
Thread: Trying to build a headless box. Struggling with X security over VNC

  1. #1
    Join Date
    Mar 2021
    Beans
    10

    Trying to build a headless box. Struggling with X security over VNC

    Good Evening,

    I'm on a fresh install of 20.04. I have TightVNC running with XFCE. All the built-in applications work just fine, but when I attempt to open anything else I get errors like this one.
    Client is not authorized to connect to Server[6117:6117:0317/024325.644018:ERROR:browser_main_loop.cc(1390)] Unable to open X display.
    AUDIT: Wed Mar 17 02:55:10 2021: 5616 Xtightvnc: client 14 rejected from local host
    If I start the VNC server with '-ac' to disable X security it works fine. I've checked several tutorials on setting up VNC on 20.04. None of them mention this error or how to fix it. Searching using the error text has gotten me nowhere.

    Thanks in advance,

    *EDIT* The problem is that apparently SNAP packages have a different XAuthority file. The solution is here: https://forum.snapcraft.io/t/x11-for...ing-ssh/2381/2

    Symlink the Xauthority in the snap package with the one in the home directory. I suspect that an update may break this.
    Code:
    ln -s ~/.Xauthority ~/snap/brave/current/.Xauthority
    Last edited by pi-thrower; March 24th, 2021 at 06:53 PM.
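
A repeatable version of the symlink fix from post #1, as an added example that is not part of the original post: it keeps X access control on (no '-ac') and can be re-run after a snap update. The function name `link_snap_xauth` is hypothetical, and the `~/snap/<name>/current/` layout is assumed from the path in the post.

```shell
#!/bin/sh
# Added example (not from the thread): share the user's X cookie file with a
# snap instead of disabling X access control with '-ac'.
# Assumes the layout shown in the post: ~/snap/<name>/current/.Xauthority

# link_snap_xauth NAME
# Returns 0 when the snap's .Xauthority resolves to ~/.Xauthority.
link_snap_xauth() {
    name=$1
    src="$HOME/.Xauthority"
    dir="$HOME/snap/$name/current"
    dst="$dir/.Xauthority"

    [ -f "$src" ] || { echo "no cookie file at $src" >&2; return 1; }
    [ -d "$dir" ] || { echo "no snap data dir at $dir" >&2; return 1; }

    # The cookie grants access to the display: keep it private to the owner.
    chmod 600 "$src" || return 1

    # Already pointing at the same file: nothing to do.
    if [ -e "$dst" ] && [ "$dst" -ef "$src" ]; then
        return 0
    fi

    # A stale copy or a dangling link is moved aside, not silently overwritten.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        mv "$dst" "$dst.bak" || return 1
    fi

    ln -s "$src" "$dst" || return 1

    # Verify the result rather than trusting ln's exit status alone.
    [ "$dst" -ef "$src" ]
}

# Usage, with the snap from the post:  link_snap_xauth brave
```
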

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Trying to build a headless box. Struggling with X security over VNC

    How tied to VNC are you? There are better solutions with 1000x better network security and 2-3x better performance.

    What are the client machines running?

  3. #3
    Join Date
    May 2010
    Beans
    3,232

    Re: Trying to build a headless box. Struggling with X security over VNC


  4. #4
    Join Date
    Mar 2021
    Beans
    10

    Re: Trying to build a headless box. Struggling with X security over VNC

    Quote Originally Posted by ActionParsnip View Post
    I've essentially followed that. There are others that give effectively the same guidance with only minor changes in the 'xstartup' script.


    *edit* This one uses a different VNC server. I haven't tried it, but I get the sense that this is an X problem, not a VNC problem: https://tecadmin.net/install-vnc-ser...-ubuntu-20-04/
    Last edited by pi-thrower; March 17th, 2021 at 08:36 PM.

  5. #5
    Join Date
    Mar 2021
    Beans
    10

    Re: Trying to build a headless box. Struggling with X security over VNC

    Quote Originally Posted by TheFu View Post
    How tied to VNC are you? There are better solutions with 1000x better network security and 2-3x better performance.

    What are the client machines running?
    Client machines are mainly Windows but I'd prefer not to break Linux/OSX compatibility. My current plan was to use SSH port forwarding with PuTTY. People aren't kidding about the bad performance though.

  6. #6
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Trying to build a headless box. Struggling with X security over VNC

    Quote Originally Posted by pi-thrower View Post
    Client machines are mainly Windows but I'd prefer not to break Linux/OSX compatibility. My current plan was to use SSH port forwarding with PuTTY. People aren't kidding about the bad performance though.
    x2go is the answer you seek. https://www.digitalocean.com/communi...n-ubuntu-20-04 I guess those instructions are fine. Didn't look too closely. The clients for Linux and Windows are solid. All traffic goes over ssh, automatically, but set up ssh w/keys first.

  7. #7
    Join Date
    Mar 2021
    Beans
    10

    Re: Trying to build a headless box. Struggling with X security over VNC

    Quote Originally Posted by TheFu View Post
    x2go is the answer you seek. https://www.digitalocean.com/communi...n-ubuntu-20-04 I guess those instructions are fine. Didn't look too closely. The clients for Linux and Windows are solid. All traffic goes over ssh, automatically, but set up ssh w/keys first.
    I don't seem to be able to win here. I'm on a Windows box that has key auth working. I'm using the *same* private key in X2Go as I am in PuTTY. It endlessly asks me for the decryption passphrase and never goes through. Auth log only shows that the user disconnected during preauth after several attempts.

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Trying to build a headless box. Struggling with X security over VNC

    Quote Originally Posted by pi-thrower View Post
    I don't seem to be able to win here. I'm on a Windows box that has key auth working. I'm using the *same* private key in X2Go as I am in PuTTY. It endlessly asks me for the decryption passphrase and never goes through. Auth log only shows that the user disconnected during preauth after several attempts.
    I don't think the same ssh-key format that PuTTY uses works anywhere else. Maybe if you set up the ssh-key using the pseudo-native Win10 ssh-keygen and append that over to the remote system?

    Honestly, I haven't used x2go from Windows in over a year. We didn't move to Win10 here. We kept a few systems on Win7 for emergencies and all the others moved to Linux desktops. Not everyone can do that.

    Let me look for x2go issues with ssh-keys from Windows10.

    Got it working. Use the ssh-keygen program included with x2go, not the putty one.

    A quick search found this guide from the x2go team: https://wiki.x2go.org/doku.php/wiki:...sswordless-ssh
    1. Ok, so I booted a Win7 box, installed the "current" x2go client.
    2. Created an ssh-keygen -t ed25519 (using the ssh-keygen in the X2Go-Client directory) and forced it into the directory I wanted/expected. For me, that was d:/Users/thefu/.ssh/. 2 files are created ... id_ed25519 and id_ed25519.pub.
    3. The .pub file has to be transferred to the remote system. I used the x2go pscp.exe program to do that. On Unix, I'd use ssh-copy-id and it would do the right thing correctly, always.
    4. From Windows, we are in the 1990s and have to manually get the .pub file over to the remote system.

    Now move to the Linux server
    1. Next append it to the ~/.ssh/authorized_keys file correctly. If you don't already have any ~/.ssh/authorized_keys file, just copy the .pub file into that file/location. Each key must be on 1 line. Some editors insert line breaks rather than wrapping. Don't allow that.
    2. The permissions need to be 600 on that file and 700 on the ~/.ssh/ directory. Get those wrong and ssh won't work. Security matters.


    Back on the client/Windows system,
    1. run the x2go-client program.
    2. In the session settings, there's a place to browse to the d:/Users/thefu/.ssh/id_ed25519 file and
    3. 1 checkbox that says to use that automatically.

    The first time you use it, ssh-agent will ask if you want to remember the key-unlock credentials. Your choice. Then for the next few hours, you won't be asked to unlock that ssh key on any system where you've pushed that .pub keyfile.

    Personal Notes/Techniques: I use a different key for each customer and for different security levels for systems. For normal servers inside a customer's LAN, I use 1 key. But for any internet-facing systems, I use a different key. This sounds like a hassle, but it isn't. On Unix systems, we can specify which keys are used for each remote system in the ~/.ssh/config file - it supports all sorts of other configuration options to make life easier. But that's a different question.

    If you don't use ed25519 keys ... well, please go read this: https://nbeguier.medium.com/a-real-w...s-b26b0b31bfd9 RSA and DSA really shouldn't be used.

    I use x2go mainly when traveling, not when I'm at home working. 99.9% of the time, I use straight ssh connections from home. On the LAN, I'll use ssh -X for X/Windows tunneling. It is much more convenient for me than wasting a full Linux desktop, but we are all different. Right now, I have 22 windows open on my workstation across a few different virtual desktops. Of those, 10 are ssh sessions into other systems inside a terminal each. Each terminal gets started with something like this command:
    Code:
    xterm -geometry 80x25+1030+50 $XTERM_OPTS -e ssh -X istar &
    They have different placement and different remote system names for a nice layout. Some people use tmux or screen tools to accomplish the same thing. In the olden days, connectivity was not so great and a disconnect would kill remote programs. I've been lucky - never had that issue. Part of me wishes I'd have learned to use tmux.

    You can tune x2go connection parameters as needed. I usually set the connection speed to be 1 less than whatever the truth is. Also, I tweak the image compression to use 4k-png. This is the difference between a nice, fast, experience and something sluggish ... like VNC or RDP.

    Anyway, hope this is helpful and I'll see the night vs day difference that x2go provides. xfce is a good choice, btw. Really just avoiding Gnome3 seems to be the only DE requirement for x2go to work well. I've used it from different continents and been happy. I've connected to my Mom's Lubuntu desktop over the slowest DSL possible - basically ISDN speeds. That wasn't snappy, but it was serviceable.
    Last edited by TheFu; March 18th, 2021 at 06:27 PM.
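
The server-side steps from post #8 (append the .pub file, one key per line, 600 on the file and 700 on the directory), as an added example that is not part of the original post. The function name `install_pubkey` and its return codes are hypothetical; it accepts only the ed25519 key type generated in the post, and strips the Windows line endings a key file copied from the client may carry.

```shell
#!/bin/sh
# Added example (not from the thread): append a transferred .pub file to
# authorized_keys with the checks described in the post.

# install_pubkey PUBFILE [SSH_DIR]
# Returns 0 on success, 1 on I/O error, 2 if the file does not hold exactly
# one line, 3 if that line does not look like an ed25519 public key.
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Remove CRs left by a Windows-side transfer and drop blank lines.
    key=$(tr -d '\r' < "$pub" | sed '/^[[:space:]]*$/d')

    # "Each key must be on 1 line": a key wrapped by an editor fails here.
    if [ "$(printf '%s\n' "$key" | grep -c '')" -ne 1 ]; then
        echo "expected exactly one key line in $pub" >&2
        return 2
    fi

    # Shape check: key type, base64 blob, optional comment.
    printf '%s\n' "$key" |
        grep -Eq '^ssh-ed25519 [A-Za-z0-9+/]+=*( .*)?$' || {
        echo "not an ssh-ed25519 public key line" >&2
        return 3
    }

    # sshd ignores keys when these are writable or readable by others.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: do nothing if this exact line is already present.
    grep -qxF -- "$key" "$auth" && return 0

    # Make sure the previous entry ends with a newline before appending.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth" || return 1
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Usage on the server:  install_pubkey ~/id_ed25519.pub
```
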

  9. #9
    Join Date
    May 2010
    Beans
    3,232

    Re: Trying to build a headless box. Struggling with X security over VNC

    What are you wanting to do on the remote system once you get connected via VNC? What is the purpose of the connection? There may be a sleeker solution to what you are trying to achieve

  10. #10
    Join Date
    Mar 2021
    Beans
    10

    Re: Trying to build a headless box. Struggling with X security over VNC

    Thanks for the help. I got this working on Windows with the recommended keygen. It fired up on my Ubuntu laptop with a couple of attempts to figure out settings.

    I noticed that after a certain amount of time (inactivity?), somewhere around 15 min, the session locks up. The behavior is the same on both clients. The cursor still moves and changes if hovered over the edge of a window, but the session stops responding to any other inputs. I even went so far as to open a terminal, wait for it to freeze, then use 'wall' on a different terminal to see if the text would pop up. It didn't. Could it be that there is some sort of screen saver or power saving mode that X is trying to go into that I cannot wake it from?
