[Tfug] SSH/SSL question...

Jeff Breadner jeff at breadner.net
Thu Mar 20 22:29:24 MST 2008


Jim March wrote:
> What I need to make sure of is, is it possible for me to get in and 
> run via a Gnome desktop that is viewable identically at both ends?  
> What I have to avoid is a situation where I have one console session 
> and he has another.  Running my side as a different user is a no-go, I 
> have to do access as his user account to adjust the settings HE sees.  
> This guy is going to be new to Linux :).

x11vnc (http://www.karlrunge.com/x11vnc/) will export the console login
session via VNC (default port 5900), at whatever resolution his desktop
is running at.  To encrypt the session, you could either ssh to another
machine on his network and forward back the 5900 port from the machine
you wish to control, or he could trust you to connect directly to that
machine with ssh -n (to prevent you from getting a console on the ssh
connection that is forwarding the VNC port back).  Something like the
following should work:

On his machine, have him log in, start a shell, and run:

sudo apt-get install x11vnc (if it's not installed already)
x11vnc -display :0

On your machine:

ssh -L5900:localhost:5900 -n -2 non_root_user@remote.machine

then, in a different window:

vncviewer localhost

The VNC session you get will be his console login session, you'll both
have control, and he can kill the session at any time by killing the
x11vnc program.

I'm assuming he's exposing his SSH port (TCP/22) directly to the
Internet.  If he doesn't trust you to ssh -n yourself then he could
probably give you an ssh key that is restricted to non-interactive
shells, but that's beyond the scope of this email :)

If he's realllly concerned about you having ANY unmonitored access, then
simply trusting you to ssh -n is probably going to be inadequate because
while you're controlling the main desktop session via VNC, you could
start up an unmonitored SSH connection and do other stuff on the side
without him being able to tell.  To address this, you'll either have to
hop in through another machine on his network running SSH (one that
doesn't have sensitive material on it, a Windows box running a live
linux CD should suffice), or we'll have to figure out the shell-less SSH
key thing.

cheers
  Jeff
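The post leaves the "shell-less SSH key" idea as an exercise, and the x11vnc and ssh invocations above also leave port 5900 listening on all of the helped machine's interfaces. The script below is an added example, not part of the original mail or of x11vnc/OpenSSH, showing one way to put those pieces together: an authorized_keys entry that can only open the one forward to the VNC port (using the `restrict`, `port-forwarding`, `permitopen` and `command` options from sshd's authorized_keys format), x11vnc bound to loopback so the VNC port is reachable only through the tunnel, and the helper's ssh command using `-N` (request no remote command at all) rather than `-n`. The public key, the user name `helper` and the host `remote.machine` are placeholders; the port stays at the post's 5900.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a tunnel-only SSH key
# entry for the helped user's ~/.ssh/authorized_keys plus the matching
# commands for both sides. Assumptions: the helper's public key is passed as
# the first argument; VNC stays on 5900; user/host names are placeholders.

VNC_PORT=5900

# Helped user's side: authorized_keys line that lets this key do nothing but
# open the one local forward to the VNC listener.
#   restrict              disables pty, agent/X11/port forwarding, ~/.ssh/rc
#   port-forwarding       re-enables forwarding after restrict
#   permitopen=...        limits -L destinations to localhost:5900
#   command="/bin/false"  any session request (a shell, "ssh host cmd") exits
#                         at once; with "ssh -N" no session is requested and
#                         only the forward stays up
restricted_authorized_keys_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitopen="localhost:%s",command="/bin/false" %s\n' \
        "$VNC_PORT" "$pubkey"
}

# Helped user's side: x11vnc on the console display, listening on loopback
# only, so the VNC port is reachable solely through the SSH forward.
x11vnc_command() {
    printf 'x11vnc -display :0 -localhost -shared -forever -rfbport %s\n' "$VNC_PORT"
}

# Helper's side: -N requests no remote command, -L brings the remote loopback
# VNC port back to this machine; then "vncviewer localhost" as in the post.
ssh_tunnel_command() {
    user="$1"; host="$2"
    printf 'ssh -N -L %s:localhost:%s %s@%s\n' "$VNC_PORT" "$VNC_PORT" "$user" "$host"
}

# Check an existing authorized_keys line: succeeds only if every restriction
# above is present (a plain key line with no options fails).
check_authorized_keys_line() {
    line="$1"
    case "$line" in restrict,*) ;; *) return 1 ;; esac
    case "$line" in *",port-forwarding,"*|*",port-forwarding "*) ;; *) return 1 ;; esac
    case "$line" in *"permitopen=\"localhost:$VNC_PORT\""*) ;; *) return 1 ;; esac
    case "$line" in *'command="'*) ;; *) return 1 ;; esac
    return 0
}

# Usage: sh vnc_tunnel.sh "$(cat helper_key.pub)" [user] [host]
if [ "$#" -ge 1 ]; then
    restricted_authorized_keys_line "$1"
    x11vnc_command
    ssh_tunnel_command "${2:-helper}" "${3:-remote.machine}"
fi
```

The helped user pastes the first output line into his `~/.ssh/authorized_keys` and runs the x11vnc line; the helper runs the ssh line and then `vncviewer localhost`. Because the forced command ends any session immediately and `permitopen` limits forwards to the VNC port, the side channel the post worries about (a second, unmonitored shell over the same key) is closed at the server rather than left to the helper's good behaviour; the key can be deleted from authorized_keys when the help session is over.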
