — it’s automatically set with the -X (X forwarding) switch. The -C switch enables compression for this connection (X applications are large and bandwidth intensive). You may now launch any graphical application from the current shell on the remote system, and it is displayed on the Windows desktop in front of you.

VNC Tunneling with SSH

While SSH connections are encrypted, many other TCP/IP protocols are not. Moreover, many common Linux services are blocked by firewalls. However, just like transmitting X traffic through SSH, you can use SSH — which is typically enabled on servers — to securely “piggyback” another protocol through blocked ports. Piggybacking another protocol via SSH is called tunneling.

Tunneling is simple: An SSH connection is established between two hosts. On the local host, a local port is tied to the SSH connection; writing to the local port sends traffic over the SSH connection. On the remote host, the opposite end of the SSH connection is tied to the destination service. Hence, each client request enters the local port, traverses the SSH connection, and is finally delivered to the remote service.

Let’s look at how to use SSH tunneling to transmit VNC traffic through a firewall that doesn’t permit that protocol. For this example, the VNC server was started with:

$ vncserver -name Home_Computer -depth 8 -geometry 800x600

First, on the local host, choose a local port numbered between 5902 and 5999. This port binds locally to one end of the SSH connection. Next, find the TCP port number that the VNC server is using on the VNC host computer. By default, vncserver uses port 5901. You also need your username and password on the VNC host; these are used to establish the SSH connection. Once you log in to the remote host, launch your VNC client and connect it to the local port you chose.

For example, here’s how to connect to your home Linux desktop from a remote computer:

$ ssh -L 5999:localhost:5901 fred@fred.homelinux.com 

This says, “Using the username fred, connect port 5999 on localhost to one end of the SSH connection, and connect the other end of the SSH connection to port 5901 on the machine fred.homelinux.com.” Or, in other words, tunnel everything sent to localhost’s port 5999 via SSH to port 5901 on fred.homelinux.com. Connect your VNC viewer to port 5999 on localhost, enter your name and password, and enjoy! All VNC traffic is now passed through this secure SSH tunnel.
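What the -L option sets up, as an added example that is not from the column: a small Python relay that listens on a loopback port and hands each connection to a destination service, the way the local end of the tunnel does. The encrypted SSH leg between the two ends is omitted, and a constructed echo service stands in for the VNC server on port 5901, so the relay runs and can be tested offline.

```python
"""Plain TCP relay showing what `ssh -L 5999:localhost:5901 ...` sets up locally.
Added example, not from the column; the encrypted SSH hop between the two ends is
left out so the relay runs offline, and a constructed echo service stands in for VNC."""
import contextlib, socket, threading

def _pump(src, dst):
    # Copy bytes one way until src closes, then signal end-of-stream to dst.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def _listen(port, handler):
    # Bind to loopback only, as ssh -L does by default; port 0 picks a free port.
    s = socket.socket()
    s.bind(("127.0.0.1", port))
    s.listen()
    def loop():
        while True:
            try:
                conn, _ = s.accept()
            except OSError:  # listener was closed
                return
            handler(conn)
    threading.Thread(target=loop, daemon=True).start()
    return s

def start_forwarder(local_port, dest_host, dest_port):
    """Local end of the tunnel: relay every client connection to dest_host:dest_port."""
    def relay(client):
        upstream = socket.create_connection((dest_host, dest_port))
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    return _listen(local_port, relay)

def start_echo_service():
    # Constructed stand-in for the VNC server (port 5901 in the column): echoes input.
    return _listen(0, lambda c: threading.Thread(target=_pump, args=(c, c), daemon=True).start())

def through_tunnel(payload):
    """Send payload into the local port; return what the service sent back through it."""
    svc = start_echo_service()
    fwd = start_forwarder(0, "127.0.0.1", svc.getsockname()[1])
    with socket.create_connection(("127.0.0.1", fwd.getsockname()[1])) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        got = b"".join(iter(lambda: c.recv(4096), b""))
    fwd.close(); svc.close()
    return got
```

With real SSH, the relay's upstream connection is made by sshd on the far side and the bytes in between are encrypted; the listener stays bound to loopback, so only programs on your own machine can use the tunnel.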

FreeNX: A Secure Remote Desktop Connection

FreeNX, or “NX” as it is generally known, may very well be the best way to connect securely to a remote Linux desktop. NX is secure, and it allows you your choice of window managers for each connection. You can also connect to other services such as VNC and Windows Terminal Services with the FreeNX client software. FreeNX also uses port 22 for its secure communications, so there is no need to worry about another TCP port.

FreeNX is very easy to use. Assuming that the FreeNX server is installed and configured on the remote Linux computer (if not, stay tuned for next month’s “On The Desktop”, which shows you how to set up the FreeNX server), download and install the FreeNX client software appropriate for your system from http://www.nomachine.com. Open the client application on your local computer: either double-click the NX Connection Wizard icon on Windows or launch nxclient from the command line on Linux.

$ /usr/NX/bin/nxclient

When the Wizard opens, click Next at the first screen. Next, enter the session name, which can be any string. Enter the host you want to connect to (name or IP Address), and select your connection speed, as shown in Figure Four. Click Next. Select your session type and screen resolution, and select the type of data transmission (uncheck to encrypt). Click Next and Finish.

FIGURE FOUR: How to configure a session in FreeNX.

At the login screen, enter your SSH username and password, then click Login. The next dialog to appear (shown in Figure Five) presents you with a choice of window managers. Choose one, select the size of the remote desktop, and click Next and Finish.

FIGURE FIVE: Choosing a window manager and desktop size in FreeNX.

FreeNX is the next generation of remote connectivity for Linux users. It is frugal with bandwidth, secure, and feature-rich. While non-trivial to install, it is still the best graphical option I have seen to date. There is a commercial version of NX available, if you use the software under certain circumstances or need support. Please read the documentation carefully.

Router/Firewall Setup

Finally, let’s configure a broadband connection and a router/firewall appliance to allow access to the computer you have on your desk at home.

1. Find the “UPnP Forwarding” or “Port Forwarding” page in your router’s web interface.

2. Select an internal and an external TCP port for the service (22 for SSH and related protocols). You may choose any port you want for the external TCP port, but you have to remember it.

3. Select a protocol, typically TCP.

4. Enter the IP address of the Linux computer to forward incoming requests to.

5. Enable the service and save the configuration.

See Figure Six. You may now connect to your Linux computer from anywhere in the world via the SSH protocol. However, you will have to know the external IP address assigned to you by your ISP to do so.

FIGURE SIX: How to configure UPnP port forwarding.

For instance, from a remote computer, run…

$ ssh 10.10.100.1 -l fred

… to connect to your home machine, assuming 10.10.100.1 is your external IP address.

If you have a dynamically assigned IP address, use a dynamic DNS service such as http://dyndns.org to keep up with your changing IP address. You can also use DynDNS to assign a name to your IP address, like fred.homelinux.com, which gives you a stable, easy-to-remember name. Full instructions on updating DynDNS with your IP address can be found on the site.
