For a Secure Remote Desktop on Ubuntu 9.10 here is how I did it using OpenSSH, FreeNX and a router with DD-WRT v24.
Pic of it in use at bottom of post, transferring a file and remote desktop at the same time.
For the purposes of this guide I will use a Desktop as the Server (Host) which is at home.
The Client will be a Laptop that I can use to control the Desktop remotely.
First you should already be familiar with the Terminal which is where you enter commands (anything in a "Code:" box). In Ubuntu it is in
Applications > Accessories > Terminal
In Kubuntu it is usually on the lower left taskbar and is called Konsole
I am using Ubuntu so you may have to make some adjustments to this guide if you are not using Ubuntu.
Installing OpenSSH (for the rest of this guide I will refer to it as only SSH)
Installing the Server on the Desktop (Host)
Code:
sudo apt-get update
then
Code:
sudo apt-get install openssh-server
then we want to backup the original configuration file and protect it from being overwritten with
Code:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
and
Code:
sudo chmod a-w /etc/ssh/sshd_config.original
Choosing a port other than the default port number 22. You can use just about any port number but it's best to stay away from commonly used ports something between 1024 and 65536, but between 49151 and 65536 is usually better. I recommend AGAINST using 2222 or 8888 like the guides use as "examples". You can find more info on ports at these links among others:
http://en.wikipedia.org/wiki/List_of...P_port_numbers
http://www.iana.org/assignments/port-numbers
http://www.neohapsis.com/neolabs/neo...neo-ports.html.
Once you have chosen a port to use. To change the default port from 22 to another port number open the config file using
Code:
gksu gedit /etc/ssh/sshd_config
Find the line that says:
change the 22 to the port number you decided to use and uncomment it by removing the "#" so it will look like
but with your port number.
There are other things to be changed in this file later, but for right now the idea is to get it up and running, then we can tweak it and secure it better so click on Save and close it.
Restart the server using
Code:
sudo /etc/init.d/ssh restart
You can replace "restart" with "stop" or "start" if you want to stop or start the SSH server. Stopping it when it's not going to be used is a good idea, you can always start it again.
Installing the Client on the Laptop
Code:
sudo apt-get update
then
Code:
sudo apt-get install openssh-client
then to change the port on the Client to the same as the Host run
Code:
gksu gedit /etc/ssh/ssh_config
Find the line that says:
change the 22 to the port number you decided to use and remove the "#" so it will look like
but with your port number.
---------------
Both host and client config files will need to be changed so edit both to the same port #.
sshd_config is the configuration file for the SSH Server (Host) (/etc/ssh/sshd_config).
ssh_config is the configuration file for the SSH Client (/etc/ssh/ssh_config).
Make sure you don't get them mixed up.
---------------
Static IP Address for the server & port forwarding
While I am using a router with dd-wrt firmware and have included the instructions for it. It is not required as long as you can set port forwarding and static IP Addresses in your routers configuration to accomplish the same thing.
This would be a good time to give your server (host) and Client static IP addresses using your router. You should already know how to access your routers configuration since you set up your network and put dd-wrt on it.
You can find out the servers MAC Address of the adapter (it will be like xx:xx:xx:xx:xx:xx where the x's are leters and numbers), and its current IP address by opening a Terminal and putting in:
Do the same with the Client.
In DD-WRT v24 you would go to Services > Services > Static Leases and click on Add (twice if you are going to give them both static IP Addresses), this will open 3 boxes where you can put your adapters
"MAC Address - A description or name like Server or Client (no spaces allowed) - IP Address you want the adapter to have"
More ifo and a guide here: http://www.dd-wrt.com/wiki/index.php/Static_DHCP
Be sure to set your static IPs outside of your automatic DHCP address range (see the above guide).
Click on "Apply Changes" at the bottom of the page to make it take effect immediately. The router will reboot itself and the changes will be in effect. So wait for it to reboot.
