how best to ssh tunnel in to a machine at home?
Grizzled Veteran
Join Date: Nov 2002
Location: London, UK
Hey all,
I'm going to be away from home for a few months, but would like to be able to ssh into my home server occasionally if there are any problems. I'd like to be able to use either vnc or remote desktop so that I have a graphical view of the system for doing things like installing updates etc.
Can you suggest the best way of going about this, setting up an ssh tunnel and getting into my machine securely.
Cheers,
J.
By all means let's be open-minded, but not so open-minded that our brains drop out - Richard Dawkins
Dedicated MacNNer
Join Date: Nov 2003
Location: Oslo, Norway
Turn on "Remote login" on your server at home. Then open and forward tcp port 22 through your network to your server. Then you can use SSH to access it from anywhere.
You can also use an SSH tunnel to secure your VNC connection:
1. Run OSXvnc on the server and set it to "Only allow local connections".
2. Create the SSH tunnel "ssh -l username domain -L 5900:127.0.0.1:5900" (where 'domain' is the domain name or ip address to your home server).
3. Use a VNC client and connect to "localhost"
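
The tunnel from step 2 as a small wrapper that can also check and close it afterwards. This is an added example, not part of the original post; the names `vnc_tunnel`, `DRY_RUN` and `SOCK_DIR` and the placeholder user and host in the usage comment are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): manage the VNC-over-SSH tunnel.
# Usage once loaded, with placeholder values:
#   vnc_tunnel open  jay home.example.net
#   vnc_tunnel check jay home.example.net
#   vnc_tunnel close jay home.example.net

# usage: vnc_tunnel open|check|close USER HOST [LOCAL_PORT]
vnc_tunnel() {
    action=${1:-} user=${2:-} host=${3:-} lport=${4:-5900}

    # Reject empty values, a leading "-" (ssh would parse it as an option)
    # and anything outside a conservative character set.
    for v in "$user" "$host"; do
        case $v in
            ''|-*|*[!A-Za-z0-9._-]*) echo "bad user/host: $v" >&2; return 2 ;;
        esac
    done
    case $lport in
        ''|*[!0-9]*|??????*) echo "bad port: $lport" >&2; return 2 ;;
    esac
    if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
        echo "bad port: $lport" >&2; return 2
    fi

    # A control socket lets us query and stop the backgrounded tunnel later.
    sock="${SOCK_DIR:-$HOME/.ssh}/vnc-$host.sock"

    case $action in
        open)
            # -f -N: go to background, run no remote command.
            # -M -S: act as control master on the socket above.
            # ExitOnForwardFailure: fail rather than run without the forward.
            # Both ends are 127.0.0.1, matching "Only allow local connections".
            set -- -f -N -M -S "$sock" -o ExitOnForwardFailure=yes \
                   -L "127.0.0.1:$lport:127.0.0.1:5900" -l "$user" "$host" ;;
        check) set -- -S "$sock" -O check "$host" ;;
        close) set -- -S "$sock" -O exit "$host" ;;
        *) echo "usage: vnc_tunnel open|check|close USER HOST [LOCAL_PORT]" >&2
           return 2 ;;
    esac

    if [ -n "${DRY_RUN:-}" ]; then
        echo "ssh $*"      # show the command instead of running it
    else
        ssh "$@"
    fi
}
```

With the tunnel open, the VNC client connects to "localhost" on the chosen local port, as in step 3.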
Grizzled Veteran
Join Date: Nov 2002
Location: London, UK
Originally Posted by albook
Turn on "Remote login" on your server at home. Then open and forward tcp port 22 through your network to your server. Then you can use SSH to access it from anywhere.
You can also use an SSH tunnel to secure your VNC connection:
1. Run OSXvnc on the server and set it to "Only allow local connections".
2. Create the SSH tunnel "ssh -l username domain -L 5900:127.0.0.1:5900" (where 'domain' is the domain name or ip address to your home server).
3. Use a VNC client and connect to "localhost"
Thanks very much for that, I'll try it out in the next couple of days.
Cheers,
J.
Grizzled Veteran
Join Date: Nov 2002
Location: London, UK
Thanks Albook, that worked beautifully. Now I'm just figuring out how to set up ssh tunnel manager to do the same thing.
Cheers,
J.
Mac Elite
Join Date: May 2002
Location: Los Angeles, CA.
Originally Posted by albook
2. Create the SSH tunnel "ssh -l username domain -L 5900:127.0.0.1:5900" (where 'domain' is the domain name or ip address to your home server).
is there a GUI program that will do that command? [also, how would you turn it off when done?]
thanks 
Mac Elite
Join Date: May 2001
Location: Vancouver
Don't forget to lock down SSH server with some basic precautions:
AllowUsers/DenyUsers in /etc/sshd_config
Disable Password Authentication
Enable Public Key (if possible)
Cheers.
Posting Junkie
Join Date: Dec 2000
Originally Posted by legacyb4
Disable Password Authentication
That's not good enough - the PasswordAuthentication setting gets overridden no matter what you set it to, unless you uncomment this line:
Mac Elite
Join Date: Oct 2000
Location: Seattle
You mentioned that the machine is a server so you may have already thought of this stuff, but it can't hurt:
Unless you have a static IP address you should look into dyndns.
Make sure the machine is set to turn itself back on after a power outage.
You may also want to allow outside access to your router - this is a security risk, but what if you need to open a port you hadn't thought of? Some routers let you do this and can restrict access. Probably a bad idea but something to think about.
Are your phone/cable/power bills paid? Might be hard to get the power back on if you are out of town and they pull your chain.
Make sure to try it a couple of times from a friend's house. See if you can really do everything you want to.
Did you leave the iron on? 
You can take the dude out of So Cal, but you can't take the dude outta the dude, dude!
Grizzled Veteran
Join Date: Nov 2002
Location: London, UK
Thanks for the extra replies. Very helpful.
Badtz: Yes there's a gui for this, it's called ssh tunnel manager, and I have just set it up to manage the tunnel for this. Neat app.
Gavin: Yep, I have dyndns running, the machine is set for restarts, bills are up to date (my wife will be at home) and I've made sure the iron is off. Good thoughts, thanks. Hadn't thought of the router, will look into that.
Legacy: why would you disable the password, don't you want password protection otherwise how are you able to log in and prove you're the correct user? Maybe I'm missing something on that one.
Cheers,
J.
Posting Junkie
Join Date: Dec 2000
Originally Posted by Freeflyer
Legacy: why would you disable the password, don't you want password protection otherwise how are you able to log in and prove you're the correct user? Maybe I'm missing something on that one.
It means that instead of typing an 8-character password, you'd have a private key instead. The key can be 1024, 2048, or even 4096 bits long, as opposed to an 8-char password which would only be 64 bits. Plus, if you have password authentication turned on, anyone can just keep guessing and brute force attack the password. Good luck doing that with a 4096-bit key...
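
A way to check that the precautions legacyb4 listed earlier in the thread are actually in force, given that a line still commented out in sshd_config sets nothing. This is an added example, not from any poster: the function names and the sample configuration are constructed here. The keyboard-interactive check comes from general OpenSSH behaviour and is not a claim about which line the truncated reply above refers to.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective sshd_config values
# behind the precautions above. All function names are made up for this sketch.

# Print the first active global value of KEYWORD ("a|b" = either spelling).
# sshd keeps the first value it reads, keywords are case-insensitive, and a
# line starting with "#" is a comment, so it sets nothing.
effective_value() {   # usage: effective_value FILE KEYWORD
    awk -v want="|$2|" '
        { sub(/#.*/, ""); key = tolower($1) }
        key == "match" { exit }          # per-user overrides are out of scope
        key != "" && index(tolower(want), "|" key "|") {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Compare one keyword with the wanted value; DEFAULT applies when no line is active.
check_kw() {          # usage: check_kw FILE KEYWORD WANTED DEFAULT
    val=$(effective_value "$1" "$2"); note=""
    [ -n "$val" ] || { val=$4; note=" (default, no active line)"; }
    [ "$val" = "$3" ] && return 0
    echo "$2: effective '$val'$note, want '$3'"
    return 1
}

# Print one finding per line and return the number of findings.
audit_sshd() {        # usage: audit_sshd FILE
    n=0
    check_kw "$1" PasswordAuthentication no yes || n=$((n + 1))
    check_kw "$1" "KbdInteractiveAuthentication|ChallengeResponseAuthentication" no yes || n=$((n + 1))
    check_kw "$1" PubkeyAuthentication yes yes || n=$((n + 1))
    [ -n "$(effective_value "$1" AllowUsers)" ] || { echo "AllowUsers: not set"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: the password line is present but still commented out.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real host's configuration
#PasswordAuthentication no
PubkeyAuthentication yes
challengeresponseauthentication no
AllowUsers jay
Match User guest
    PasswordAuthentication no
EOF
}
```

Run against the sample, `audit_sshd` reports one finding: password authentication is still at its default of yes, because the only global line for it is commented out and the one under `Match` applies to a single user.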