JP Vossen on 30 Aug 2008 14:14:55 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Question about Remote Desktop through a NAT

 > Date: Sat, 30 Aug 2008 15:18:01 -0400
 > From: "Brian Vagnoni" <>
 > Subject: Re: [PLUG] Question about Remote Desktop through a NAT

 > However, if you Dad's wireless router is a Linksys that is from this
 > decade it no doubt has a remote admin port that simply needs to be
 > activated so that you can connect and configure his device for him.

Huh?  Are you suggesting that he open up administration of the 
WAP/FW/Router to the Internet?!?  What the heck are you smoking?!?  Or 
correct me if I misinterpreted...

+1 for the reverse SSH idea, it's really easy, and it will work great.
-1 for the OpenVPN idea, it's overkill and more complicated.
-8 (That's infinity, not eight) for opening up the FW to Internet admin

OP already said he has a static IP on his side, so this couldn't be easier.

Dad's side, one time only [[NOT TESTED, but correct or very close, 
remove  leading tab for content]]:
     vi ~/.ssh/config
	Host tshoot
	    HostName {OP static IP here, or hostname>
	    Port 2222
	    User {whatever}
	    Compression yes
	    ServerAliveInterval = 100
	    RemoteForward {OP static IP here, or hostname>:5900    localhost:5900

(Last 2 lines should be 1 line, it just wrapped)

OP side, one time only:
	Port forward 2222 to appropriate internal machine 22 [1].

To use, have Dad run 'ssh -c ~/.ssh/config tshoot' and type in the 
password.  Yes, other people mentioned using SSH certs and you certainly 
can use them, but a plain old password is easier to get running up front 
and will avoid accidentally making the connection.  And using SSH certs 
correctly (i.e. *with* a password and SSH Agent), is even more of a 
pain, relatively speaking [2].  Make the command an icon (launcher) if 
you like [3].  Once he's make the connection to you, and has the VNC 
server running on his side, you VNC to 'localhost' and that's it.

You may or may not need the '-c ~/.ssh/config' part.  When I was doing 
the opposite of this 2 weeks ago on Ubuntu 8.04 I needed it, but I never 
bothered to figure out why.  There's probably a trivial way to make it 
unnecessary.  Other distros may vary but OP mentioned Ubuntu.


[1] Some will argue that using 2222 is "security by obscurity" and thus 
a bad idea.  It isn't.  It's simply an extra layer to keep a lot of the 
script kiddies away.  The actual security is provided by SSH itself. 
Also, 2222 is just an example, use whatever.

[2] _bash Cookbook_ recipe 14.21 (pages 308-316, which gives you an idea 
of the "ease" of use issues) and/or Google for the 'keychain' script 
originally in Gentoo, and/or Google for 'SSH Agent'.

[3] Launcher:
	gnome-terminal -x /usr/bin/ssh -c ~/.ssh/config tshoot
This will NOT do what you expect/want:
	/usr/bin/ssh -c ~/.ssh/config tshoot
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --