Last time, I covered some different ways of using SSH for remote access on a LAN or over the Internet, using RSA keys for secure authentication, and how to use GNU Screen to keep a process running after disconnecting your SSH session.  This time, I’ll talk about using SSH with X11 forwarding, using VNC with SSH, and making it all run faster by adding compression and changing the cipher of your SSH session.

X11 forwarding is a feature built into X which enables you to make use of graphical applications running on a server from another computer over the network (if the server has a GUI).  This technology enables you to use graphical tools to change settings or view files on the remote computer, or to forward graphical applications to your workstation which you might not otherwise have the ability (or desire) to install.  The forwarded applications will actually be running on the server, so your local computer will have its processor and memory free for other things.  To use X11 forwarding in Ubuntu, just add the -X flag to your SSH command like so:

ssh -X remoteuser@<remote IP address>

Easy, huh?  Now that you’re logged into the remote computer, you can try typing “nautilus” to launch the graphical File Manager.  Notice that the files displayed are those on the remote system, and not your local machine.  You could also try running “evince” to read some PDFs you have on the server, or “eog” to browse your photo collection remotely.  You get the idea.  I find that forwarding VirtualBox is very useful.  Doing so enables you to use or administer Virtual Machines residing on your server, without having to install any software locally, and without taking up a big chunk of your memory.

X11 forwarding is very useful for making use of specific applications, but if you need remote access to the entire desktop you can use VNC.  VNC can be run over SSH in a variety of configurations, but I’ll show you one really easy way which uses X11 forwarding.   Before this will work, VNC access needs to be enabled on the remote computer.  You will also need the xtightvncviewer package installed.  You can install it from the command line by typing “sudo aptitude install xtightvncviewer”.  Now that you know how to use X11 forwarding, you can easily set up Ubuntu’s default VNC client Vino by SSHing into the remote system (remember the -X flag) and running the command “vino-preferences”.  On the General tab, all boxes should be checked except for “Ask you for confirmation”, and of course, setting a decent password is always a good idea.  After this is all set up, you can start VNC with the command “vncviewer localhost” from an existing connection, or in a single command from your local machine like this:

ssh -X user@<IP address> vncviewer localhost

While X11 forwarding can be extremely useful, it can also be quite slow, particularly across slower network connections or over the Internet.  To speed things up, you can instruct SSH to use compression (employing the same algorithm used by gzip) by adding the -C flag to your SSH command.

ssh -C user@<IP address>

You can also opt to use a faster but less secure cipher if you are willing to sacrifice some of the SSH connection’s security in exchange for increased performance.  There are a variety of ciphers available.  The default cipher used by SSH is AES (the Advanced Encryption Standard) which is extremely secure, and is approved for top secret information by the NSA.  However, it isn’t the fastest available.  A faster and still quite secure cipher is Blowfish, which is a good compromise if AES is too slow but you still want to keep the connection secure.  An even faster, but less secure cipher is Arcfour.  Arcfour has a few known vulnerabilities, but is still being used in WEP and WPA Wi-Fi encryption, Microsoft’s RDP protocol, and a number of other cryptosystems in spite of its flaws.

So, to use SSH with the speedier but still secure blowfish cipher, you would type:

ssh -c blowfish-cbc user@<IP address>

If you wanted to use Arcfour:

ssh -c arcfour user@<IP address>

Therefore, to connect to the remote system using SSH with X11 forwarding enabled, plus compression and the fast arcfour cipher, use:

ssh -c arcfour -XC user@<IP address>
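
An added example, not part of the original post: OpenSSH 7.6 and later removed the arcfour and blowfish-cbc ciphers, so a client configuration that pins them fails against current software. The hypothetical helper below scans ssh_config text (the sample config and host names are constructed) and lists every host entry that still enables one of them.

```shell
#!/usr/bin/env bash
# Added example: find ssh_config entries that enable arcfour or blowfish-cbc.

# Constructed sample config (not from the original post).
SAMPLE_CONFIG='Host homeserver
    HostName 192.0.2.10
    Compression yes
    ForwardX11 yes
    Ciphers arcfour,blowfish-cbc,aes128-ctr

Host backup
    Ciphers=+blowfish-cbc

Host laptop
    # a leading "-" removes ciphers, so this line must not be flagged
    Ciphers -arcfour,aes256-ctr
'

# Reads ssh_config text on stdin and prints "<host> <cipher>" for each
# legacy cipher a Ciphers line enables. Only the first Host pattern is shown.
legacy_ciphers() {
    awk '
        BEGIN { host = "*" }                      # settings before any Host line are global
        /^[ \t]*#/ { next }                       # comment lines
        { sub(/=/, " "); key = tolower($1) }      # "Keyword=value" form, case-insensitive keyword
        key == "host" { host = $2; next }
        key == "ciphers" {
            list = $2
            if (list ~ /^-/) next                 # "-" prefix: ciphers removed from the defaults
            sub(/^[+^]/, "", list)                # "+" or "^" prefix: ciphers added to the defaults
            n = split(list, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] ~ /^(arcfour|blowfish-cbc)/) print host, c[i]
        }
    '
}

printf '%s' "$SAMPLE_CONFIG" | legacy_ciphers
```

To check a real client, feed the function your own file, for example ~/.ssh/config or /etc/ssh/ssh_config.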

Well, I hope you’ve found this useful.  If you have any questions or suggestions, please feel free to comment!

Next time, I’ll finish up this series with some tips on using Bash aliases to simplify the commands involved, as well as a couple other useful things you can do with SSH.  Thanks for reading!

SSH, or Secure SHell, is probably the most useful tool I’ve discovered since I switched to Ubuntu.  SSH enables you to remotely access other computers over a network, or over the Internet.  It is a secure replacement for TELNET, which although useful, transmits passwords in plain text.

OpenSSH is the FOSS implementation of SSH available in Ubuntu, which also includes SCP for secure copying across a network, and SFTP, a secure implementation of FTP (FTP also sends passwords in plain text).  In Ubuntu, you can go to Places > Connect to Server… to connect to another computer graphically through SSH to move files back and forth, but if you want to get the most out of SSH, you’ll need to use the command line.

First, you’ll need to have the ‘ssh’ package installed (this meta-package includes the openssh-client and openssh-server packages).   Open up a terminal and start by typing:

sudo aptitude install ssh

You’ll need to do the same on the computer you want to connect to.  Once SSH is installed on both systems, you can log in remotely like this:

ssh remoteuser@<remote IP address>

You will be prompted for remoteuser’s password on the remote computer (the server).  You can omit the username if the username and password match on the client (local) and the server (remote) computers.  From here you can browse the filesystem, edit configuration files, or even SSH into a third computer (the server becomes the client for the new connection).  Disconnect from an SSH session by typing “exit”.

You can also use SFTP and SCP for moving files back and forth between computers.  SFTP functions exactly the same as FTP.  Just type:

sftp remoteuser@<remote IP address>

At the prompt, type a ‘?’ for options.  “put” is used for uploading files, and “get” is used for downloading them.

Using SCP is similar to using the “cp” command in a terminal.

Download files from the remote computer:

scp remoteuser@<remote IP address>:/path/to/file /local/destination/

Or, upload files to the remote computer:

scp /local/path/to/file remoteuser@<remote IP address>:/remote/destination

Or, move files from one remote computer to another remote computer:

scp userA@<remote IP A>:/path/to/file userB@<remote IP B>:/path/to/destination

Just as you can use SSH to log in to a computer on a LAN, you can also use it to connect to a computer across the Internet.  This involves three additional steps:  Using secure authentication, getting the correct IP address, and setting up Port Forwarding.

Setting up your server for SSH access from any Internet connection is quite useful.  The bad news is that you are also making your computer fully accessible to anyone with your password and to EVERYONE with the ability to crack it.  This should concern you, because even if there is nothing valuable on your computer, an attacker can use your network as a springboard to attack other computer systems, effectively leaving your fingerprints at the crime scene.  The solution is to turn off password authentication, and log in automatically with an RSA key instead.  This step is essential for anyone who will be setting up port forwarding for SSH connections.

Very strong security using RSA key-based authentication is easy to set up and it only takes a few minutes.  You will be generating an RSA key on the computer you want to SSH from (the client), and passing the key to the computer you’ll be SSHing into (the server), which essentially makes your local computer the key to access your server.  After you’ve passed your key to the server you can turn off password authentication, keeping unwanted guests out of your server.  I’ve used this excellent post from Tombuntu.com as a quick reference for a while now, and I’m going to recommend you click the link for the instructions.
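
One way to confirm that password authentication is really off once the key is installed (an added example, not from the original post or the linked instructions; the function name and sample file are constructed): sshd uses the first value it reads for a keyword, so a “PasswordAuthentication no” appended below an earlier “yes” changes nothing.

```shell
#!/usr/bin/env bash
# Added example: report the PasswordAuthentication value sshd would use.

# Constructed sample sshd_config (not from the original post).
SAMPLE_SSHD='# Authentication
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
UsePAM yes
# appended later while hardening; it has no effect because "yes" came first
PasswordAuthentication no
'

# Reads sshd_config text on stdin and prints "yes" or "no": the global
# (outside any Match block) setting for PasswordAuthentication.
# The first value read wins; if the keyword is never set, the default is yes.
password_auth() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out lines do not count
        { sub(/=/, " "); key = tolower($1) }      # keywords are case-insensitive
        key == "match" { exit }                   # Match blocks are conditional; stop at the first
        key == "passwordauthentication" && !seen { seen = 1; val = tolower($2) }
        END { print (seen ? val : "yes") }
    '
}

# The sample still allows passwords, despite the "no" at the bottom.
printf '%s' "$SAMPLE_SSHD" | password_auth
```

On a real server, run it against /etc/ssh/sshd_config; files pulled in by an Include directive are not followed.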

To connect to a computer running on your home network, you will also need to know your (external) IP address.  The problem lies in the reality that most ISPs change the IP address of your Internet connection regularly.  Now, if there is someone at the remote computer, you can instruct them to go to http://www.whatsmyip.org/, and to instant message or email the IP address back to you, which makes things quite simple.  Obviously, this isn’t the most ideal system.  An easier way to set things up would be to use a Dynamic DNS service such as DynDNS.  This service attaches a static URL to your dynamic IP address.  The server keeps the URL up to date by listening to a device on your network which updates the server with your current IP address every minute or so.  Many home routers provide DynDNS support out of the box.  You can also set up a computer on your network to provide this service with these instructions.

The last requirement for enabling SSH connections over the Internet is to have your home router (AKA residential gateway) forward the SSH port (port 22 by default) to the proper computer on your home network.  If you don’t already know, outsiders on the Internet see your entire network as one IP address:  The external address of your router, assigned by your ISP.  When you try to connect to this address, the router takes the incoming connection (a connection always comes in on a particular port) and forwards that port to the appropriate computer on your network.  You need to make sure this is set up to work correctly beforehand.  Instructions for configuring your particular router, and further information about port forwarding can be found on the exceptionally useful website portforward.com.

So, now you can securely SSH into your server from elsewhere.  A problem you may experience is that if you execute a time-consuming command, such as compiling software or wget-ing an iso, and disconnect your session, the program stops immediately.  A great solution to this problem is GNU Screen (Thanks to Aaron Toponce for pointing out this great app).  Screen is a tool that starts a new, resumable command line inside the current one.  Once you are connected to the remote computer, type “screen” to start the program.  Inside screen, you can start downloading that iso with wget, and then press Ctrl+a, and then ‘d’ to disconnect the session.  You can type “exit” to disconnect from the SSH session, if you’d like.  The iso will keep downloading.  At a later point, you can SSH back in, and type “screen -r” to resume your previous session.

Well, that’s it for today.  Next time I’ll cover running GUI (graphical user interface) applications remotely with SSH and X11 forwarding, using compression, and some other useful stuff.

If you have any other useful SSH tips I haven’t mentioned here, feel free to comment.

Dag, this thing looks cool.  Small enough to comfortably stick in a backpack, and with a solid state drive so I don’t need to worry about it getting knocked around a little bit.  They start priced at $349.

Not to mention, it comes preloaded with Ubuntu!   Dell will be including all the audio and video codecs you will need for playing any kind of media, and all the hardware is obviously fully supported.  This takes care of the two biggest challenges that come with using Ubuntu.  Mmm, sweet Wifi.  I wonder if it comes preloaded with Ubuntu Netbook Remix?

When I get mine, I’ll definitely need to get the webcam add-on for making video calls over the internet.  I’ll also consider upping the RAM to 1GB, and possibly the solid state drive to 8 GB.

I expect that I would mostly use it for browsing the internet and VOIP video calling through Skype, but I’ll also be running applications off my server through ssh with X11 forwarding.

For those that haven’t used X11 forwarding before, it’s an amazing technology.  For example, I keep all of my documents and pictures on my server, but I can run the media viewing software through my network or even across the internet, allowing me to read my documents or view my photos without the software or media installed on the computer I’m sitting in front of.  And since none of it resides on the laptop, I don’t need the space to store it, or the processing power to run it – the server handles all of that.  For more on how to use X11 forwarding over ssh, I’ll be covering the topic in an upcoming post.  You can even play games using this method!  Of course, performance is dependent on how fast your network connection is.

If you want to read more about this excellent device, or build your own, click this link to go to the Dell site.

Update: According to the Canonical Blog, the Inspiron Mini 9 does not use the Ubuntu Netbook Remix launcher, but has its own custom launcher, visible here.