I've got a handy tip for folks who have a desk job: Keep your personal and professional life separate by securely controlling your home computer from work (VNC over SSH). As long as you're aware of the advantages and disadvantages of this technique, it's very convenient and useful.
Edit 2006-10-8: I flubbed the ssh installation instructions. There is no "openssh" package. There is "openssh-client" and "openssh-server", both of which are necessary. You can install them both by installing the package "ssh".
Edit 2008-2-17: Changed local VNC listening port to 5901 to avoid port conflicts.
Thanks to Nicholas Fong for the original tutorial, which appears to be down at the time of this writing.
The instructions I give in this post assume that the home computer runs Ubuntu Linux and that the work computer runs Windows. If your work computer runs Linux, you can use a command-line SSH client and vncviewer instead of downloading Putty and Tight VNC.
SSH tunneling is a technique that carries arbitrary traffic inside an encrypted, authenticated SSH connection, so sensitive data can cross the larger internet without being read or tampered with. Any sort of data can pass through the tunnel without the source and sink programs being aware of it.
VNC is a remote-desktop system that allows the user to view and control the desktop of a remote computer within a window on the local machine. Mouse and keystroke data is transmitted to the remote computer, and partial screen updates are transmitted back. The password exchange used to start the session is only weakly protected, and the session traffic itself is not encrypted at all, which is why we wrap it in SSH.
If you mess this up, someone could take control over your computer without your knowledge. This happened to me. I had a very unprivileged account called "guest" (password: "guest") for roommates, parents, etc. to use to shut off my computer in case of thunderstorms, and when I installed an SSH server I forgot to consider this easily-entered account. A few days later I noticed that my network connection was a little too active, and I found and killed a process that was attempting to hack into other people's computers. (Linux RST-B trojan, if I recall correctly.) It didn't do any damage to my machine, but it could have used my internet connection indefinitely. So be sure to read up on securing your SSH server, or at least restrict logins to a single account... and make sure your password is very secure.
We'll set up VNC over SSH for a fictional user "Bob", and even throw in a free subdomain address for his home computer: http://sparky.no-ip.info/.
Your home computer will be set up as a server for SSH and VNC.
- Install and verify No-IP so that you can use a domain name instead of an IP address to refer to your home computer.
- Register at no-ip.com.
- Add a host in your account (Hosts/Redirects -> Add), leaving the defaults in place. If you were Bob, you'd choose the hostname "sparky" on the domain "no-ip.info", giving the home computer the address "sparky.no-ip.info".
- On your home computer, install the No-IP software, which will update No-IP's records every half hour. (On Ubuntu, the package is
- Configure No-IP by running sudo no-ip -C and entering your No-IP login information when prompted. Accept the default value for the update interval and other options. (Here, there's only one host, and thus no ambiguity as to which DNS entry the No-IP client is updating. I'm not clear on how the service distinguishes between different hosts.)
- If you have a webserver running on your machine, you can verify successful No-IP configuration by visiting the address you set up, e.g. http://sparky.no-ip.info/.
- Start the No-IP client for the first time with the command sudo no-ip. (By default, the client will automatically start every time your computer starts. This command is only needed if you aren't restarting any time soon.)
- Install and verify VNC server. (Ubuntu comes with remote desktop functionality right out of the box, but it will need to be configured to allow connections.)
- If you're using the Gnome display manager (if you don't know, then you are), go to System -> Preferences -> Remote Desktop.
- Under Sharing, allow other users to view your desktop and control it.
- Under Security, do not require confirmation, but do require a password. (Restricted to 8 characters, unfortunately.)
- Verify your VNC settings by running vncviewer localhost, but do not enter the correct password. If you do, your computer will undergo VNC loopback and lock up. If you are prompted for a password, your settings are correct. Hit cancel.
- Allow incoming port 8443 on the home firewall/router to let the SSH traffic in. (Use 8443 because your workplace firewall will likely let the traffic through on that port -- some websites still use 8443 for HTTPS traffic.) The details of this are completely specific to your setup at home.
- Install and verify SSH server on the home computer.
- Install the ssh package, giving you both an SSH server and client. (It is a metapackage that depends on both openssh-client and openssh-server.)
- Open the SSH daemon configuration file, located at /etc/ssh/sshd_config.
- Near the top of the config file, change the Port instruction from 22 to 8443.
- In the Authentication section of the config file, change the PermitRootLogin instruction from yes to no. (I may never understand why they allow remote root logins by default.)
- In the Authentication section of the config file, add the instruction
- Apply the changes by restarting the SSH server with sudo /etc/init.d/ssh restart.
- Find your SSH host key fingerprint by using ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub. Write it down. The first time you log in remotely from any machine, you'll need to check this fingerprint against what Putty reports as the server's fingerprint. This is extremely important.
- Install the
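Two of the sshd_config edits above are easy to get wrong because sshd honours only the first active occurrence of a keyword, so a hardened line added below a stray default is silently ignored. The following script is an added example (not part of the original post) that audits a config file for the Port and PermitRootLogin settings this tutorial asks for; the three sample configs are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the two
# settings the tutorial changes (Port 8443, PermitRootLogin no). sshd takes the
# first active occurrence of a keyword and matches keywords case-insensitively.

# sshd_effective CONFIG KEYWORD: print the value of the first active
# (non-comment, non-blank) occurrence of KEYWORD, or nothing if it is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        tolower($1) == key { print $2; exit }            # first occurrence wins
    ' "$1"
}

# check_sshd_hardening CONFIG: exit 0 only if the effective Port is 8443 and
# the effective PermitRootLogin is "no". Unset keywords fall back to the sshd
# defaults the post describes: Port 22, PermitRootLogin yes.
check_sshd_hardening() {
    port=$(sshd_effective "$1" Port)
    root=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "${port:-22}" = 8443 ] && [ "${root:-yes}" = no ]
}

# Constructed sample configs (not real files from the post).
HARDENED=$(mktemp); DEFAULT=$(mktemp); TRAP=$(mktemp)
trap 'rm -f "$HARDENED" "$DEFAULT" "$TRAP"' EXIT
cat >"$HARDENED" <<'EOF'
# What the tutorial asks for
Port 8443
PermitRootLogin no
EOF
cat >"$DEFAULT" <<'EOF'
#Port 22
PermitRootLogin yes
EOF
cat >"$TRAP" <<'EOF'
# Looks hardened at the bottom, but the first active lines win
Port 22
PermitRootLogin yes
Port 8443
PermitRootLogin no
EOF

for f in "$HARDENED" "$DEFAULT" "$TRAP"; do
    if check_sshd_hardening "$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done
```

Run it against /etc/ssh/sshd_config (as root) after editing and before restarting the server; a "NOT hardened" result on the real file means the new lines are not the ones sshd will use.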
You won't have to install anything on your work computer, but you will have to run some stand-alone programs.
- Download Putty and the Tight VNC stand-alone client on the work computer.
- Create an ssh profile that you can reuse.
- Run putty.exe.
- Set the host name to your No-IP address or IP address (e.g., sparky.no-ip.info).
- Set the port to 8443.
- Under "Connection" -> "SSH" -> "Tunnels", add a tunnel: Set the source port to 5901, set the destination to localhost:5900, and click the "Add" button.
- Save your session: go back to the "Session" category, type "tunnel-home" in the text box under "Saved Sessions" heading, and click the "Save" button.
- On your work computer, open putty and run the "tunnel-home" profile.
- A terminal window will appear — log in using your username and password for your home computer. (If this is your first login from this machine, check to make sure the fingerprint matches. If not, don't enter your password!)
- Open VNC client and open a connection to localhost:5901.
- Prevent man-in-the-middle attacks by writing down your SSH server's host key fingerprint and verifying it the first time you connect from each machine.
- Keep port 5900 closed on your firewall. The VNC service accepts 8-character passwords at most, so brute force attacks are a concern. That's why we're only allowing connections from inside the firewall (via SSH.)
- Keyloggers can monitor your keystrokes at work, including your SSH password.
- Your boss can most likely view your screen over VNC.
- VNC over SSH will eat up bandwidth. This may or may not be a concern.
- Is it overkill? If you are only concerned about "sensitive" websites, you might just want an HTTP proxy.