Posts Tagged by Ssh
vnc ssh tunnel for remote graphical support
| 07-Jul-2012 | Posted by Sonia Hamilton under dns, Ssh, Vnc |
I was doing remote internet support the other day for a friend in England (and noticing how cheap their internet access is eg a fast unlimited O2 package is £21 ($AU31) versus the $AU60-80 we pay in Australia). Here’s how I connect remotely to the person’s desktop in graphical mode, using vnc and an ssh tunnel.
1. I set up a dyndns client (e.g. dyndns, tinydyndns, ez-ipupdate) so I can connect to the changing IP address of their machine by a DNS name, e.g. fredbox.dyndns.org
local% sudo apt-get install ez-ipupdate
2. I copy my ssh key to their account – this way I’ll always have access and they can change their password in the future:
local% ssh-copy-id fred@fredbox.dyndns.org
3. I want to connect to vnc running on their desktop, so I can see what they see. But vnc runs on port 5900 and I don’t want to leave that open to the Internet. So I build an ssh tunnel, and start up vnc on the remote machine:
local% ssh -L 5900:localhost:5900 fred@fredbox.dyndns.org
fredbox% x11vnc -safer -usepw -localhost -once -noxdamage \
-nowf -ncache 0 -scale 2/3 -display :0
4. And finally, I start up my vncviewer on my local Linux/Mac machine, and enter my vnc password when prompted:
local% vncviewer -encodings "copyrect tight zrle hextile" \
-bgr233 -compresslevel 5 localhost
So here’s a little script that brings it all together:
#!/bin/bash
# kill any previous/hung vnc's
ssh fred@fredbox.dyndns.org 'pkill x11vnc'
ssh -f -L 5900:localhost:5900 fred@fredbox.dyndns.org \
'x11vnc -safer -usepw -localhost -once -noxdamage \
-nowf -ncache 0 -scale 2/3 -display :0' \
&& sleep 5 \
&& vncviewer -encodings "copyrect tight zrle hextile" \
-bgr233 -compresslevel 5 localhost
Denyhosts for sshd – usernames dictionary
| 03-Feb-2012 | Posted by Sonia Hamilton under Ssh |
I’ve just set up the venerable denyhosts on one of my servers, to stop the usual script-kiddies from filling up my logs (I’m not particularly worried about them getting in…).
Anyway, here is restricted-usernames.gz, a list of denied usernames from the log – handy to add to your denyhosts restricted-usernames file. There’s probably a better dictionary of usernames out there – I’ll attach it if I stumble upon it.
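One way to build such a list from your own auth log, as an added example (not the script used to produce restricted-usernames.gz). It assumes OpenSSH's "Invalid user NAME from ADDR" log wording and a restricted-usernames file with one username per line; the function names `extract_invalid_users` and `sample_log` are hypothetical and the log lines are constructed.

```bash
#!/bin/bash
# Added example, not from the original post.
# extract_invalid_users ALLOW [MIN] reads an sshd auth log on stdin and prints
# usernames sshd rejected as invalid, most frequent first, one per line.
#   ALLOW  whitespace-separated accounts that must never be listed
#   MIN    minimum number of matching log lines (default 1)
extract_invalid_users() {
    ALLOW="$1" MIN="${2:-1}" awk '
        BEGIN {
            n = split(ENVIRON["ALLOW"], a)
            for (k = 1; k <= n; k++) keep[a[k]] = 1
            min = ENVIRON["MIN"] + 0
        }
        / sshd\[[0-9]+\]: / {
            # Matches "Invalid user NAME from" and
            # "Failed password for invalid user NAME from".
            for (i = 1; i < NF; i++) {
                if (tolower($i) == "invalid" && $(i+1) == "user" && $(i+3) == "from") {
                    name = $(i+2)
                    # The name is attacker-controlled: accept only plain
                    # account-name characters, and skip protected accounts.
                    if (name ~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ && !(name in keep)) count[name]++
                    break
                }
            }
        }
        END { for (u in count) if (count[u] >= min) print count[u], u }
    ' | LC_ALL=C sort -k1,1nr -k2,2 | awk '{ print $2 }'
}

# Constructed sample log lines (documentation IP ranges, made-up hosts).
sample_log() {
    cat <<'EOF'
Feb  3 10:00:01 host sshd[1001]: Invalid user oracle from 203.0.113.5
Feb  3 10:00:03 host sshd[1001]: Failed password for invalid user oracle from 203.0.113.5 port 40022 ssh2
Feb  3 10:00:09 host sshd[1002]: Invalid user test from 198.51.100.7
Feb  3 10:00:12 host sshd[1003]: Failed password for root from 203.0.113.5 port 40030 ssh2
Feb  3 10:00:15 host sshd[1004]: Invalid user fred from 198.51.100.7
Feb  3 10:00:20 host sshd[1005]: Invalid user a b from 198.51.100.7
Feb  3 10:00:21 host sshd[1006]: Invalid user oracle from 198.51.100.9
Feb  3 10:00:30 host CRON[1007]: pam_unix(cron:session): session opened for user root
EOF
}

# Demo: "root" and "fred" are accounts in real use and stay off the list.
sample_log | extract_invalid_users "root fred"
```

On a real host, run it as `extract_invalid_users "$(cut -d: -f1 /etc/passwd)" < /var/log/auth.log` and review the output before appending it to restricted-usernames, since an account that legitimately logs in on any server sharing the list should not appear in it.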
ssh – DISPLAY is not set – Failed to allocate internet-domain X11 display socket
| 06-Nov-2011 | Posted by Sonia Hamilton under Ssh, Ubuntu |
A little ssh error I came across while trying to work remotely on an Ubuntu machine. ssh X Display Forwarding wasn’t working, and I was getting an error:
DISPLAY is not set
Digging through /var/log/auth.log, I also noticed this error:
Failed to allocate internet-domain X11 display socket
After much Googling, it seems that IPv6 was causing the problem. It was solved by adding:
AddressFamily inet
to /etc/ssh/sshd_config, and restarting the ssh server.
rsyncp – provide ssh password to rsync using expect
| 28-Jul-2011 | Posted by Sonia Hamilton under Expect, Rsync, Ssh |
A script I wrote – rsyncp. It allows you to provide a password to rsync over ssh, when you’re unable to use ssh key-based authentication:
% cat ~/bin/rsyncp
#!/usr/bin/expect
eval spawn rsync $argv
expect "*?assword:" { send "secretstuff\r"}
expect eof
You can then use rsyncp in another script, like this:
for h in foo bar ; do
    rsyncp -av --progress srcdir/ $h:dstdir/
done
And before you add a comment saying use ssh keys or keychain, this is totally insecure, I agree with you! Key based authentication is disabled on the target server, and I’m still trying to resolve the politics around this at my current company, and sshpass seems broken <sigh>
ssh – fix long login times – disable Kerberos
| 23-Jun-2011 | Posted by Sonia Hamilton under Ssh |
If ssh logins are taking a long time (but are ultimately successful), it may be because Kerberos (gssapi) is being attempted as an authentication method, and the destination is incorrectly configured (often seems to be CentOS or RHEL):
% ssh -v foo
...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
                                                     ^^^^^^^^^^^^^^^
Quick fix: disable Kerberos on the client:
% cat ~/.ssh/config
...
GSSAPIAuthentication no
Of course the problem could also be DNS or other network issues. Thanks to Waiting for SSH login prompt.