While you're in the routers configuration you can also set a "port forward" if you plan on accessing your server (host) from outside your LAN (Local Area Network). In other words from the Internet by going to NAT/QoS > Port Forwarding, enable it and put in your info consisting of:
A name (whatever you want)
Port From (the port you will use in the Client for when you want to connect to the server from outside your LAN)
Protocol (Both, TCP is needed, I'm not sure if UDP is)
IP Address (the static IP Address you just assigned to your server (host) above)
Port To (the port # you set SSH to on your server (host))
Tick the box to Enable
Click on "Apply Changes" at the bottom of the page to make it take effect immediately. The router will reboot itself and the changes will be in effect. Again wait for it to reboot.
Port forwarding guide here: http://www.dd-wrt.com/wiki/index.php/Port_Forwarding
You can have and save profiles so one for the LAN and one for accessing it from outside the LAN is simple so you don't have to use the same port # as SSH.
Firewall, Opening a port
A rule should be added to the servers firewall to allow connections to the servers port. I'm using firestarter, if you're using something else the see the documentation for the one you're using. If using Firestarter open it.
System > Administration > Firestarter
The Staus tab should show it as active
Click on the Policy tab, then left click in the bottom box, then on the + sign.
Here you can enter a Name or use the drop down
Change the port # to the one you setup SSH to use.
And choose who can connect to it. You can choose from Everyone, LAN only, a specific IP Address, or IP Addresses.
You can set it to the IP Address of your client for now (if you want) while configuring things and change it later so you'll be able to connect to it from anywhere.
Click Add, then the Check mark to apply the settings then you can close it.
Connecting for the first time
If you want to easily be able to tell if you made it to the server make a file (an empty text file) in the home folder on the server so you'll know you're looking at that folder and not the one on the client. Name it something unique MADE-IT or WhoooHooo. Whatever you pick a name you can delete the file anytime you want later.
Use this to connect to the server (changing the port from 22 to what you made it and the IP Address to the one you gave the server):
Code:
ssh -p 22 192.168.?.???
If you put in a password earlier then it will ask for it so enter it and hit Enter.
Once it connects use
That will list the files in the servers home folder and you should see the file you made (MADE-IT, WhoooHooo or whatever).
If everything looks good then congratulations you have an active SSH Server and Client working. If not go back thru and see what's wrong. This is far from secure at this point. So next we want to secure it.
Passwords and Keys
You should really read this page
http://help.ubuntu.com/community/SSH/OpenSSH/Keys
since I'm not going to reproduce it all here since it's very good.
Don't just start putting in the commands... Read it all first since at first it says to use
but farther down the page it changes that (increasing it's strength) to this
Code:
ssh-keygen -t rsa -b 4096
When you get to the part in the above titled "Password Authentication" it recommends disabling password authentication altogether. Which we will, but if you do it right now you wont be able to test FreeNX yet, as FreeNX requires it to be enabled to work by default. Disabling it will come later.
There is a link there for "strong passwords" this will come in handy it leads here:
http://help.ubuntu.com/community/StrongPasswords
Once you finish the instructions on that page you should be able to connect like before with:
Code:
ssh -p 22 192.168.?.???
Again changing the port from 22 to what you made it and the IP Address to the one you gave the server
But without being prompted for a password.
SSH should now be setup, have a static IP Address, you should be able to connect to it by terminal without a password using the keys, and from another computer that doesn't have they keys with a password (at this point).
Tranferring files using a GUI (Graphical User Interface) like nautilus or krusader
Nautilus (Ubuntu)
Places > Connect to server
Service Type: SSH
Server: IP Address of the server
Port: The port you set the server to
Folder: /home/<your-user-name-on-the-server>/
You can check the "Add Bookmark" box and it will show up under Places as Whatever you name it so you can just click on it like a folder.
