# Login my home computer from work

## c0vert

Hey, my login manager is GDM, and I noticed on one of the tabs in gdmsetup that it has the screen available for remote login. So I'm wondering how I can utilize that so that I can log into my home computer from work. I just want to clarify some things about it though, if possible.

1) Is it secure? I have a really strong password on my linux box

2) If I log into my computer from work, I am using my home internet connection when I do stuff on my home computer, correct? Just want to make sure that I'm not using work's connection, because I find it helpful if I could emerge huge files while at work from work on my home computer, but don't want to use up company resources.

Is this possible and can someone point me in the right direction?

edit: Does it have something to do with xdmcp?

----------

## ricce_n

If you just want to emerge stuff you can use ssh.

Make sure you have openssh installed (it probably is):

```
emerge -p openssh
```

Start the ssh daemon

```
/etc/init.d/sshd start
rc-update add sshd default
```

You can then use an ssh client to get a shell on your home computer. ssh won't give you any GUI, just a plain terminal, but that's enough for emerging.

If you want to be able to log out and disconnect from ssh and still have your apps (like emerge) running, you'll need to use screen.

Do you use Windows at work? PuTTY is a good ssh client for Windows:

http://www.putty.nl/

1) Yes, ssh is secure; everything is encrypted.

2) Yes, you will use your home connection.

----------

## albright

you can get "graphical" apps to work with ssh; just use ssh -X switch and enable X forwarding (slightly risky I am told ...). Works great for using kmail on one's home machine and avoiding email sync problems for example.

----------

## ricce_n

 *albright wrote:*   

> you can get "graphical" apps to work with ssh;
> 
> just use ssh -X switch and enable X forwarding
> 
> (slightly risky I am told ...). Works great for using
> ...

 

For that you'll need an X server installed on the client computer, which you probably don't have on a Windows host @ work...

----------

## Hu

One caution with regard to allowing remote access: barring other configuration, anyone on the Internet can try to ssh into that machine.  If you are satisfied with the strength of your password, confident that your password cannot be stolen (e.g. your employer is not running a keylogger or is not interested in stealing your password), and confident that your ssh daemon will never have a remotely exploitable hole, then you are fine.  In most scenarios, these are all fine assumptions.

However, even if no one can successfully break in, there will still be noise in your logs from robots trying to guess passwords.  You can mitigate this using a tool like net-analyzer/fail2ban or by configuring your system not to accept incoming ssh connections from any hosts other than those you expect to use (e.g. the IP address of your employer's NAT device).

----------

## c0vert

Thanks a lot, I'll definitely be doing this.

Where are the logs stored for ssh?  Or do I have to look at them using fail2ban?

PS. Although this ssh thing is all that I need and is what I'll use, I'm still curious about there being a graphical way of doing this, because of the gdmsetup configuration. It asks if I want to be greeted with the same login screen when logging in remotely; is that possible?

----------

## Hu

The location of your ssh logs depends upon how your system logger is configured.  Traditionally, logs are stored in /var/log, and ssh authentication messages are often written to /var/log/auth.log.

If you want to enable a GUI and you are stuck with Windows at work, you could run a VNC server on your home system, forward a port from your home system to your work system (via ssh), and then run VNC with the forwarded port.  That would let ssh encrypt the VNC traffic, as well as avoid exposing another service to the Internet at large.
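An added example, not part of the original posts: one way to summarise the sshd authentication messages mentioned above by source address, which shows both the password-guessing noise and the address your own logins arrive from. The log lines are constructed and assume OpenSSH's usual syslog message format; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise sshd authentication results per source address.
# SAMPLE_LOG is constructed for illustration (documentation-range addresses).
SAMPLE_LOG='Jan 10 03:12:01 laptop sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:04 laptop sshd[4103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:09 laptop sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Jan 10 09:30:15 laptop sshd[4410]: Failed password for c0vert from 198.51.100.7 port 40022 ssh2
Jan 10 09:30:21 laptop sshd[4410]: Accepted password for c0vert from 198.51.100.7 port 40022 ssh2
Jan 10 11:02:44 laptop sshd[4502]: Failed password for root from 192.0.2.77 port 33810 ssh2
Jan 10 11:05:00 laptop cron[4600]: (root) CMD (test -x /usr/sbin/run-crons)'

# ssh_sources: read syslog lines on stdin, print "address failed accepted"
# for every address seen in an sshd login result, most failures first.
ssh_sources() {
    awk '
        / sshd\[[0-9]+\]: (Failed|Accepted) [^ ]+ for / {
            # The address follows the last "from" (a user name could itself
            # be "from", so scan from the right).
            for (i = NF - 1; i > 0; i--) if ($i == "from") break
            if (i == 0) next
            ip = $(i + 1)
            if ($0 ~ /\]: Failed /) failed[ip]++; else accepted[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen) printf "%s %d %d\n", ip, failed[ip], accepted[ip]
        }' | sort -k2,2nr -k1,1
}

# likely_own_address: addresses with at least one successful login.
likely_own_address() {
    ssh_sources | awk '$3 > 0 { print $1 }'
}

# noisy_sources N: addresses with N or more failures and no success.
noisy_sources() {
    ssh_sources | awk -v n="$1" '$2 >= n && $3 == 0 { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | ssh_sources
```

On a real system, feed it the file your logger writes sshd messages to, for example `ssh_sources < /var/log/auth.log`.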

----------

## c0vert

Ok Maybe I'll try that after I figure out just the SSH part.

1) I realized that my computer is on a network, right, so its IP address is 192.168.0.101, but that is clearly behind my router, so when I'm ssh'ing, how do I distinguish which computer I want to ssh to?  Do I have to ssh to my router/external IP (64.231.x.x) and then from there ssh to 192.168.0.101?  Or is 64.231.x.x not my router's IP but just my network IP?  I'm not really sure how it works.

2) Also, if I enable ssh on my laptop, which I looked up to be port 22, do I then have to go to my router config page and open 22?  Or will just doing it on my laptop suffice? (I guess I'm wary about opening it on my router, but if I can make it so that it only allows connections from work, then I'll be fine.)  But then again, I don't know my work IP because I'm on an internal network.

Thanks

----------

## Hu

Based on what you said, I am going to assume your router is doing NAT.  Thus, it has the public IP address (64.231.x.x) that your ISP issued to your subscriber account.  The router is then issuing private addresses (192.168.0.x) to your computers.  To allow you to ssh from work to your home system, you need to point the work ssh client at your router and have the router configured to forward that port to your internal host.  How to do this varies by router, so I cannot say how to do it without knowing more.  I can say that you will need to configure the router first.  That is, you cannot ssh to the router and configure it.  At least, I hope you cannot.  If you can configure it from the outside, that is a huge hole and the device should be returned immediately.  If you cannot determine how to do port forwarding from the router documentation, post a description of it here and someone may be able to explain how to do it.

You need to configure the router to forward a port to the internal host.  This could be considered "opening a port on the router."  If you do not, then the router will send the incoming request to the DMZ host, or if no such host exists, drop it.

Once you have the router configured to forward a port to the internal system, you need to have the internal host running sshd (obviously) and have it allow connections from your work system.  If you want to restrict access to come only from your work system, you will need to know the public IP address of your employer's NAT device.  The quick and dirty way to do this is to make your system deny+log all incoming requests, go to work, and make a request.  Come back home and check your logs for where the request came from.  If you got multiple hits and you cannot distinguish the right one, repeat as necessary.  This whole process can be greatly simplified if you have access to the corporate VPN, so that you can establish a VPN connection to work and remotely order a system there to poke your home system.

If you are still unclear on how to make this work, let us know.

----------

## bunder

 *ricce_n wrote:*   

> For that you'll need an X server installed on the client computer, which you probably don't have on a Windows host @ work...

 

exceed ftw.   :Laughing: 

----------

## c0vert

I'll check it out

----------

## c0vert

I just tried to do this

```
laptop ~ # /etc/init.d/sshd start
 * Caching service dependencies ...                                       [ ok ]
 * Starting eth0
 *   You are using a deprecated configuration syntax for eth0
 *   You are advised to read /etc/conf.d/net.example and upgrade it accordingly
 *   Bringing up eth0
 *     dhcp
 *       Running dhcpcd ...
Error, dhcpStart: interface eth0 is not Ethernet or 802.2 Token Ring
                                                                          [ !! ]
 * ERROR:  cannot start sshd as net.eth0 could not start
```

I'm using eth1, not eth0, but it automatically seems to be trying with eth0. Is there a way I can fix this?

----------

## SiberianSniper

hmm, I'm not too sure, might be a problem with your /etc/conf.d/net

Easy but crude solution? :  rm /etc/init.d/net.eth0

----------

## c0vert

Sweet, it works, but what did this do exactly?

```
rm /etc/init.d/net.eth0
```

And will I have to put it back when I want to use eth0 or something?

----------

## SiberianSniper

If there's a net.eth0 file present, then anything else depending on "net" seems to depend on net.eth0.  However, by deleting it, I guess they now depend on net.eth1, which is the one you're actually using.  If you need net.eth0 back, that's as simple as

```
# The relative target resolves inside /etc/init.d, so this works from any directory
ln -s net.lo /etc/init.d/net.eth0
```

----------

## c0vert

great thanks for the explanation

----------

## ferg

If you do decide to go down the X forwarding (over SSH of course), then I can heartily recommend Cygwin X as a decent X Window environment for Windows.

Also as two trivial points to improve security, configure key authentication on your box, and then disable non-key authentication logins, and secondly shift your SSH port to a non-standard high port.

Both of these take very little time to do, but do improve security.

The second also reduces the amount of fake logins done by script kiddies scanning your SSH ports.  

Cheers

ferg
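An added example, not part of the original post: a small audit of the global part of an sshd_config for the two points above (key-only logins, non-default port). Both configs are constructed, port 22022 is an arbitrary choice, the function names are hypothetical, and the defaults assumed are OpenSSH's built-in ones.

```shell
#!/bin/sh
# Added example: audit the global part of an sshd_config for key-only
# logins and a non-default port. Both configs below are constructed.
WEAK_CONFIG='Port 22
#PasswordAuthentication no
PubkeyAuthentication yes'
HARDENED_CONFIG='Port 22022
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes'

# global_values PATTERN: print every value set for keywords matching PATTERN
# (lower-case ERE) before the first Match line. Keywords are
# case-insensitive and "#" starts a comment line. Assumes the
# whitespace-separated "Keyword value" form; Include files are not followed.
global_values() {
    awk -v pat="^($1)\$" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ pat { print tolower($2) }'
}

# first_or DEFAULT: sshd uses the first value it reads for a keyword.
first_or() { awk -v d="$1" 'NR == 1 { print; f = 1 } END { if (!f) print d }'; }

# sshd_audit: config on stdin, one finding per line, nothing if clean.
sshd_audit() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | global_values passwordauthentication | first_or yes)
    # Keyboard-interactive can carry password prompts (e.g. via PAM).
    kbd=$(printf '%s\n' "$cfg" | global_values \
        'kbdinteractiveauthentication|challengeresponseauthentication' | first_or yes)
    # Port may be given several times and every one is used; default is 22.
    ports=$(printf '%s\n' "$cfg" | global_values port | tr '\n' ' ')
    [ "$pw" = no ] || echo "password logins allowed"
    [ "$kbd" = no ] || echo "keyboard-interactive logins allowed"
    case " ${ports:-22} " in *" 22 "*) echo "listening on default port 22" ;; esac
    return 0
}

printf '%s\n' "$WEAK_CONFIG" | sshd_audit
```

The Match block in the hardened sample is deliberately left out of the verdict: settings there apply only to matching connections, so review them separately.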

----------

## cpaasche

I have taken a bit of a different tack on logging into my home system.  My firewall allows no incoming connections so I use reverse SSH.  I have a shell account on a very trusted system & the admin allows port forwarding.  sshd on the target box is set to kill the established outgoing connection to the middle system if two attempts are made with the wrong credentials so I can fat finger my password once.  That takes care of the script kiddies & scanners.

I like the fact that my firewall settings still allow no incoming connections & if someone tries twice unsuccessfully on the middle box, my box tears down the outgoing connection.  I just have to decide that I want the connection up before I leave the house.

1. From target box.  

```
user@destination$ ssh -R 10000:localhost:22 middleuser@middle
```

Don't replace localhost in the code above.  Do replace middleuser & middle with your credentials & the name of the middle box.

2. From the remote box.

```
user@notebook$ ssh user@middle
```

3. After logging in to the shell account.

```
user@middle$ ssh user@localhost -p 10000
```

Don't replace localhost in the code above.

It's all here at the Gentoo Reverse SSH Wiki

----------

