[SOLVED] Remote Linux desktop through SSH tunnel from Mac

Dennola4
Posts: 172
Joined: 7. Sep 2010, 18:25
Location: San Diego, CA, USA

[SOLVED] Remote Linux desktop through SSH tunnel from Mac

Post by Dennola4 »

Issue: I would like to use SSH to control my home computer's desktop (Linux) from my work computer (Mac).

I have used VNC in the past. I find it slow, and I also don't want to install ChickenOfTheVNC on my boss' computer if I can just use the existing ssh with X forwarding. I downloaded Remmina which I hear is great. When I open it I don't see the SSH tab (?). Anyway, my real problem -- with or without Remmina -- is setting up SSH, since I do not fundamentally understand what in the world I'm doing. Steps I have blindly taken so far include:

1) made /etc/rc.d/rc.sshd executable, then ran sshd_start which generated host keys in /etc/ssh.
2) modified ssh and sshd config files so that "no" was changed to "yes" on: ForwardAgent, ForwardX11 and Tunneling. (I left them commented, though).
3) Ran ssh-keygen -t dsa which created id_dsa and id_dsa.pub in ~/.ssh (passphrase was created, presumably using downloaded repo pkg x11-ssh-askpass).
4) Started ssh
5) From client computer (Mac) ran all sorts of weird commands, like: ssh -X root@xx.xxx.xxx.xx which kept timing out.

I don't know what I'm doing. Please help. :oops: My ace-in-the-hole is to just install TeamViewer on both sides from the SlackBuild repo, but it's an ugly solution. I'd rather learn the proper *nix way.

P.S. - when you answer this, please assume I know NOTHING about hostnames, domains, proxies, tunneling, port-forwarding, etc.

Thanks in advance.

Dennis in New Orleans.
Last edited by Dennola4 on 4. Jul 2011, 07:16, edited 1 time in total.
There are no stupid questions.
Shador
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: Trouble working with SSH

Post by Shador »

I recommend that you be utterly careful with ssh, and this is not getting any better by "blindly" trying stuff. Otherwise you get hacked easily. Some measures to prevent this (no guarantee for completeness though):
  • keep your software up-to-date
  • disable password authentication --> use private/public key authentication only
  • don't permit root login
  • possibly run ssh on a non-standard port (helps against script-kiddies but is mostly relevant for password auth)
  • possibly explicitly set users which should be allowed ssh access
I'm running two ssh instances on my server myself, one with hardened settings for public access and another one with loose default settings for comfortable local access. This is not completely straightforward to set up though, at least if you want both daemons to autostart.

Now to your actual problem, although I really recommend checking your security first. I guess your machine is behind a NAT device (e.g. a router). Such devices act as firewalls, as usually multiple devices are or can be connected to them and are using one IP address together, incoming connections (from the internet) can't be accepted by them unlike outgoing ones, as for those the device knows which local machine to route to. The device just can't know which machine to route to for outgoing ones. Therefore you need to set up port forwarding in your device, which instructs it to forward port 22 to port 22 of the machine you're running ssh on. Be aware that the same port can only be forwarded to exactly one machine behind that NAT device, i.e. only one machine with public ssh access on the same port.
If you're not behind a router, I guess you've got a firewall of some sort running and need to open port 22.
Possibly if you're using a router and a firewall on your local machine you need to open the port on both.
Be aware that this exposes port 22 of that machine to the public!

Also I recommend you test your public/private key setup and your setup in general locally first.

Do you know that the functionality of X11 Forwarding and VNC are not the same? The latter allows you to view a remote desktop, while the first only allows you to start X applications on the remote host and to view them locally.

You also need some X11 libraries for X11 Forwarding at least on Windows.
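The measures listed in the post above map onto sshd_config directives (PasswordAuthentication, PermitRootLogin, Port, AllowUsers). The script below is an added example, not code from the thread: it audits those four settings on two constructed config files and treats commented-out directives as absent. The function names, finding labels and file contents are assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the four measures listed above.
# The two config files below are constructed samples, not from the thread.

# Print the value sshd would use for KEY: the first uncommented occurrence
# wins, keywords are case-insensitive, and a commented line counts as absent.
effective_value() {    # usage: effective_value FILE KEY DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/                  { next }   # commented out: ignored by sshd
        tolower($1) == "match"      { exit }   # conditional blocks: out of scope
        tolower($1) == tolower(key) { val = $2; found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Print one finding per line; no output means all four checks passed.
audit_sshd() {
    f=$1
    [ "$(effective_value "$f" PasswordAuthentication yes)" = no ] ||
        echo "password-auth-enabled"
    [ "$(effective_value "$f" PermitRootLogin unset)" = no ] ||
        echo "root-login-not-disabled"
    # Port may be repeated and sshd listens on each, so inspect all of them.
    ports=$(awk 'tolower($1) == "port" { printf "%s ", $2 }' "$f")
    case " ${ports:-22} " in *" 22 "*) echo "default-port" ;; esac
    [ "$(effective_value "$f" AllowUsers unset)" != unset ] ||
        echo "no-user-allowlist"
}

blind=$(mktemp) hardened=$(mktemp)
trap 'rm -f "$blind" "$hardened"' EXIT

# Edited but left commented: sshd still runs with its built-in defaults.
cat > "$blind" <<'EOF'
#Port 6666
#PermitRootLogin no
#PasswordAuthentication no
EOF

# Uncommented directives; the trailing duplicate is ignored (first one wins).
cat > "$hardened" <<'EOF'
Port 6666
PermitRootLogin no
PasswordAuthentication no
AllowUsers dennis
PasswordAuthentication yes
EOF

echo "blind:";    audit_sshd "$blind"
echo "hardened:"; audit_sshd "$hardened"
```

On a real server the same check is `audit_sshd /etc/ssh/sshd_config`; the settings only take effect after sshd is restarted.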
Dennola4
Posts: 172
Joined: 7. Sep 2010, 18:25
Location: San Diego, CA, USA

Re: Trouble working with SSH

Post by Dennola4 »

Shador,

as always, I appreciate the thorough response. This line in particular was an eye-opener:
Shador wrote:Do you know that the functionality of X11 Forwarding and VNC are not the same? The latter allows you to view a remote desktop, while the first only allows you to start X applications on the remote host and to view them locally.
I did not know that. Huh. Maybe I should start over, and redefine my problem not so much as a desire to learn SSH but to implement an efficient remote desktop solution. From home (Salix box) I can control my work desktop (Mac) using LogMeIn Free. I would like to be able to do the same in reverse, that is, control my Linux machine from the Mac at work. Problem is that LogMeIn isn't offering a Linux version currently. On these forums I have heard Gapan (whose opinion I tend to respect as gospel) praise both SSH and Remmina as the best solutions for remote desktop. I am stuck at figuring out how to get them to work.

I have read the Remmina wiki. I don't need RDP since there are no Windows machines involved. For VNC I could just use TightVNC on one end and ChickenOfTheVNC on the other. So the only other reason to use Remmina seems to be for the NoMachine NX protocol, which runs over SSH sessions. Problem is that when I start Remmina there is no visible SSH tab, though it's there on Remmina screenshots. Also, I don't know how to set it up; there is no Remmina man page and the wiki is very sparse. Blah.

I'm frustrated because just as not every car driver is an expert auto mechanic, not every Linux-based OS end-user is computer literate. I am trying my hardest to figure this stuff out but really I just want to control my Linux desktop from work. The easy solution seems to be TeamViewer, but I HATE that it uses Wine. So the question is, how do I control my home computer from work using Remmina or other in such a way that (a) the response time isn't ridiculously sluggish (b) minimal installation is required on the client side, and (c) the solution is straightforward enough that a person who doesn't understand the terms but CAN follow directions can implement it?

Thanks.

:?: :?: :?:
thenktor
Salix Wizard
Posts: 2426
Joined: 6. Jun 2009, 14:47
Location: Franconia

Re: Trouble working with SSH

Post by thenktor »

Dennola4 wrote:On these forums I have heard Gapan (whose opinion I tend to respect as gospel) praise both SSH and Remmina as the best solutions for remote desktop. I am stuck at figuring out how to get them to work.
As Shador noted SSH is no remote desktop. You can still use it to start single graphical apps on the server and display them on the client. The downside of this solution: it's damn slow.
For the Remmina part: I did not test Remmina, but to me it looks just like a client. You need to run the usual daemons on your server like ssh, tightvnc or freenx.
Dennola4 wrote:So the only other reason to use Remmina seems to be for the NoMachine NX protocol, which runs over SSH sessions. Problem is that when I start Remmina there is no visible SSH tab, though it's there on Remmina screenshots.
I packaged FreeNX (NoMachine NX server) a long time ago. I remember packaging and configuring was a bit hard at the time. IIRC it uses an ssh tunnel for data transfer, so you need a running ssh daemon and all data transfer is encrypted. But it's totally different from using plain ssh. It provides a full desktop solution and the main advantage of the NX technology is its high-quality compression, which allows a decent speed even over slow connections (e.g. DSL).
Dennola4 wrote:Also, I don't know how to set it up; there is no Remmina man page and the wiki is very sparse. Blah.
There is probably not much to know about Remmina configuration, because the main configuration part is done on your server. You just need to enter the correct login information in Remmina.

Another important thing: Do you want to connect to an already running X session on your server or do you want to start a new X session?
Dennola4
Posts: 172
Joined: 7. Sep 2010, 18:25
Location: San Diego, CA, USA

Re: Trouble working with SSH

Post by Dennola4 »

Hey Thenktor.

In answer to your last question, I would like to connect to an existing instance of X running at home (server), which I would access and remotely control from another machine (in this case a Mac).

As I said earlier, I have used VNC before with success. My two issues were that rendering is slow and security is an issue since I wasn't running it over SSH. I get what you are saying about Remmina....that at the end of the day it is a client. An interface, basically. So setting up the system is the challenge and that requires choosing the connection type (SSH, VNC, NX, etc) and then connecting using whichever client I choose.

*sigh* I think I am discovering that until either TeamViewer or LogMeIn releases a (real) Linux version of their product, I am best off using the Wine-based TeamViewer product to accomplish my goal. I downloaded it from SlackBuilds, executed it on both ends and sure enough it functions as hoped. The problem I have is the ugly Windows theme, the C: drive and H: drive garbage, and the fact that when it closes it forces my browser to open to the Teamviewer website in a resized window which I then have to maximize again. I can't seem to find the script that is generating the offensive ~/.teamviewer/6/drive_c/teamviewer.html.

UGH. Anyway, it does work, so unless you can offer an alternative solution (which I would happily take to get this Wine bull-crap off of my computer) I guess for now this is the solution and I will mark this thread solved. Thanks.

:| :| :|
gapan
Salix Wizard
Posts: 6368
Joined: 6. Jun 2009, 17:40

Re: Trouble working with SSH

Post by gapan »

Dennola4 wrote:2) modified ssh and sshd config files so that "no" was changed to "yes" on: ForwardAgent, ForwardX11 and Tunneling. (I left them commented, though).
Leaving them commented is like you never edited them. But it's ok, since you don't really want any of that and it's better that you don't use them anyway.

You need to take this step by step. First make sure that you have a working ssh connection. Better change the ssh port too as others said. Restart the ssh server after you do. Try to connect locally first. While on the server, try to connect with ssh:

Code:

ssh -p ssh_port user@localhost

Exchange ssh_port with the port you're using and user with your username. If that works and you get logged in, your server is running fine.

Then try the same from inside your local network, from another pc:

Code:

ssh -p ssh_port user@server_ip

Change server_ip to the respective local ip address of the server (using dhcp is not recommended, use static ips).

Now try creating an ssh tunnel from the server to the client. Run this in the client:

Code:

ssh -p ssh_port -C -t -L 5900:localhost:5900 user@server_ip 'x11vnc -display :0'

You should now be able to connect using vnc through that tunnel with

Code:

vncviewer -compresslevel 9 localhost

(The -C option in ssh and the compresslevel in vncviewer are for compression; this should not matter with local connections, but it could make a difference with remote connections later.)

If you connect, you need to make sure that the ssh_port you're using is forwarded from your router to your server pc. That way you can connect from outside your local network using the same two commands, replacing only the local server_ip with your external ip.
Dennola4 wrote:3) Ran ssh-keygen -t dsa which created id_dsa and id_dsa.pub in ~/.ssh (passphrase was created, presumably using downloaded repo pkg x11-ssh-askpass).
You did that on the client, right? That will help you log in to your server without the need for typing your password. But you need to add those keys you created in your client to your server too. The easiest way to do it is to take the id_dsa.pub file with you on a USB drive, connect it to your server and run:

Code:

cat id_dsa.pub >> ~/.ssh/authorized_keys2

If you try to connect with ssh after that you should need no password. You can now disable password logins with ssh and permit only passwordless logins, so that nobody else can connect unless they have your key.
Dennola4 wrote:5) From client computer (Mac) ran all sorts of weird commands, like: ssh -X root@xx.xxx.xxx.xx which kept timing out.
Don't try to login as root. It's disabled by default and you better leave it like that. You don't need -X either as X11 forwarding is not what you want.
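With the `-L 5900:localhost:5900` forward from the post above, the viewer reaches x11vnc through ssh, so x11vnc only needs to listen on the server's loopback address; its `-localhost` option restricts it to that. The script below is an added example, not code from the thread: it scans a listener table in the column layout of `ss -ltn` for a port bound to a non-loopback address. The function name and both sample tables are constructed assumptions.

```shell
#!/bin/sh
# Added example. The listener tables below are constructed samples in the
# column layout of `ss -ltn`; they are not output from the thread's machines.

# Read listener lines on stdin and print the local address of every
# LISTEN socket on PORT that is bound to something other than loopback.
exposed_listeners() {    # usage: ss -ltn | exposed_listeners PORT
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            addr = $4                        # "address:port"
            n = match(addr, /:[0-9]+$/)      # position of the last colon
            if (n == 0 || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }'
}

# x11vnc started without -localhost: port 5900 listens on every interface.
wide='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:5900       0.0.0.0:*
LISTEN 0      32     [::]:5900          [::]:*
LISTEN 0      128    0.0.0.0:6666       0.0.0.0:*'

# x11vnc started with -localhost: only the ssh tunnel can reach it, e.g.
#   ssh -p ssh_port -C -t -L 5900:localhost:5900 user@server_ip \
#       'x11vnc -localhost -display :0'
loopback='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     127.0.0.1:5900     0.0.0.0:*
LISTEN 0      128    0.0.0.0:6666       0.0.0.0:*'

echo "without -localhost:"; printf '%s\n' "$wide"     | exposed_listeners 5900
echo "with -localhost:";    printf '%s\n' "$loopback" | exposed_listeners 5900
```

An empty result for port 5900 means the VNC server is reachable only through the ssh tunnel; the ssh port itself (6666 in the samples) is expected to show up as exposed.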
Dennola4
Posts: 172
Joined: 7. Sep 2010, 18:25
Location: San Diego, CA, USA

Re: Trouble working with SSH

Post by Dennola4 »

Gapan,

thank you so much for taking the time to type out these instructions. Step one worked fine.

Code:

ssh -p 6666 dennis@localhost

I do not fully understand what got connected to what in this step, but suddenly I was dennis@darkstar.

Step two -- connecting from inside LAN -- will have to wait until I have a reliable second computer (I'm having driver issues with eth0 and wlan0 on my old Fujitsu S-Series Lifebook). Question: in the code you shared, ssh -p ssh_port user@server_ip, would I put dennis@xx.xxx.xxx.xx where the IP number is my public IP? The one I get when I go to http://www.ipchicken.com ? If not, as I assume, then is it the inet # that comes up when I type ifconfig -a? I'm sorry if these sound like dumb questions.

Also, I have two different ways that I connect at home. One is a ppp connection -- Sprint Aircard (pcmcia) -- and the other is an Alfa usb modem connecting to an unsecured network in the area (it really is open, not managed, I swear). So is it overly ambitious of me to think that I can do this when neither of these connections allow me access to a router? (I do have Corkscrew downloaded, by the way).

Thanks again for your patience. I am sure that this lesson will benefit many users.

:idea:
gapan
Salix Wizard
Posts: 6368
Joined: 6. Jun 2009, 17:40

Re: Trouble working with SSH

Post by gapan »

Dennola4 wrote:Question: in the code you shared, ssh -p ssh_port user@server_ip, would I put dennis@xx.xxx.xxx.xx where the IP number is my public IP? The one I get when I go to http://www.ipchicken.com ?
No. Your public IP is the external ip I'm mentioning. You need that to connect from outside your local network.
Dennola4 wrote:If not, as I assume, then is it the inet # that comes up when I type ifconfig -a? I'm sorry if these sound like dumb questions.
Correct.
Dennola4 wrote:Also, I have two different ways that I connect at home. One is a ppp connection -- Sprint Aircard (pcmcia) -- and the other is an Alfa usb modem connecting to an unsecured network in the area (it really is open, not managed, I swear). So is it overly ambitious of me to think that I can do this when neither of these connections allow me access to a router? (I do have Corkscrew downloaded, by the way).
I'm guessing that connecting through ppp using your pcmcia card doesn't have any firewalls (in which case you had better install one on your pc), so you should be able to connect using your public ip from outside your network without having to open/forward any ports. I don't know what an "Alfa usb modem" is though.
Dennola4
Posts: 172
Joined: 7. Sep 2010, 18:25
Location: San Diego, CA, USA

Re: Trouble working with SSH

Post by Dennola4 »

Gapan,

I went home and connected to Internet with ppp. I came to work and opened a terminal on Mac. I typed:

Code:

ssh -p 6666 dennis@111.222.333.44

where "6666" is the assigned SSH port on my server and "dennis@number" is user@server_public_IP. Sure enough I was connected, became dennis@darkstar on the client and could navigate my filesystem. That's pretty cool.

Next step. You say run this in the client:

Code:

ssh -p ssh_port -C -t -L 5900:localhost:5900 user@server_ip 'x11vnc -display :0'

I interpret that to mean that on my work Mac (client), I am to type this line into the terminal:

Code:

ssh -p 6666 -C -t -L 5900:localhost:5900 dennis@111.222.333.44 'x11vnc -display :0'

When I do, this happens:

Code:

01/07/2011 15:20:41 x11vnc version: 0.9.10 lastmod: 2010-04-28  pid: 9220
No protocol specified
01/07/2011 15:20:41 XOpenDisplay(":0") failed.
01/07/2011 15:20:41 Trying again with XAUTHLOCALHOSTNAME=localhost ...
No protocol specified

01/07/2011 15:20:41 ***************************************
01/07/2011 15:20:41 *** XOpenDisplay failed (:0)

Am I doing something wrong here?

:?:
aiya88
Posts: 9
Joined: 1. Jul 2011, 19:19
Location: France

Re: Trouble working with SSH

Post by aiya88 »

Hi Dennis,

Good job on the first step: you can connect through SSH. You now have a secure link between your home and your office.

Then the 2nd step Gapan gave you is to launch another connection inside the secure connection. I think you did it right. The problem is here:

Code:

01/07/2011 15:20:41 XOpenDisplay(":0") failed.

It means your Mac is unable to understand the X11 protocol (which is the one used by Linux to display things on your screen).
You typed this command inside the Terminal app of your Mac, right? Actually, MacOS doesn't use X11 by default, it uses its own protocol. Hopefully, Apple supplies the X11 tools. You should check if you have an application named "X11" in your Mac Application folder. Maybe it's in the Utilities subdirectory (sorry, I haven't used a Mac for a while...).

If you don't have this application, you can find it on your MacOS install DVD as an optional package (I think it's named "X11 Tools").

Once you have it, launch it and you'll get another terminal from which you could type Gapan's code.