Click on Connect
krusader (Kubuntu)
Tools > New Net Connection
Protocol: fish://
Host: IP Address of the server
Port: The port you set the server to
Username: Your username on the host computer
Password: Your password on the host computer
Click on Connect
I'm not sure how or if it can be done with Konqueror
Some others that can be used
gFTP
Host: IP Address of the server
Port: The port you set the server to
Username: Your username on the host computer
Password: Your password on the host computer
Select SSH2
Click on the icon to the left of Host that has 2 computers to connect (and disconnect)
Dolphin (also has a split view to work on 2 folders at one time)
Click on Networks on the left
Click on Add Network Folder
Select Secure shell (ssh)
Click on Next
Put in your Name
Put in your Username (username on the host computer)
Server: The IP Address of the server
Port: The port you set the server to
Folder: /home/<your-user-name-on-the-server>/
Encoding: Change to (Unicode UTF-8) or whatever works for you
Checking "Create an icon for this remote folder" is up to you
Click on Connect
Gigolo
Click on Connect
Service type: SSH
Server: IP Address of the server
Port: The port you set the server to
Username: Your username on the host computer
Click on Connect
The server will show up in the window (sftp for (username) on (IP Address of the server))
Installing FreeNX for the graphical remote desktop
The guide here http://help.ubuntu.com/community/FreeNX is real good so just follow the parts in it for:
Installing the FreeNX server on Ubuntu Karmic (9.10)
Installing the NX Client
How to start/stop FreeNX
Configuring SSH port (some you have already done and you'll be using the port you gave the server earlier)
and
Using custom SSH keys
************
Note: When setting up the Custom Keys in FreeNX I just went with Create new custom keys and Authenticate via SSH. I am not familiar with the other options and I didn't write the wiki for FreeNX.
************
Thanks to Zalbor there is another option and I'll quote it here along with how it should change things.
Originally Posted by
Zalbor
You said to pick "SSH" authentication when running dpkg-reconfigure, and later on you change the node.conf file to disallow it and use another (PASSDB) first. You could simply choose "PASSDB" when reconfiguring.
My understanding is that if you follow those instructions you would NOT need to change these 2 lines in the /etc/nxserver/node.conf file as described in this how to and those being:
change
#ENABLE_PASSDB_AUTHENTICATION="0"
and
#ENABLE_SSH_AUTHENTICATION="1"
to
ENABLE_PASSDB_AUTHENTICATION="1"
ENABLE_SSH_AUTHENTICATION="0"
So disregard those changes if you choose "PASSDB" when reconfiguring.
Since I haven't tried it myself I'm leaving them in the how to for now until I'm sure they can be omitted. I probably wont upgrade this server for a while to try it out myself, so if you try it let me know how it goes.
While I don't agree with the "SU" solution in it since I believe that would defeat the whole purpose of the keys.
Zalbor provided some good detailed information about how his/her install in the reply to this how to in post #8 here: POST #8
*************
Once you finish that there are a few more things to do
Remember, we didn't disable password authentication in SSH.
So we're going to edit 2 files on the server (host)
/etc/ssh/sshd_config
and
/etc/nxserver/node.conf
So open a terminal.
Applications > Accessories > Terminal
and use:
Code:
gksu gedit /etc/ssh/sshd_config
Hit Enter
Type in your password and hit Enter
(uncomment & change the following by removing the # and any space from the beginning of the lines.)
change
#PasswordAuthentication yes
to
PasswordAuthentication no
add
AllowUsers nx <yourusername> (yourusername is the name you use when logging in on the server normally)
UsePAM yes (already there at bottom place AllowUsers above this)
Save the file and close it then use:
Code:
gksu gedit /etc/nxserver/node.conf
(uncomment & change the following by removing the # and any space from the beginning of the lines if you haven't already)
#SSHD_PORT=22 change to the SSH port number and uncomment the line by removing the # sign
change
#ENABLE_PASSDB_AUTHENTICATION="0"
and
#ENABLE_SSH_AUTHENTICATION="1"
to
ENABLE_PASSDB_AUTHENTICATION="1"
ENABLE_SSH_AUTHENTICATION="0"
Save the file and close it then use this to create a account on the NX server:
Code:
sudo nxserver --adduser (yourusername)
(yourusername is the name you use when logging in on the server normally)
NX server will reply with:
NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
NX> 1000 NXNODE - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
NX> 716 Public key added to: /home/yourusername/.ssh/authorized_keys2
NX> 1001 Bye.
