# HOWTO: A simple, quick way for remote desktops

## darkphoenix16

Hello, I have been using Gentoo for... let's see... around two years now.  I've always wanted to post to the forums but I never had time due to school, or that's what I am going to say anyway   :Confused:  .  Now that I am done with school I would like to *try* and help others out... so here it goes.

I have used these forums greatly and have come across people trying to set up remote desktops and having trouble.  This is what I do, it's probably not the best way but it works well.

A few notes on my setup:

I have four computers at home.  One is used as a router/firewall.  The router has port forwarding all set up so that each computer has its own "ssh" port.  For simplicity let's say they are 4444 for the computer with IP A, 5555 for the computer with IP B, and 6666 for the computer with IP C.  Computer A wants to be able to hold remote sessions from computers B and C.  Here's how I did it.

You will need to have gdm and ssh.

Step 1: Set up SSH

Assuming that the router is set up properly (if you are having trouble with your software router I HIGHLY recommend trying out Coyote Linux just for that purpose), we must place SSH on computers A, B, and C. Thankfully this is generally an easy task as we simply use portage.

```
emerge openssh
```

If the other computers don't have portage you're on your own!  :Smile: 

There are a few config files we must set up on computers A, B, and C.

```
# /etc/ssh/ssh_config
# Uncomment the following lines and set to yes
#ForwardAgent no
#ForwardX11 no
```

```
# /etc/ssh/sshd_config
# Uncomment and set the desired ssh port
#Port 22
# Uncomment and set to yes
#X11Forwarding no
```

Then we start up the services. On each computer:

```
rc-update add sshd default
/etc/init.d/sshd start
```

Step 2: Connect to the machine

First, as in my situation, I will assume the computers are on a router/firewall.

As computer A is the computer we are on and computers B and C are our guinea pigs:

```
ssh ip -l username -p port -X -C
```

ip is the IP of the ROUTER

username is the user account on the computer you wish to connect to, not the router, but from computer B or C

port is the port you have set up on the router to forward to the port on either computer B or C.  Obviously the username and port must belong to the same computer!

X enables X11 support

C gives us compression.

If you don't have a router and are simply connecting directly to the machine you simply use that machine's IP address and port.

Note that you may get error messages about security when accessing different ports for ssh on the same machine.  I don't know much about this (maybe someone reading this does?), but my quick hack is to simply delete the known_hosts file in the .ssh directory of your home.

```
rm ~/.ssh/known_hosts
```

If you have successfully connected, test out an X app.

```
/usr/X11R6/bin/xcalc
```

If the calculator comes up we are in business!

Step 3: Starting a remote session

Now, as GNOME has their nifty nested gdm session thingamabob, we might as well use this rather than something that requires more work.  You don't need to use the GNOME desktop, just gdm.  For instance, I use XFCE4 with the minimum number of gnome related packages required to have gdm run.  The following command will set up a remote session.

```
gdmflexiserver -n
```

And that's it. You should have a remote desktop in front of your eyes. Pretty simple eh?  I've looked around before I posted this and I didn't see a similar post.  If there is one, well... sorry!

Any comments?

----------

## tscolari

Just a question: what's the difference between openssh and ssh?

They are both there for emerge.

----------

## ajtidball

*tscolari wrote:*

> Just a question: what's the difference between openssh and ssh?
> 
> They are both there for emerge.

 

This says it better than I can   :Razz: 

http://www.openssh.com/

----------

## zaiyon

One question: I have got a machine without X, my "allround" server, which is my primary ssh daemon too; I usually connect to my workstation over it... so how can I get X11 to be forwarded through that non-X11 machine? I tried your howto way, but it does not work like this. Do you have any idea for me?

----------

## ian!

Moved from N&S.

----------

## darkphoenix16

Im not sure I understand 100%.

If you wanted to forward a X server app you would need an xserver on your server.  If you are trying to use X11 apps on another non-X11 machine I would recommend tight vnc.

Just emerge tightvnc and use the vncserver script.  Right off the bat it won't be secure but you can tunnel it using ssh.  There are plenty of tutorials on this.

----------

## zaiyon

Thanks for the answer, but that's not what I meant. I really want X11, no VNC, and forwarding works just fine; my problem is that I connect to my workstation from the server from the outside, so that means to me:

somewhere... :

```
$ ssh -XC myserver.mydomain
$ ssh -XC myworkstation
```

but I want to have X11 forwarding from myworkstation to somewhere, not on the server.... so it just has to be delivered - not used... is this somehow possible?

----------

## darkphoenix16

Interesting...So you want to first get into your server using ssh.  Then once in your server you again ssh into the workstation.  Then you finally try to use X11 apps on your workstation?

so:

```
some.computer $ ssh -flags myserver.mydomain                (your ssh)
some.computer.myserver $ ssh -flags myworkstation           (server's ssh)
some.computer.myserver.workstation $ xcalc                  (workstation's xcalc)
```

Is the above your situation?

If so can you tell me the output you get?  Maybe the X11 info is being sent to the server and not you.

In my situation I had a server too without X.  I had port forwarding set up so that when I accessed port 4444 on the server it relayed that to port 22 on the client connected to the server.  The client connected to the server had ssh set up to listen to port 22 and X11 forwarding enabled.  ssh on the server wasn't present as it wasn't necessary.  The commands I wrote (with fake IPs) were:

```
ssh 555.555.555.555 -l phoenix -p 4444 -X -C
```

where 555.555.555.555 was the address of the server and I already said what port 4444 was for.

This connected me to my client box and the server just acted as a middle man relaying information between us.  

Maybe that helps? If not I'll keep trying until you get too frustrated.  If you are getting errors on any machine post them. It makes it easier.

----------

## zaiyon

Thanks, I've been too stupid to think about that solution. I could just redirect everything received on port 4444 from my router to my workstation, and port 22 connections to my server; that of course works, but it is kinda not the nice way.... Is there no other way to "tunnel" the data through ssh, over the server from client to client? If you find a way, please tell me; I'll use the portfw way until that day comes  :Wink: 

----------

## darkphoenix16

Yah, I like using strange ports like 4444 so hackers won't know where to look for entry points.  I am sure they attack known open ports like 22, 21, 80 so I just close them up and use other random ones.

I am not sure if there is another way to tunnel the data (other than front-ends and utilities that do the same thing).  I'll let you know if I do though.

And don't be too hard on yourself  :Razz: 

----------
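An added example, not from any post in this thread, that puts the setups discussed so far into one `~/.ssh/config` on computer A: the router-forwarded ports from the HOWTO, a per-host fix for the host-key warning mentioned in step 2, and a way through the X-less server to the workstation that zaiyon asked about. The router address, the account name and the two hostnames are assumed placeholders.

```sshconfig
# ~/.ssh/config on computer A (added example, not the thread's own config).
# Assumed placeholders: 203.0.113.1 is the router's public address,
# "username" the account on B and C, myserver.mydomain and myworkstation
# the two hosts from zaiyon's posts.

# One entry per box behind the router, using the port the router forwards
# to it (step 2).  HostKeyAlias stores each box's key under its own name in
# known_hosts, so B and C sharing the router's address no longer trips the
# host-key warning and known_hosts does not have to be deleted.
Host boxB
    HostName 203.0.113.1
    Port 5555
    User username
    HostKeyAlias boxB

Host boxC
    HostName 203.0.113.1
    Port 6666
    User username
    HostKeyAlias boxC

# X11 forwarding and compression only for the hosts that need them (the
# same as "-X -C" on those connections), leaving the global default off.
# Untrusted forwarding keeps a compromised remote app from reading other
# windows or keystrokes; some older X apps need trusted mode to work.
Host boxB boxC workstation
    ForwardX11 yes
    ForwardX11Trusted no
    Compression yes

# zaiyon's case: an X-less server in front of the workstation.  ProxyJump
# (OpenSSH 7.3 and later; older versions: ProxyCommand ssh -W %h:%p server)
# carries the second ssh connection inside the first, so X11 forwarding is
# end to end between A and the workstation; the server needs no X and no
# extra port forward, and never sees the display traffic in the clear.
Host server
    HostName myserver.mydomain

Host workstation
    HostName myworkstation
    ProxyJump server

# Agent forwarding stays off everywhere unless a host explicitly needs it.
Host *
    ForwardAgent no
```

With this in place, `ssh boxB` or `ssh workstation` followed by `xcalc` or `gdmflexiserver -n` inside the session behaves as in steps 2 and 3.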

## ljuti

Slightly OT, but do not ever rely on security through obscurity. Using "strange ports" won't make you any safer, because a quick port scan reveals them anyway.

Just try

```
$ nmap -v -sT localhost
```

and see the results. Your unknown-to-all-hackers port should very quickly become general knowledge.  :Smile: 

You might as well keep that SSH bound to 22 so you don't have to mess with all the configurations and apps harnessing ssh(d).

----------

## darkphoenix16

I stand corrected  :Smile: 

----------

## BlindSpy

GREAT GUIDE! I've always known about the ssh config settings but never enough to know how to properly set it up and use the GNOME session thing - that's just cool. Great great work. Took me about 10 minutes to read/do completely, and it worked great.

----------

## nightblade

*ljuti wrote:*

> Slightly OT, but do not ever rely on security through obscurity. Using "strange ports" won't make you any safer, because a quick port scan reveals them anyway.
> 
> Just try
> 
> ```
> ...

 

I agree with you that changing the port of the ssh daemon will not deter a determined attacker from figuring out that you have an ssh server listening (a simple netcat connection will show you a clear OpenSSH banner with version and everything).

Still, it will hide you from script kiddies that scan thousands of IP addresses looking for open well-known ports.

In the end, changing the port will not stop somebody actively trying to hack you, but for sure it will keep away a lot of casual observers. Not the ultimate security hack, but still useful  :Smile: 

...sorry for the slight OT

p.s.: You should add "-p 1-65535" to your nmap scan. Otherwise you will only check the ports that appear in the nmap-services file (~1600 ports, as far as I remember), and if I set my server to listen on a port that is not in that file, the nmap scan will miss it...  :Wink: 

----------

## koroumel

I have a hardware firewall/router, into which... I cannot ssh (obviously) :Laughing:  . Is this solution still usable? And by the way, if I log in through GDM, and let D4X download, if I disconnect and then reconnect, will I have to relogin? And if so, will I see the same desktop (and D4X I left running) as before? gemvnc is too slow to rely on, so will this thread be a replacement?

----------

## darkphoenix16

Hi, thanks for the good comments  :Smile:  I'm glad others have gotten use out of it.

You can use this technique with a firewall/router, you just have to make sure the proper ports are open so that you can connect.

I'm not too sure, but in the ssh configs you can set which X display you log in to.  If you set that one to zero, and were also logged in at home, I believe you would be able to start a program up and have it also start up at home.  This way when you start an app remotely and then log out, it should still be there and progressing when you log in later as there is an instance of it at home.  Does that make sense?  Can anyone confirm this?

----------

## vdboor

Hi,

I've read your tutorial, and there is one thing I have to mention; you don't need to enable ForwardX11 by default in ssh_config (the client config), just use the -X switch if you want to enable X11 forwarding for your session. There is a reason why these options are off by default:

From the ssh_config manual:

```
     ForwardAgent
             Specifies whether the connection to the authentication agent (if
             any) will be forwarded to the remote machine.  The argument must be
             ``yes'' or ``no''.  The default is ``no''.

             Agent forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             agent's Unix-domain socket) can access the local agent through the
             forwarded connection.  An attacker cannot obtain key material from
             the agent, however they can perform operations on the keys that
             enable them to authenticate using the identities loaded into the
             agent.

     ForwardX11
             Specifies whether X11 connections will be automatically redirected
             over the secure channel and DISPLAY set.  The argument must be
             ``yes'' or ``no''.  The default is ``no''.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X11 authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able to
             perform activities such as keystroke monitoring if the
             ForwardX11Trusted option is also enabled.
```

Btw, also try "ssh -X -C" to enable some additional compression  :Wink: 

----------

## darkphoenix16

Ok, cool. thanks

----------

## CarlUman

RE ssh_config

I know you comment out a full line by putting # at the start of the line, but I'm getting an error on some of the lines where I have # to add a comment to the end of a line.  Is there a way to put a comment on a line like this...

```
ForwardAgent no      # comment here
```

Thanks

Carl

EDIT:

fixed spelling  :Surprised:  my fingers must not have been working (I'll blame it on the cold weather)

----------

## CarlUman

Bump for any ideas on my question (see previous post)

----------

## Lepaca Kliffoth

Thanks! Helped me too.

----------

## RiverRat

There is another way to do the full Gnome session remotely as well but it eludes me at the moment.  These little tricks are excellent to know but exceptionally hard to find.  Here is another one:

Log into a Linux system graphically (either w/ [xgk]DM or startx).

Go to one of the text consoles and log in.

Type "startx -- :1"    (and another xsession is started)

I don't see why you couldn't login twice w/ the same user name but every program that you run twice (including gnome-session) has the potential for some serious race conditions.  That is why I use it primarily for root to login without me, and all of the crap that stays open for months at a time on my computer, having to close down and log off.  By the way you can use the command multiple times; just increment the display number (:1, :2... ) each time and see how much memory you can consume!!!

Tres

----------

## senduran

*darkphoenix16 wrote:*

> If you have successfully connected, test out an X app.
> 
> ```
> ...

 

I get this far (well, using xclock since I don't have xcalculator), but...

*Quote:*

> Step 3: Starting a remote session
> 
> Now, as GNOME has their nifty nested gdm session thingamabob, we might as well use this rather than something that requires more work.  You don't need to use the GNOME desktop, just gdm.  For instance, I use XFCE4 with the minimum number of gnome related packages required to have gdm run.  The following command will set up a remote session.
> ...

 

I have a working XFCE4 setup (it works directly on the server; I start it up with 'startxfce4') and have installed gdm, but when I try to use gdmflexiserver -n I get a flash of a large white window and then an error window 'Cannot start new display / The X server failed. Perhaps it is not configure well.'. How do I configure it well, and/or what constitutes 'the minimum number of gnome related packages required to have gdm run'?

----------

## squeegee

Well, this is what I do, with TightVNC.

1. Start an ssh session (sshd set up to only allow authentication by key). 

2. run a startvnc script on the server, which only accepts a single connection, on localhost only, and cannot be disconnected by another user

```
#!/bin/sh
vncserver :1 -geometry 1024x768 -depth 16 -pixelformat rgb565 -localhost -nevershared -dontdisconnect
```

3. at home, run a script to set up the tunnel.

```
#!/bin/sh
ssh -2 -CL 5902:localhost:5901 [myserver].com
```

4. at home, run a script to start vncviewer (jpeg quality 4 is fine for me).

```
#!/bin/sh
vncviewer -quality 4 -encodings tight localhost:2
```

It asks for my password, and then opens the desktop.

----------
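An added example, not squeegee's own scripts, showing the server-side sshd settings that enforce the key-only, single-tunnel setup described above, and a client-side `Host` entry that replaces the tunnel script. The server name and key path are assumed placeholders.

```sshconfig
# /etc/ssh/sshd_config on the VNC server (added example, not from the post)
PasswordAuthentication no      # key-only logins, as step 1 requires
PubkeyAuthentication yes
X11Forwarding no               # VNC rides a TCP tunnel; X11 is not needed
AllowTcpForwarding local       # only client-to-server (-L) tunnels, no -R
PermitOpen localhost:5901      # the only destination a tunnel may reach:
                               # the "-localhost" vncserver on display :1

# ~/.ssh/config at home (replaces the one-line tunnel script)
Host vnc-server
    HostName myserver.example       # assumed placeholder for [myserver].com
    IdentityFile ~/.ssh/id_ed25519  # assumed placeholder
    IdentitiesOnly yes
    Compression yes
    LocalForward 5902 localhost:5901
    ExitOnForwardFailure yes        # refuse to open a session without the
                                    # tunnel if local port 5902 is taken
```

Start the tunnel with `ssh -N vnc-server`, then run `vncviewer -quality 4 -encodings tight localhost:2` as in step 4; any other forward request through this account is rejected by PermitOpen.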

