Remote access and VNC, the better way (Pown'd part 1.)
Many folk often need to access a home computer from Work or some remote location, myself included. If you're connecting a Windows Machine to a Windows Machine it is fairly easy. The protocol that talks between two Windows boxes is known as RDP and works well out of the box. The story is a bit different when you move to Ubuntu (or Linux in general actually). You need to use a protocol called VNC and it is not at all secure on its own.
In Ubuntu you also don't want to rely on the built in Remote Desktop feature from the Administration Menu, that is somewhat lacking in security allowing one to get p'owned... more on this later...
This post will look at connecting to your Ubuntu home computer from a remote location in a fairly secure way.
Don't trust the default
If you poke around the System menu in your Ubuntu install you'll eventually come across a the Remote Desktop option under Preferences. The first screen cap at the top is what it looks like if you click on it. In very simple Ubuntu English it gives you a pair of check boxes that once checked will allow remote connections to the desktop. I would caution against using this built in functionality and instead use x11vnc (as we'll see in a moment). Even adding a password via the Require the user to enter this password shouldn't make you feel that comfortable either. Since that password is all by itself and not associated with your login or any other passwords it would be quite easy to forget it. Besides there is some upper limit on how many characters that password can be so that should be reason enough to stay away. If you'd care for the kiss of death check the Configure network automatically to accept connections. that way you save a couple of minutes for the person hacking your IP address. In short you don't want to use the default Remote Desktop due to:
- Poor Security - Lack of complex password or association with your account.
- The Remote Desktop process (vino-server) always runs - Meaning that if anyone stumbles across your machine they will be able to connect because it is always listening for a connection. Plus even if you de-select the remote desktop options in the Preferences panel the service doesn't die until you reboot the computer. Making you think that remote access is not possible even though it might be.
- Plain Text Everything - Without tunneling through an SSH connection all of your traffic (ie passwords) will be sent un-encoded to your home machine.
Tunneling VNC through SSH the better way
As just mentioned the Ubuntu built-in VNC client lacks security. So instead of connecting via VNC directly we'll look at connecting to it via an SSH tunnel. SSH allows you to construct a secured connection between two computers in such a way that anyone looking at the traffic will be unable to decode it. In the simplest of pseudocode here is the procedure:
- Start an SSH server on your home computer listening for connections
- Connect from the remote computer to your home computer using a SSH program (Putty) and at the same time open a 'tunnel' between the remote computer and your home computer
- On the SSH command line start the VNC server
- Connect the remote computer to your home computer using a VNC viewer (TightVNC)
When you're done
- Disconnect the viewer
- Stop the VNC server on your home computer
- Disconnect your SSH session
- Don't worry about any loose ends
Software you'll need
- TightVNC on the remote machine
- Putty on the remote machine
- open-ssh on the machine you are connecting to
- x11vnc on the machine you are connecting to
Installing on your home machine - Clicking on the open-ssh link above should shell out the installer (if you're in Ubuntu) if not it's a simple: sudo apt-get install open-ssh. Once that installs you'll have a SSH server running on your computer waiting for connections, be default it will run on port 22. No further configuration (for now) is needed. Same with x11vnc. If the click doesn't work try this on the command line: sudo apt-get install x11vnc. The last two steps in this process are to find the IP address of your home machine (using something like whatismyip) and to fix your firewall/router to forward traffic from port 22 to you desktop computer. (Many different ways to do this depending on your setup)
Installing on the Remote Computer - The first thing to do is download Putty and fire it up. You'll see the screen below:
Replace the 1.1.1.1 IP address with your home IP address leaving port 22 as the default and then click on 'Tunnels'.
1. In source port type 5900
2. In Destination type localhost:5900
Leave the rest as default and click Add.
Click Open and you'll begin the connection to your home machine. You'll be asked for a login and username (use the same info that you'd use to login to your computer). Once that is done you'll be on a command line on your home computer. To start the VNC service type in:
x11vnc -safer -localhost -nopw -once -display :0
Now your home computer will start the VNC service using some better security settings (ie it will only listen for the next connection and then stop running).
Now fire up TightVNC (on the remote computer of course) and put localhost in the address and hit Connect.
If everything is setup properly you'll soon see your home computer desktop
Success!! Once finished be sure to close out the TightVNC program and to logout from your PUTTY session (type exit on the command line).
Some bonus things to consider:
- The SSH tunnel is secure enough that no one will no exactly what is being sent through it.
- Both Putty and TightVNC can be run without installing, that way you can copy them to a USB key and run them on whatever computer you like
- Secure it up even better by running SSH on a different port number
Hopefully future versions of Ubuntu will ship with a better way of doing this. I'm not complaining, just saying is all.