NX> 999 Bye
and add a password
Code:
sudo nxserver --passwd (yourusername)
NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
New password:
(enter your NEW password here and hit Enter (I wont be displayed)see below)
Password changed.
NX> 999 Bye
(you can paste in a good long premade password which is what you will put into the freenx client so make it a good one you'll only need to put it into the FreeNX client for each profile once if you tick the save password in the configuration for (Home and Away)
I'm not sure how long it can be but it can handle at least 30 characters see:
http://help.ubuntu.com/community/StrongPasswords
Don't forget to restart the sshd daemon after making that change using:
Code:
sudo /etc/init.d/ssh restart
I am not sure if it is really necessary but I guess it can do no harm to restart to freenx server.
Code:
sudo /etc/init.d/freenx-server restart
In Ubuntu the FreeNX client will be under Applications > Internet > NX Client For Linux > (take your pick, there is a wizard if you need it, I just use the top one).
Start the FreeNX Client and you should be able to connect the client to the server (host) on your LOCAL network using yourusername and the password you just created. Once you put in yourusername and the password then click on "configure", put the IP Address of the server (Host) where it says Host, put in the port # you gave SSH, tick the save password box and import the key file you created when installing FreeNX, then save at the bottom. Then OK then you should already have your username and password in there so Hit Login.
You should be able to connect over your LAN now. If not go back thru and check everything until you can.
You can have and save more than one profile so one for the LAN and one for accessing it from outside the LAN for EXAMPLES:
Home: the IP Address of the server (host) is used along with the SSH port #.
Away: the DynDNS .com address we will get later is used along with the port # we forwarded in the router "Port From" (above).
What's done and what's left to do:
SSH installed, configured and secured. (Done)
FreeNX installed, configured and secured. (Done)
Router configured to forward port to SSH server. (Done)
Static IP Address for server configured in router. (Done)
Now to set it up so we can access it from outside the LAN. That means from the Internet when we're away from home using the Laptop that we setup as the client.
If you have a STATIC IP Address from your ISP then all you will need to do is setup your Away profile under "Configure > General > Host" to point to that IP Address and put in the port you setup in DD-WRT's Port Forwaring "Port From" along with your username and password.
If your ISP gives you a Dynamic IP Address that changes then look in your routers DD-WRT setting under "Setup > DDNS". Enable it and you'll find a long list of services like DynDNS.org that you can use to setup a .com, .net, .org, etc. for free.
What these services do is you'll get url like "billybobsburgers.dydns.org" (That's just an example you get to pick the name). You'll put that info into your DD-WRT router and whenever your ISP changes your IP Address it will update so that "billybobsburgers.dydns.org" would still point to your router.
So pick one and go sign up for your url.
Then you would just put your "billybobsburgers.dydns.org" url into the Away profile under "Configure > General > Host" and put in the port you setup in DD-WRT's Port Forwaring "Port From" along with your username and password that you created earlier. Tick the save password box and import the key file you created when installing FreeNX, then save at the bottom. Then OK then you should already have your username and password in there so Hit Login.
Now you should be able to logon using it from anywhere. You can try it without going anywhere since FreeNX is pointing to the url as host if everything is setup right it will work. If somethings not right it wont.
NOTES:
-----
How to start/stop/restart FreeNX
The FreeNX server is not a service but uses ssh. The following command will stop the FreeNX program from accepting connections.
Code:
sudo /etc/init.d/freenx-server stop
(Replace stop with start for starting it again or restart to restart it)
-----
How to start/stop/restart the SSH Server
Code:
sudo /etc/init.d/ssh stop
(Replace stop with start for starting it again or restart to restart it)
-----
If you don't plan on using the server anytime soon stopping FreeNX then SSH can only help your systems security
If you want to start them again start SSH first then start FreeNX
******
You can make other changes to the files if you want but here's the ones we've done.
