Ubuntu:Feisty/RemoteAccess
Remote Access
Note: By themselves, neither XDMCP nor Remote Desktop sharing (VNC) is a secure method of sharing. Both send unencrypted data. They are recommended only for use within your firewall-protected LAN, or coupled with secure tunnels such as SSH or VPN.
Remote Login via XDMCP
What is XDMCP?
- Gnome (like other display managers) supports multiple simultaneous users. XDMCP is a thin-client protocol that allows multiple remote Gnome (and other display manager) users to log into a host machine, even if a local user is signed in there. There is no screen sharing with the local user; each login has its own session. (This is in contrast to VNCviewer (Remote Desktop), which merely duplicates the host screen for display on the remote client and provides screen sharing capabilities with the remote computer.)
The thin-client features of XDMCP allow users on the LAN to log in to a host server and use CPU-intensive applications there.
- XDMCP uses UDP port 177 and TCP port 6000. You should make sure that your router does not allow these ports to be accessed from the Internet, or your system will be potentially accessible from the Internet. If you have Firestarter installed as a local firewall, make sure that you open the ports for your LAN only by specifying incoming/outgoing traffic on these ports for your LAN:
192.168.0.1/24 (if your LAN is on 192.168.0.1-192.168.0.254, for example).
You are strongly urged to learn how to use IPTables (or the Firestarter GUI which manages IPTables) before using XDMCP.
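The LAN-only restriction described above can also be written directly as iptables rules. This is an added example, not part of the original page; the `lan_only_rules` helper and the script name are hypothetical, and the LAN is assumed to be the page's example range, written as the network address 192.168.0.0/24.

```shell
#!/bin/sh
# Added example, not from the original page: restrict XDMCP ports to the LAN.
# Assumption: the LAN is 192.168.0.0/24 (the range used in the page's example).
LAN="192.168.0.0/24"

# lan_only_rules PROTO/PORT...
# Prints, for each port, an ACCEPT rule for LAN sources followed by a DROP rule
# for every other source. Order matters: iptables uses the first matching rule.
lan_only_rules() {
    for spec in "$@"; do
        proto=${spec%%/*}
        port=${spec#*/}
        case "$proto" in
            tcp|udp) ;;
            *) echo "unsupported protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9:]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        echo "iptables -A INPUT -p $proto -s $LAN --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Usage (xdmcp-fw.sh is a hypothetical file name):
#   sh xdmcp-fw.sh print    show the rules for UDP 177 and TCP 6000
#   sh xdmcp-fw.sh apply    load them (needs root)
case "${1:-}" in
    print) lan_only_rules udp/177 tcp/6000 ;;
    apply) lan_only_rules udp/177 tcp/6000 | sh -e ;;
esac
```

The same function accepts a port range such as `tcp/5900:5904` for the VNC ports discussed later on this page.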
How to turn on the XDMCP feature
- To turn on the XDMCP feature on the host computer:
System --> Administration --> Login Window --> Remote --> Style: Same as Local
You can reach the same configuration panel by typing in the console:
sudo gdmsetup
Now restart your network:
sudo /etc/init.d/networking restart
Voilà.
How to login from another PC running Ubuntu
- Note: XDMCP is not encrypted and is not secure outside of a firewall-protected LAN. If you are attempting to use XDMCP over the Internet, it should be used with VPN secure tunneling. Unfortunately, UDP port forwarding is not available with SSH, so XDMCP cannot be used with SSH.
At the login screen:
Options --> Remote Login via XDMCP
Type in the host name or IP address (example: 192.168.0.2) of the remote computer.
Run an Ubuntu host from a Windows Client machine
- You can run a screen-sharing-only solution (through an SSH tunnel) using VNC (remote desktop). Read #How to connect into a remote Ubuntu desktop host from a Windows machine.
- Xming is a full X-client for the Windows platform that allows a Windows user to access applications on a Linux host. For full information, see the Xming website.
- Cygwin/X is a miniature Linux installation on your Windows machine that runs Linux applications, including an X-server. See the Cygwin/X website for more information. Also read Installing OpenSSH with Cygwin.
Remote Desktop Sharing/Duplication using VNC
Unlike the Gnome thin-client XDMCP, VNC (Remote Desktop) is merely a screen sharing solution. It allows a remote user to view and manipulate the desktop of a single user logged into the host computer. Combined with an SSH tunnel, however, it can allow secure remote access to the host computer's Gnome (or other GUI) desktop.
How to configure a Remote Desktop host
- Note: By itself, Remote Desktop (VNC) hosting is not a secure method of sharing your desktop because communications are not encrypted. Simple password authentication is also used (which can be broken by simple hacking programs). It should therefore not be used outside of a firewall-protected LAN unless it is coupled with a secure SSH or VPN data tunnel.
- Remote Desktop will only work if a user is currently logged in to Gnome
- Leaving a computer with an unattended Gnome session is not secure. It is recommended to use System-->Lock Screen and switch off the monitor when the computer is left unattended.
- Enable Remote Desktop (VNC):
System --> Preferences --> Remote Desktop
Remote Desktop Preferences
Sharing ->
  Allow other users to view your desktop (Checked)
  Allow other users to control your desktop (Checked)
Security ->
  Ask you for confirmation (Un-Checked)
  Require the user to enter this password: (Checked)
  Password: Specify the password
How to connect into a remote desktop or VNC host from an Ubuntu/Linux machine
- Read #General Notes
- If the remote host is an Ubuntu machine, it must have Remote Desktop configured (read #How to configure a Remote Desktop host)
- If the remote host is a Windows machine, it must be running a VNC server such as TightVNC server.
- In this example, the remote host computer has an IP address on the LAN of 192.168.0.2.
vncviewer -fullscreen 192.168.0.2
The -fullscreen option creates a fullscreen replica of the remote computer's screen on your screen. To run the viewer in a window, do not add this option.
- To quit vncviewer
Press 'F8' -> Quit viewer
How to connect into a remote Ubuntu desktop host from a Windows machine
- Read #General Notes
- The remote Ubuntu host must have Remote Desktop configured (read #How to configure a Remote Desktop host)
- Note: This method is not encrypted and should not be used outside of a LAN unless secured through an SSH (or VPN) tunnel. Opening a VNC server on port 5900 to the Internet is very risky.
- Port 5900 should be opened for use within your LAN only. If more than one VNC/Remote Desktop session is to be used, you must open more ports (5901, 5902, etc.). In Firestarter, this can be done by selecting the appropriate ports (5900-5904, for example) and restricting this port range for incoming and outgoing usage to your LAN (192.168.0.1/24, for example). See Wikipedia port forwarding and the Firestarter instructions.
- Several VNC clients are available for Windows. Download and install one.
- TightVNC: http://www.tightvnc.com/ (Recommended. Best for low bandwidth solutions such as DSL or wireless.)
- RealVNC: http://www.realvnc.com/products/personal/ (The original VNC. Also available in an enterprise edition.)
- DotNetVNC: http://dotnetvnc.sourceforge.net/ (Requires the Microsoft DotNet framework.)
- Run the VNC application. You can enter the IP address of your remote computer (192.168.0.2 in the example) in any of these formats:
- 192.168.0.2
- 192.168.0.2:0 (assuming this is the first connection. Use 192.168.0.2:1 for the second connection, and so on.)
- 192.168.0.2:5900 (assuming this is the first connection. Use 192.168.0.2:5901 for the second connection, and so on.)
If you wish to connect with VNC over the Internet, you must tunnel VNC through SSH (or VPN). Ubuntu has the OpenSSH server installed by default, but the service must be started. PuTTY is an SSH client for Windows that will connect to OpenSSH. Once an SSH tunnel is established, VNC can be run through the SSH tunnel port (and not port 5900) in an encrypted, secure fashion.
How to connect into a remote Ubuntu desktop host from OS X
- Read #General Notes
- Remote Ubuntu host machine must have Remote Desktop configured (read #How to configure a Remote Desktop host)
- Note: This method is not encrypted and should not be used outside of a LAN unless secured through an SSH (or VPN) tunnel. Opening a VNC server on port 5900 to the Internet is very risky.
- Port 5900 should be opened for use within your LAN only. If more than one VNC/Remote Desktop session is to be used, you must open more ports (5901, 5902, etc.). In Firestarter, this can be done by selecting the appropriate ports (5900-5904, for example) and restricting this port range for incoming and outgoing usage to your LAN (192.168.0.1/24, for example). See Wikipedia port forwarding and the Firestarter instructions.
- Download and install:
ChickenOfTheVNC: http://sourceforge.net/projects/cotvnc/
- Run the VNC application. You can enter the IP address of your remote computer (192.168.0.2 in the example) in any of these formats:
- 192.168.0.2
- 192.168.0.2:0 (assuming this is the first connection. Use 192.168.0.2:1 for the second connection, and so on.)
- 192.168.0.2:5900 (assuming this is the first connection. Use 192.168.0.2:5901 for the second connection, and so on.)
If you wish to connect with VNC over the Internet, you must tunnel VNC through SSH (or VPN). Ubuntu has the OpenSSH server installed by default, but the service must be started. MacSSH is an SSH client for OS X that will connect to OpenSSH. Once an SSH tunnel is established, ChickenOfTheVNC can be run through the SSH tunnel port (and not port 5900) in an encrypted, secure fashion.
How to Run a Windows machine from Ubuntu securely using VNC
- By itself, VNC is not a secure solution over the internet. SSH (or VPN) tunneling is recommended in combination with VNC. OpenSSH is the SSH hosting/tunneling package used for both Ubuntu and Windows. OpenSSH is installed by default in Ubuntu, but must be installed (with Cygwin) on a Windows machine.
- To set up a secure SSH tunnel on a Windows machine, you should set up Cygwin (a mini-Linux installation for Windows) first, selecting OpenSSH under Cygwin as part of the installation process. Read Installing OpenSSH and Cygwin on Windows. Follow the instructions exactly.
- Make sure you open the appropriate ports in IPTables (using Firestarter, for example) for SSH tunneling on your Ubuntu client. Also open the port in the Windows Firewall for your Windows host. Port 22 is the standard SSH port, but if you want extra security, you can change the SSH port (see the OpenSSH configuration instructions) to an alternate port number. Make sure the router on your host LAN forwards the chosen SSH port (e.g. 22) to the Windows host computer. For example, if your Windows SSH host on your LAN is at 192.168.0.71, your router must forward port 22 to 192.168.0.71. (If you have multiple SSH hosts on your LAN, each individual host can have its own dedicated SSH port to be forwarded by the router. Change the OpenSSH configuration file on each host to reflect the chosen dedicated alternate SSH port number.)
- Read #How to SSH into remote Ubuntu host. When you request an SSH tunnel from your remote Ubuntu client, you must SSH to the IP address of the router, not the host. If the router's IP address changes dynamically, you must set up Dynamic DNS addressing for the host LAN through a service such as DynDNS. You would then create the SSH tunnel to the DynDNS URL assigned to your LAN instead of to the actual IP address (which constantly changes with dynamic IP addressing).
- When the SSH tunnel has been confirmed as working all the way to your Windows host on your LAN, install a VNC server on the Windows host machine. TightVNC Server is recommended. Read the TightVNC instructions for tunneling over SSH.
- Read #Using SSH to Port Forward. Create a tunnel over SSH for port 5900 (the port that VNC uses by default) to either your host LAN's static IP or to the DynDNS URL you have set up. This will direct any calls to port 5900 from the remote Ubuntu client through the SSH tunnel, instead of sending them over the Internet directly over port 5900 (a risky proposition).
ssh -L <local port>:<remote computer>:<remote port> <user>@<remote ip>
- In this example, port 5900 is used locally for VNC on both the host and client computers, but data is passed through the SSH tunnel (on port 22 by default). The user named foowho has an account on the host computer. The host is on a LAN that has dynamic IP addressing through the DynDNS service and has a URL foobar.dyndns.org. The router forwards port 22 to the host, where the TightVNC server is listening on remote port 5900.
ssh -L 5900:foobar.dyndns.org:5900 foowho@foobar.dyndns.org
- In this example, port 5900 is again used by VNC on both sides of the tunnel. This time the host LAN has a static IP address of 94.97.2.18. The host OpenSSH is set to listen on port 11022 in the sshd_config file. The TightVNC server is listening on remote port 5900.
ssh -L 5900:94.97.2.18:5900 foowho@94.97.2.18 -p 11022
- On your Ubuntu remote machine, VNC to 127.0.0.1, the loopback address.
vncviewer 127.0.0.1
VNCViewer will then (by default) look for local port 5900 on the loopback address, where the SSH tunnel from the previous step is listening. The Ubuntu SSH client will now send the VNC connection data over port 22 (instead of over port 5900) to the Windows OpenSSH host server, which is listening on port 22 (unless you have changed it). The Windows OpenSSH server (in Cygwin) will then internally redirect port 5900 communications to the TightVNC server on your Windows host. By using this tunnel for all VNC/port 5900 communications, port 5900 on your router need never be open to the Internet, since all port 5900 communications are handled only locally on each end and sent over the Internet through the tunnel. In fact, port 5900 ought to remain closed on your router, to prevent non-secure VNC connection attempts from the Internet (by hackers/crackers).
- Routine usage requires starting the SSH tunnel to your Windows host first, then starting the VNC client (vncviewer 127.0.0.1). You can write a simple two-line script file to automate the process.
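One way to write the script mentioned above, as an added example that is not part of the original page. It uses the page's example user and DynDNS name, and it assumes the VNC server runs on the same machine as the SSH server, so the forward target is 127.0.0.1 as seen from that host; the script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: start the SSH tunnel, then the viewer.
# Values below are the page's example names; edit them for your own hosts.
SSH_USER="foowho"
SSH_HOST="foobar.dyndns.org"   # router's DynDNS name; the router forwards SSH_PORT
SSH_PORT=22
VNC_PORT=5900                  # used on both ends of the tunnel, as on the page

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The -L destination is resolved by the SSH server, so 127.0.0.1 here is the
# VNC server on the SSH host itself; the local listener binds to loopback only.
# ExitOnForwardFailure makes ssh fail if the local port is already taken.
# "sleep 10" keeps ssh alive long enough for the viewer to connect; ssh then
# exits by itself once the forwarded VNC connection closes.
tunnel_cmd() {
    printf 'ssh -f -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:127.0.0.1:%s %s@%s sleep 10\n' \
        "$SSH_PORT" "$VNC_PORT" "$VNC_PORT" "$SSH_USER" "$SSH_HOST"
}

# VNC display N corresponds to TCP port 5900+N.
viewer_cmd() {
    printf 'vncviewer 127.0.0.1:%s\n' "$((VNC_PORT - 5900))"
}

main() {
    valid_port "$SSH_PORT" && valid_port "$VNC_PORT" && [ "$VNC_PORT" -ge 5900 ] ||
        { echo "invalid port setting" >&2; return 1; }
    # Word splitting of the command strings is intended here.
    $(tunnel_cmd) || { echo "tunnel failed; viewer not started" >&2; return 1; }
    $(viewer_cmd)
}

# Usage (vnc-tunnel.sh is a hypothetical file name): sh vnc-tunnel.sh connect
if [ "${1:-}" = "connect" ]; then main; fi
```

Because the viewer is started only after ssh reports success, a failed tunnel never results in an unencrypted VNC connection attempt.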

