[Tfug] SSH/SSL question...

Jim March 1.jim.march at gmail.com
Fri Mar 21 12:00:44 MST 2008


On Thu, Mar 20, 2008 at 10:29 PM, Jeff Breadner <jeff at breadner.net> wrote:

> Jim March wrote:
> > What I need to make sure of is, is it possible for me to get in and
> > run via a Gnome desktop that is viewable identically at both ends?
> > What I have to avoid is a situation where I have one console session
> > and he has another.  Running my side as a different user is a no-go, I
> > have to do access as his user account to adjust the settings HE sees.
> > This guy is going to be new to Linux :).
>
> x11vnc (http://www.karlrunge.com/x11vnc/) will export the console login
> session via VNC (default port 5900), at whatever resolution his desktop
> is running at.  To encrypt the session, you could either ssh to another
> machine on his network and forward back the 5900 port from the machine
> you wish to control, or he could trust you to connect directly to that
> machine with ssh -n (to prevent you from getting a console on the ssh
> connection that is forwarding the VNC port back).  Something like the
> following should work:
>
> On his machine, have him log in, start a shell, and run:
>
> sudo apt-get install x11vnc (if it's not installed already)
> x11vnc -display :0
>
> On your machine:
>
> ssh -L5900:localhost:5900 -n -2 non_root_user at remote.machine
>
> then, in a different window:
>
> vncviewer localhost
>
> The VNC session you get will be his console login session, you'll both
> have control, and he can kill the session at any time by killing the
> x11vnc program.
>
> I'm assuming he's exposing his SSH port (TCP/22) directly to the
> Internet.  If he doesn't trust you to ssh -n yourself then he could
> probably give you an ssh key that is restricted to non-interactive
> shells, but that's beyond the scope of this email :)
>
> If he's realllly concerned about you having ANY unmonitored access, then
> simply trusting you to ssh -n is probably going to be inadequate because
> while you're controlling the main desktop session via VNC, you could
> start up an unmonitored SSH connection and do other stuff on the side
> without him being able to tell.  To address this, you'll either have to
> hop in through another machine on his network running SSH (one that
> doesn't have sensitive material on it, a Windows box running a live
> linux CD should suffice), or we'll have to figure out the shell-less SSH
> key thing.
>
> cheers
>  Jeff
>

Ug.  Problem: he has just one PC attached straight Ethernet to a cable
modem.  Setting up something better may be beyond him.

Is there any simpler solution?

Jim
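Added example, not from the thread: a POSIX shell helper that builds the "shell-less SSH key" Jeff mentions, an `authorized_keys` entry that lets the helper open only the x11vnc tunnel to port 5900, and a small audit function that rejects key lines lacking those restrictions. It assumes OpenSSH 7.2 or later on the remote machine (for the `restrict` option), x11vnc listening on 127.0.0.1:5900 there, and that the helper connects with `ssh -N -L 5900:127.0.0.1:5900 user@remote.machine`; the key material below is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Emit an authorized_keys line that allows only the VNC port forward.
#   restrict        : no pty, no agent/X11/port forwarding, no user rc
#   port-forwarding : re-enable forwarding, but permitopen pins the target
#   command=        : if the client does request a session (no -N), the
#                     forced command runs instead of a shell; sleep keeps
#                     the tunnel up for 4 hours, then the connection drops
forward_only_key() {
  pubkey="$1"          # e.g. "ssh-ed25519 AAAA... jim@laptop"
  port="${2:-5900}"    # x11vnc default port
  printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s",command="sleep 14400" %s\n' \
    "$port" "$pubkey"
}

# Audit one authorized_keys line: succeed (0) only if all three protections
# are present in the options prefix, i.e. the text before " ssh-" (assumes
# an ssh-rsa/ssh-ed25519 style key type, which is what this thread uses).
is_forward_only() {
  line="$1"
  opts="${line%% ssh-*}"
  case "$opts" in *restrict*)    ;; *) return 1 ;; esac
  case "$opts" in *permitopen=*) ;; *) return 1 ;; esac
  case "$opts" in *command=*)    ;; *) return 1 ;; esac
  return 0
}

# Constructed sample key (placeholder, not a real key). A bare key line like
# this grants a full login shell; the generated line does not.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000 jim@laptop'
forward_only_key "$SAMPLE_KEY"
```

Append the printed line to `~/.ssh/authorized_keys` on his machine; killing x11vnc still ends the shared session, and the key can do nothing else.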