JP Vossen on 30 Aug 2008 14:14:55 -0700

> Date: Sat, 30 Aug 2008 15:18:01 -0400
> From: "Brian Vagnoni" <bvagnoni@v-system.net>
> Subject: Re: [PLUG] Question about Remote Desktop through a NAT
<snip>
> However, if your Dad's wireless router is a Linksys that is from this
> decade it no doubt has a remote admin port that simply needs to be
> activated so that you can connect and configure his device for him.

Huh? Are you suggesting that he open up administration of the WAP/FW/Router to the Internet?!? What the heck are you smoking?!? Or correct me if I misinterpreted...

+1 for the reverse SSH idea, it's really easy, and it will work great.
-1 for the OpenVPN idea, it's overkill and more complicated.
-8 (That's infinity, not eight) for opening up the FW to Internet admin.

OP already said he has a static IP on his side, so this couldn't be easier.

Dad's side, one time only [[NOT TESTED, but correct or very close, remove leading tab for content]]:

vi ~/.ssh/config
	Host tshoot
	HostName {OP static IP here, or hostname}
	Port 2222
	User {whatever}
	Compression yes
	ServerAliveInterval = 100
	RemoteForward {OP static IP here, or hostname}:5900
	localhost:5900

(Last 2 lines should be 1 line, it just wrapped)

OP side, one time only: Port forward 2222 to appropriate internal machine 22 [1].

To use, have Dad run 'ssh -F ~/.ssh/config tshoot' and type in the password. Yes, other people mentioned using SSH certs and you certainly can use them, but a plain old password is easier to get running up front and will avoid accidentally making the connection. And using SSH certs correctly (i.e. *with* a password and SSH Agent), is even more of a pain, relatively speaking [2]. Make the command an icon (launcher) if you like [3].

Once he's made the connection to you, and has the VNC server running on his side, you VNC to 'localhost' and that's it.

You may or may not need the '-F ~/.ssh/config' part. When I was doing the opposite of this 2 weeks ago on Ubuntu 8.04 I needed it, but I never bothered to figure out why. There's probably a trivial way to make it unnecessary. Other distros may vary but OP mentioned Ubuntu.

Later,
JP

[1] Some will argue that using 2222 is "security by obscurity" and thus a bad idea. It isn't. It's simply an extra layer to keep a lot of the script kiddies away. The actual security is provided by SSH itself. Also, 2222 is just an example, use whatever.

[2] _bash Cookbook_ recipe 14.21 (pages 308-316, which gives you an idea of the "ease" of use issues) and/or Google for the 'keychain' script originally in Gentoo, and/or Google for 'SSH Agent'.

[3] Launcher:
	gnome-terminal -x /usr/bin/ssh -F ~/.ssh/config tshoot
This will NOT do what you expect/want:
	/usr/bin/ssh -F ~/.ssh/config tshoot

----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
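
An added check, not part of JP's message or anyone's code from the thread: the RemoteForward line in the message names a non-loopback listen address, which sshd honours only when GatewayPorts on the receiving server allows it (with the default "GatewayPorts no" the forwarded port stays on loopback). The script below lists every RemoteForward in an ssh_config and marks listen addresses other than loopback for review; the sample config, the extra Host aliases and the 203.0.113.10 address are constructed.

```shell
#!/bin/sh
# Added example: audit the listen side of RemoteForward lines in an ssh_config.
# Output per forward: "<Host alias> <listen spec> <loopback|review>"
audit_remote_forwards() {
    awk '
    {
        sub(/^[ \t]+/, "")                        # drop indentation
        if ($0 == "" || $0 ~ /^#/) next           # skip blanks and comments
        line = $0
        if (line ~ /^[A-Za-z]+[ \t]*=/)           # "Keyword = value" form
            sub(/[ \t]*=[ \t]*/, " ", line)
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])
        if (key == "host") { host = f[2]; next }
        if (key != "remoteforward" || n < 3) next
        listen = f[2]
        verdict = "loopback"                      # port only: sshd binds loopback
        if (listen ~ /:/) {
            bind = listen
            sub(/:[0-9]+$/, "", bind)             # strip trailing :port
            gsub(/^\[|\]$/, "", bind)             # strip [] around IPv6
            if (bind != "localhost" && bind != "127.0.0.1" && bind != "::1")
                verdict = "review"                # reachable if GatewayPorts allows
        }
        print host, listen, verdict
    }' "${1:--}"
}

# Constructed sample input (203.0.113.10 is a documentation address).
sample_config() {
    cat <<'EOF'
Host tshoot
    HostName 203.0.113.10
    Port 2222
    ServerAliveInterval = 100
    RemoteForward 203.0.113.10:5900 localhost:5900
Host tshoot-safe
    RemoteForward localhost:5900 localhost:5900
Host tshoot-portonly
    RemoteForward = 5900 localhost:5900
Host tshoot-any
    RemoteForward *:5900 localhost:5900
EOF
}

sample_config | audit_remote_forwards
```

Run it against a real file with `audit_remote_forwards ~/.ssh/config`; any "review" line is worth pairing with a look at GatewayPorts in the receiving server's sshd_config.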