Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
04-16-2004, 08:24 AM
|
#1
|
Member
Registered: Mar 2004
Posts: 54
Rep:
|
Secure remote control
Anyone have any recommendations and/or links to how-tos for preferred secure methods of remote control for Linux?
I am new to Linux, coming from Windows, where I utilize Terminal Services all the time. For those not familiar with Windows, this is like VNC. I need to get the same functionality for Linux. I want to control my Linux box from a Windows machine. Can VNC do this? Is it secure? Encrypted? I was under the impression that VNC was not secure. Can VNC be combined with SSH?
Anyway, currently I am playing with SSH and X11 forwarding. I have the Cygwin/X X server installed on my Windows machine and use the PuTTY SSH client. This is nice, secure, as I understand it. But everything has to be launched from the command line separately (which is cool in a way but..). It's not really a remote 'terminal'. Meaning, I want to see my whole Linux desktop GUI.
I have read a little about XDMCP and understand it is not secure either. Is combining XDMCP with SSH a preferred method? If so, can someone point me in the direction of some good step-by-steps and/or how-tos?
Is there something else?
Thanks
|
|
|
04-16-2004, 09:13 AM
|
#2
|
LQ Newbie
Registered: Apr 2004
Posts: 19
Rep:
|
I am in the same boat. I posted in Linux Software about running Windows Manager thru SSH, but got no response at all.
Same as you, the problem I am facing is, PuTTY is secured by SSH, but when I run Cygwin/X with XDMCP, it is not going thru PuTTY, therefore not thru SSH.
The way I run my Linux is, it has everything firewalled except the SSH port. So the Cygwin/X XDMCP request never reached the Linux.
The only solution I can think of is using PuTTY SSH to proxy/forward the XDMCP port inside SSH, then it should reach Linux within SSH. I am reading on how to proxy/forward a specific port in PuTTY right now.
You said you read about XDMCP; do you know what port(s) it is using? Note that X11 is already forwarded by PuTTY, so it's just a matter of tunneling the XDMCP over PuTTY thru SSH.
|
|
|
04-16-2004, 09:32 AM
|
#3
|
Member
Registered: Mar 2004
Posts: 54
Original Poster
Rep:
|
http://en.tldp.org/HOWTO/XDMCP-HOWTO/index.html
Quote from the above HOWTO:
"Using XDMCP is inherently insecure, therefore, most of the distributions shipped as it's XDMCP default turned off. If you must use XDMCP, be sure to use it only in a trusted networks, such as corporate network within a firewall. Unfortunately, XDMCP uses UDP port 177 and TCP port 6000; therefore, it is not natively able to use it with SSH. Currently, SSH1 and SSH2 are not implemented to securely forward the UDP communication.
To secure the connection with SSH, the technique is called X11 TCP/IP Port Forwarding. Check this Why Port Forwarding? site and the Resources area for additional HOW-TO information. If you would like to experiment this, I have add a little section below to show you how it works. I will give you only the basic idea how it works, and I will leave the more advanced way of running it to other experts and/or HOWTOs. "
I think this HOWTO started me in the right direction. However, I didn't get real deep into it yet. Then (like a few minutes ago) I realized I need to change distros (currently have RH9). I knew RH was discontinuing desktop distros and support; however, since their server packages are still going to be around I thought I could still get updates/patches. I'm an idiot. I am new to Linux and bought the full RH9 Pro package with DVD and books. Now I have to change to something else, so I have halted my research into the X11/SSH forwarding until I get a new distro up and running. What distro do you use?
|
|
|
04-16-2004, 09:46 AM
|
#4
|
LQ Newbie
Registered: Apr 2004
Location: Tulsa, Oklahoma
Distribution: Slackware 9.1,RedHat 9, Fedora Core 1, Fedora Core 2, Redhat Enterprise Linux AS v. 3, Mac OS 10.3.3
Posts: 16
Rep:
|
I use VNC tunnelled through SSH when I need a Linux gui remotely. Works great for me.
1. Make sure your sshd_config is set to "X11Forwarding yes" on the Linux box.
2. Run "vncserver" as your user on the Linux box (note that you shouldn't do this while you are connected w/ your port forwarded PuTTY connection, as it will be taking up the port you're trying to forward to, and the vncserver will open under a different port)
3. Set up your portforwarding config in PuTTY if that's your preferred SSH client, and connect with it.
4. Open your vncclient to connect to your localhost:<whatever port number you set in your PuTTY port forwarding config> and voilà! VNC'ed to your Linux box, with an encrypted connection by tunnelling through SSH, with the firewall only open to SSH if that's how you have it configured.
<Edit>
Note also that the default window manager for some versions of VNC is Tiny Window Manager, which while easy on the bandwidth, is ugly as hell. To change this edit your ~<your username>/.vnc/xstartup and follow the instructions in there.
</Edit>
Last edited by Jim.DiGriz; 04-16-2004 at 09:56 AM.
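The VNC-over-SSH setup described in the post above, as an added example that is not part of the original thread: it builds the client-side port-forward command and checks that the VNC server is reachable only through the tunnel. The names `user@linuxbox`, the function names and the sample `ss` output are constructed placeholders; `plink` is PuTTY's command-line client.

```shell
#!/bin/sh
# Server side (assumption: TightVNC/TigerVNC-style vncserver): start it with
#   vncserver -localhost :1
# so it only accepts connections arriving through the SSH tunnel.
# Port forwarding (-L) is governed by sshd's AllowTcpForwarding setting.

# VNC display :N listens on TCP port 5900+N (display :1 -> 5901).
vnc_port() {
    case "$1" in
        ''|*[!0-9]*) echo "display must be a number" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# Build the client command. Binding the local end to 127.0.0.1 keeps other
# machines on the client's network from using the forward.
tunnel_cmd() {  # usage: tunnel_cmd DISPLAY USER@HOST [ssh|plink]
    port=$(vnc_port "$1") || return 1
    echo "${3:-ssh} -N -L 127.0.0.1:${port}:127.0.0.1:${port} $2"
}

# Read `ss -ltn` output on stdin and print every VNC listener (5900-5999)
# bound to a non-loopback address, i.e. reachable without SSH.
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        p = port + 0
        if (p >= 5900 && p <= 5999 && host != "127.0.0.1" && host != "[::1]")
            print addr
    }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      5      0.0.0.0:5902       0.0.0.0:*'

tunnel_cmd 1 user@linuxbox                               # command to run on the client
printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners       # listeners to fix
```

With the tunnel up, the VNC viewer connects to `localhost:5901`; any address printed by the check is a VNC port that bypasses SSH and should be rebound to loopback or firewalled.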
|
|
|
04-16-2004, 10:23 AM
|
#5
|
Member
Registered: Mar 2004
Posts: 54
Original Poster
Rep:
|
Thanks, that sounds like what I'm looking for. After choosing a new distro I'll play with that config.
|
|
|
04-16-2004, 06:56 PM
|
#6
|
LQ Newbie
Registered: Apr 2004
Posts: 19
Rep:
|
Hey djc, I am not new to UNIX/Linux, but never really used it extensively. I am using it at work when I need some free tools. At home, I use LiveCD to boot Linux (LiveCD means you have an installed functional Linux on CD that you can boot from). The reason I use LiveCD to boot Linux is because it lowers a lot of the chance the Linux will be hacked. Hackers cannot write to the CDR. They can only hack in memory. And I use LiveCD for like 5 min at a time just to do my online banking, etc.
Oh, SSH doesn't support UDP inside SSH. And XDMCP is on UDP 177, as you know. Oh well.
Anyhow, at work, I use SuSE 9.0 because all I needed was to download 2 floppies to boot, then I installed the whole Linux thru the internet. No need to burn Linux to 3 CDs at all. This might not work for you because I have DS3 at work. The whole install took less than 2 hours.
|
|
|