On the Server
MODS TO /etc/ssh/sshd_config
#PORT 22 (change the number and remove the # before it)
change
#PasswordAuthentication yes
to
PasswordAuthentication no
add
AllowUsers nx
AllowUsers (yourusername)
UsePAM yes (already there at bottom place AllowUsers above this)
AllowUsers can be shortened to
AllowUsers nx (yourusername)
Both on the same line with a space between them.
MODS TO /etc/nxserver/node.conf
#SSHD_PORT=22 change to the SSH port number and uncomment the line by removing the # sign
change
#ENABLE_PASSDB_AUTHENTICATION="0"
and
#ENABLE_SSH_AUTHENTICATION="1"
to
ENABLE_PASSDB_AUTHENTICATION="1"
ENABLE_SSH_AUTHENTICATION="0"
On the Client
MODS TO /etc/ssh/sshd_config
Changed the line
# Port 22
to
Port (the number of the SSH port you set on the server)
--------
Other things you can do
If you want a banner to be displayed whenever someone logs in thru a terminal a sample banner can be found here
http://help.ubuntu.com/community/SSH...SH/Configuring
On the server edit the /etc/issue.net
Code:
gksu gedit /etc/issue.net
Type or paste your banner in it (it should be empty at first)
Save and close
On the server edit the /etc/ssh/sshd_config file
Code:
gksu gedit /etc/ssh/sshd_config
Change
#Banner /etc/issue.net
to
Banner /etc/issue.net
Save and close
Don't forget to restart the SSH Server for it to take effect with
Code:
sudo /etc/init.d/ssh restart
*******
Here's a good page to read
Top 20 OpenSSH Server Best Security Practices
*******
Uninstalling if you decide you don't want it anymore
On the Client run
Code:
sudo apt-get purge nxclient openssh-client
On the Server (Host) run
Code:
sudo /etc/init.d/freenx-server stop
sudo /etc/init.d/ssh stop
sudo apt-get purge freenx openssh-server
Remove the firewall rule from the server.
Disable the Port Forward on the router.
Removing everything is sure easier than setting it up.
*******
References:
Installing OpenSSH
http://help.ubuntu.com/9.10/servergu...sh-server.html
I wanted stronger keys so I followed this for the keys
http://help.ubuntu.com/community/SSH/OpenSSH/Keys
Strong Passwords
http://help.ubuntu.com/community/StrongPasswords
Installing FreeNX
http://help.ubuntu.com/community/FreeNX
Thread on FreeNX Security in the Ubuntu Forum
Secured freeNX using custom keys. But ssh now open
DD-WRT Static IP Address Leases
http://www.dd-wrt.com/wiki/index.php/Static_DHCP
DD-WRT Port Forwarding
http://www.dd-wrt.com/wiki/index.php/Port_Forwarding
Display Banner
http://help.ubuntu.com/community/SSH...SH/Configuring
Port Lists
http://en.wikipedia.org/wiki/List_of...P_port_numbers
http://www.iana.org/assignments/port-numbers
http://www.neohapsis.com/neolabs/neo...neo-ports.html
More information
Shadowing a running session and taking control of it
To shadow the servers desktop with FreeNX.
All you have to do is in the NX Client go to Configure and set (everything is the same as earlier except).
Desktop: Set to Shadow
You'll have to play with the screen size a little but you can resize it once it's open.
When you click on Login you will get a Available sessions window.
Try the top one first and click on Attach. See pic. at bottom.
if that doesn't work try the next one.
That's it.
*************
Playing sound thru a FreeNX session
http://www.nomachine.com/ar/view.php?ar_id=AR03D00355
More Documentation including RDP and VNC thru FreeNX
http://www.nomachine.com/configuration.php
Secure Remote Desktop with SSH FreeNX & DD-WRT
Adv Reply
Bookmarks