remote access linux. Linux GUI remote access methods. Using VNC Server and Client in Ubuntu

5. Move the Button bar and the Location bar with the mouse.

6. Resize panels using special resize handles on window borders.

7. Run the vi command in the right pane.

8. In the left view pane, open the applet by pressing the keys .

9. On the bottom panel, use the compiler and other command line tools.

10. Select the Setting Save View Profile option to save the profile.

11. Enter a name for the profile, and then select the Save window size in profile option. After that, you need to click on the Save button to save the settings.

6. Test questions

1. What programs are called file managers?

2. What information is displayed in Konqueror's viewport?

3. How to create a new window with Konqueror?

4. List the file system management tasks that can be solved with the file manager.

5. List the standard features of KDE.

6. What is a component of the KDE desktop?

7. Name the functions of the desktop panel.

8. How do I get online help?

9. What features does the KDE Control Center provide?

Literature 1,3,4

Lab #9 Linux Remote Access

The purpose of the work: to become familiar in practice with the remote control tools of the Linux operating system, and to gain experience and skills in managing remote access.

Lesson plan

4. Using theoretical information, study the purpose and rules of working with the ssh service.

5. Install the necessary software (ssh, sshd, putty).

6. Provide ssh access to your computer. Grant permissions and a password for remote control of your computer to the neighboring computer in the counter-clockwise direction.

7. Establish a remote connection to a remote computer. The neighboring computer in the clockwise direction acts as the remote one. That is, you must remotely manage the computer on your right, and give the computer on your left the ability to remotely control your computer.

8. Prepare a report.

Brief theoretical information

1. Remote access protocols: telnet and ssh

The UNIX operating system was originally developed as an Internet server. Tools for working with the Network are built directly into the core of this operating system, and all the necessary software for organizing a server is included in the distribution. A UNIX system handles all network protocols (especially TCP/IP) better than any other operating system for the Intel platform. No wonder they say that UNIX is designed for the network, like a bird for flight. All the qualities listed above also apply to the Linux OS. There are many areas where Linux servers are used: WWW servers, FTP servers, mailers, gateways. That is why remote control of a Linux server is of great importance.

The two protocols used for remote access to Linux are telnet and SSH. Telnet is an Internet data transfer protocol that allows a computer to function as a terminal of a remote computer. The telnet protocol was originally developed for the ARPAnet and is an important part of the TCP/IP communications protocol.

There are three main problems with using telnet, making it a poor security choice for modern systems:

The default telnet daemons have a few vulnerabilities discovered over the years, and there are probably a few more that still exist.

Telnet does not encrypt any data that is sent over an established connection (including passwords), and thus it becomes possible for the connection to be eavesdropped and the password used later for malicious purposes.

The lack of an authentication system in telnet gives no guarantee that a connection established between two remote hosts will not be intercepted in the middle.

Use of the telnet protocol is undesirable on systems where security is important, such as the public Internet. Telnet sessions do not support data encryption. This means that anyone who has access to any router, switch or gateway on the network between two remote computers connected by a telnet session can intercept passing packets and easily obtain the login and password for access to the system (or take possession of any other information exchanged between these computers) using any publicly available utility such as tcpdump or Ethereal.

SSH (Secure Shell) is a network protocol that allows you to remotely control a computer and transfer files. It is similar in functionality to the telnet protocol, but encrypts the transmitted information.

The shortcomings of telnet led to the very rapid abandonment of this protocol in favor of the more secure and functional SSH protocol. SSH provides all the functionality that telnet offered, with the addition of effective encryption to prevent the interception of data such as logins and passwords. The public key authentication system introduced in the SSH protocol ensures that the remote computer is really who it claims to be.

Since using the telnet protocol for remote control is unsafe, this laboratory work considers only remote control via SSH.

At the moment, there are two versions of the SSH protocol.

Description of the technology of the SSH-1 protocol:

First, the client sends a request to the server to establish an SSH connection and create a new session. The connection will be accepted by the server if it accepts messages of this kind and is ready to open a new communication session. After that, the client and server exchange information about which protocol versions they support. The connection will be continued if a match between the protocols is found and confirmation is received that both parties are ready to continue the connection using this protocol. Immediately after that, the server sends the permanent public and temporary server keys to the client. The client uses these keys to encrypt the session key. Even though the temporary key is sent in plain text, the session key is still secure. The session key is then encrypted with the server's temporary key and public key, and thus only the server can decrypt it. At this point, both the client and the server have the session key and are therefore ready for a secure encrypted packet transmission session.

Server authentication occurs based on its ability to decrypt the session key, which is encrypted with the server's public key. Client authentication can occur in a variety of ways, including DSA, RSA, OpenPGP, or by password. The session continues as long as both the client and server are able to authenticate each other. An established connection via the SSH-1 protocol allows you to protect the transmitted data with a strong encryption algorithm, data integrity check and compression.

Description of SSH-2 protocol technology:

Both protocols essentially do the same thing, but the SSH-2 protocol does it in a more elegant, more secure, and more flexible way. The main difference between the protocols is that the SSH-2 protocol divides all the functions of the SSH protocol among three protocols, while the SSH-1 protocol is a single, indivisible protocol. Splitting the functions of the SSH protocol into three protocols (the transport layer protocol, the authentication protocol, and the connection protocol) makes the SSH-2 protocol the most flexible and powerful mechanism for creating secure tunnels. Below is a brief description and purpose of each of the three protocols that make up the SSH-2 protocol:

Transport layer protocol - provides the ability to encrypt and compress transmitted data, and also implements a data integrity control system.

Connection protocol - allows clients to establish a multi-threaded connection through the original SSH tunnel, thus reducing the load that client processes create.

Authentication protocol - the authentication protocol is separate from the transport layer protocol, as it is not always necessary to use an authentication system. In case authentication is required, the process is protected by the original secure channel established via the transport layer protocol.

It should be noted that the SSH protocol does not solve all network security problems. It only focuses on making applications such as terminal emulators work safely. Using implementations of the SSH protocol on servers and client applications helps protect data only in transit. The SSH protocol is in no way a substitute for firewalls, intrusion detection systems, network scanners, authentication systems, or other tools to protect Information Systems and networks from attacks.

The SSH server is the sshd daemon, which runs on a UNIX machine.

OpenSSH, PuTTY, SecureCRT, SFTPPlus, TeraTerm, etc. are currently used as an SSH client. In the laboratory practice, the most common OpenSSH will be used to connect a Linux client and PuTTY to connect a Windows client.

OpenSSH (Open Secure Shell) is a set of programs that provide encryption of communication sessions over computer networks using the SSH protocol. It was created under the leadership of Theo de Raadt as an open source alternative to commercial software from SSH Communications Security.

PuTTY (from TTY - teletype, English putty - putty) is a freely distributed client for SSH protocols. Originally developed for Windows, but later ported to Unix.

2. Setting up an ssh server on the server

In order for the SSH service to start working on the server, the sshd daemon must be running on it. It is advisable to add a startup command to the system boot script. The sshd daemon listens on port 22. You can run it under the xinetd/inetd superdaemon, but usually sshd starts on its own, in standalone mode.

The sshd server configuration file is /etc/ssh/sshd_config. You can get help on its syntax with man 5 sshd_config. The openssh-server package contains a configuration file with typical settings.

To protect your computer from unwanted intrusions from the outside, it is recommended to enter the allowedadress directive in the configuration file and list, separated by spaces, the IP addresses of the machines from which clients are allowed to log in. For example, for the ws2 workstation in the lab, you can allow remote connections only from the teacher's computer and the nearest computer on the left:

allowedadress 192.168.1.100 192.168.1.101

Example configuration file /etc/ssh/sshd_config:

# First we try to work using the SSH 2 protocol, and then,
# if the other side does not support the second version, SSH 1
Protocol 2,1

# Key for SSH protocol version 1
HostKey /etc/openssh/ssh_host_key

# Keys for the SSH2 protocol - RSA and DSA
HostKey /etc/openssh/ssh_host_rsa_key
HostKey /etc/openssh/ssh_host_dsa_key

# ssh version 1 key lifetime and size
KeyRegenerationInterval 3600

# The default size is 768 bits, set 1024
ServerKeyBits 1024

# The time after which the server keys will be regenerated.
# Periodic rekeying increases the security of the system.
KeyRegenerationInterval 1h

# We prohibit the registration of the root user via ssh.
# This does not exclude the possibility of remote
# administration: root will simply have to log in
# as a normal user, and then run the su command.
# But the attacker will need to steal
# not one, but two passwords: both root and normal user.
PermitRootLogin no

# Logging (uncomment if needed)
# (log using syslog)
#SyslogFacility AUTH

# Authentication
# Enables password authentication
# and disallows blank passwords
PasswordAuthentication yes
PermitEmptyPasswords no

#StrictModes yes

# use RSA authentication
RSAAuthentication yes
PubkeyAuthentication yes

# rhosts authentication - usually not used,
# so we ban it:
# the user files ~/.rhosts and ~/.shosts will not be used
RhostsAuthentication no
IgnoreRhosts yes

# DO NOT use PAM authentication
PAMAuthenticationViaKbdInt no

# Additional time for the client to authenticate itself.
# If during this time the client was unable to enter a password,
# the connection will be terminated
LoginGraceTime 2m

# Path to banner
Banner /some/path

# sftp server subsystem
Subsystem sftp /usr/libexec/openssh/sftp-server
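A way to check a configuration like the one above for the settings its comments discuss (an added example, not part of the original lab text): the script parses the global section of an sshd_config, applies sshd's rule that the first value read for a keyword is the one used, and reports SSH-1 fallback, direct root login, empty passwords, rhosts trust, a short SSH-1 server key and password logins. SAMPLE_CONFIG is constructed for the example, and the severity labels are this example's own assumption.

```python
"""Audit the global section of an sshd_config for the settings discussed above."""
import re

# Constructed sample: a weakened variant of the example configuration above.
SAMPLE_CONFIG = """\
# Try SSH-2 first, then fall back to SSH-1
Protocol 2,1
HostKey /etc/openssh/ssh_host_key
KeyRegenerationInterval 3600
ServerKeyBits 768
KeyRegenerationInterval 1h
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
IgnoreRhosts yes
LoginGraceTime 2m
"""

TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Keywords that may legitimately appear more than once.
REPEATABLE = {"hostkey", "listenaddress", "port", "subsystem", "acceptenv"}


def parse_time(value):
    """Convert an sshd time value such as '3600', '2m' or '1h30m' to seconds."""
    value = value.lower()
    parts = re.findall(r"(\d+)([smhdw]?)", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError("bad time value: %r" % value)
    return sum(int(n) * TIME_UNITS[u] for n, u in parts)


def parse_sshd_config(text):
    """Return (effective, ignored) for the lines before the first Match block.

    sshd keeps the first value it reads for a keyword, so a later duplicate
    does not override it; such lines are returned in `ignored`.
    """
    effective, ignored = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        match = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$", raw.strip())
        if not match:          # blank line, comment, or keyword without value
            continue
        name, value = match.group(1), match.group(2).strip()
        key = name.lower()     # keywords are case-insensitive
        if key == "match":     # conditional blocks are out of scope here
            break
        if key not in effective:
            effective[key] = value
        elif key not in REPEATABLE:
            ignored.append((lineno, name, value))
    return effective, ignored


def audit(text):
    """Return a list of (severity, keyword, message) findings."""
    cfg, ignored = parse_sshd_config(text)
    findings = []

    def is_set(key, wanted):
        return cfg.get(key, "").lower() == wanted

    if "1" in [p.strip() for p in cfg.get("protocol", "").split(",")]:
        findings.append(("HIGH", "Protocol", "SSH-1 is accepted; allow 2 only"))
    if is_set("permitrootlogin", "yes"):
        findings.append(("HIGH", "PermitRootLogin", "root can log in directly"))
    if is_set("permitemptypasswords", "yes"):
        findings.append(("HIGH", "PermitEmptyPasswords", "empty passwords accepted"))
    if is_set("rhostsauthentication", "yes") or is_set("ignorerhosts", "no"):
        findings.append(("HIGH", "IgnoreRhosts", "rhosts trust is honoured"))
    if cfg.get("serverkeybits", "").isdigit() and int(cfg["serverkeybits"]) < 1024:
        findings.append(("MEDIUM", "ServerKeyBits", "SSH-1 server key under 1024 bits"))
    if "logingracetime" in cfg:
        try:
            if parse_time(cfg["logingracetime"]) == 0:
                findings.append(("MEDIUM", "LoginGraceTime", "0 means no time limit"))
        except ValueError as exc:
            findings.append(("WARN", "LoginGraceTime", str(exc)))
    if is_set("passwordauthentication", "yes"):
        findings.append(("INFO", "PasswordAuthentication",
                         "passwords can be guessed; consider public keys"))
    for lineno, name, value in ignored:
        findings.append(("WARN", name, "line %d: %r is ignored, the first "
                         "occurrence of the keyword wins" % (lineno, value)))
    return findings


if __name__ == "__main__":
    for severity, keyword, message in audit(SAMPLE_CONFIG):
        print("%-6s %-24s %s" % (severity, keyword, message))
```

Run against the example configuration above, the duplicate check is the one that fires: KeyRegenerationInterval appears twice there, so the later 1h line has no effect.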

The keys that sshd can be started with are listed in Table 9.1.

Table 9.1. sshd server keys.

Purpose

Specifies the number of bits for the server key (default 768). This option can only be used if you are using SSH protocol version 1.

Debug mode (DEBUG). In this mode, the server does not go into background mode, handles only one connection and logs its actions in detail in the system log. The debug key is especially useful for learning about the server.

Just like with the previous key, the sshd server will not go into background mode. However, unlike -d, the -D option does not put the server into debug mode.

Send debug messages not to the system log, but to the standard error stream.

Specifies an alternative configuration file instead of /etc/ssh/sshd_config.

Provides an unauthenticated client with additional time to enter the password. The value 0 is interpreted as an infinite wait.

Specifies an alternate public key file key_file (host key). By default the file /etc/ssh/ssh_host_key is used. This key may be needed to run sshd as an unprivileged user. The -h switch is also often used when starting sshd from scripts that specify different settings depending on the time of day (during working and off-hours).

Used if you want to run sshd through the xinetd superserver. Usually the sshd daemon is started separately when the system boots. This is because the sshd daemon takes some time to generate the server key before it can respond to client requests. When started through the superserver, sshd is called again by the superserver on each connection and regenerates the key. However, on modern computers the delay is almost unnoticeable, so it is quite possible to run sshd through the superserver as well.

Specifies the time after which the server key will be recreated. The default time is 1 hour. This option can only be used with SSH protocol version 1.

Specifies an alternate port that the sshd daemon will listen on instead of port 22.

"Quiet mode": do not log the session. Usually the start of authentication, the result of authentication and the end time are logged.

Test mode. Used to check the validity of the configuration file.

You can only use IP addresses in IPv4 format.

You can only use IP addresses in IPv6 format.

3. Remote access from a Linux client

Let's start the server with CentOS Linux. Using the ps (process status) command with the C (by command name) and l (long format) keys, check whether the sshd daemon is running, and with the ifconfig command check the server address (Fig. 7.1).

Fig. 9.1. Checking the load of the sshd service and the server IP address

We see that the sshd process is running. Its parent is the initialization process with identifier 1. The server's IP address is 192.168.100.3, as it was set during installation.

We boot the client machine with Alt Linux Lite. We launch a terminal on it and check the connection with the server by typing the ping 192.168.100.3 command. As can be seen from Fig. 9.2, a connection to the server cannot be established immediately after booting.

Fig. 9.2. Checking the connection with the Linux server

IP protocol setup is required. Select (see Fig. 7.3) Settings - System Control Center - Network, enter the IP address 192.168.100.4 and click the "Apply" button.

Fig. 9.3. Setting up an IP interface on a Linux client

Again, we check the possibility of establishing a connection with the server. As can be seen from Fig. 9.4, the client now "sees" the server.

Fig. 9.4. After connecting the client to the 192.168.100 network, the connection is established

Since the setting is not saved when booting from the Live-CD, the client's IP address must be set every time Alt Linux is booted from a Live-CD. Now we try to connect remotely to the server.

The ssh client program can be launched with multiple options; in the general case, the format of its launch is as follows:

ssh [switches] [switches_with_arguments] [login_name@]host.domain [command]

We will use the -l key, which specifies which user will be logged on to the remote machine, and the -v key, which enables the display of all debugging information. We type the ssh command with the server address and these keys. As can be seen from this figure, the client and server exchanged information about which protocol versions they support (OpenSSH_4.7p1 on the client side and OpenSSH_4.3 on the server), the server sent its public RSA key, and the program asks the user for confirmation to include the server in the list of known hosts.

Fig. 9.5. Obtaining a public key to encrypt data from the server.

This is an important property of the SSH protocol. It is designed to protect the user against attacks known as spoofing or "man in the middle". One of the problems with older protocols like Telnet, FTP, RSH, etc., apart from the fact that they transfer all information in clear text, is that these protocols are vulnerable to this kind of attack. An attacker who has access to an intermediate network can intercept your packets, store them, and then send them on to the intended destination. Even worse, the attacker can rewrite your packets, for example by replacing ls -la mydir with rm -r mydir (delete instead of browsing), or send you a trojaned file instead of the original via your captured FTP session. Finally, the attacker can simply redirect your connection to another computer so that you send your password to another machine. Using this technique, the attacker will be able to find out the password that protects your account and can then log in under your name for their own purposes.

SSH provides the ability to authenticate the host you are connecting to. If you have correctly verified the host, there is no way for an intermediate device to read or manipulate your packets. Successful host verification shows that the connection is end-to-end encrypted - your SSH client has established a secure connection directly with the SSH server, and no intermediate machines have access to that connection.

Since we're connecting to this machine for the first time, and SSH does not rely on a trusted third party such as a Certificate Authority, all of the key management work is up to you. Your client displays a key fingerprint, an easy-to-read string of numbers that you can use to manually verify the key. If you answer "Yes, the fingerprint is correct", your SSH client will continue to authenticate, allowing you to enter your password and get to work.

How do you know you got the correct key? After all, if during the connection with the server the attacker intercepted your SSH connection and passed all the traffic through him, he can slip you his key instead of the real public key of the host. There are several ways to authenticate a key. For example, the owner of the system may place the fingerprint of the key on their secure web page. Alternatively, you can call the host's system administrator and verify the key over the phone (if the possibility of an intruder intercepting the telephone conversation is ruled out).

We confirm the continuation of the connection by typing yes, and we receive a message from the program that the server is included in the list of known hosts (Fig. 9.6).

Fig. 9.6. RSA check

When you answered "yes", our SSH client stored the server's key in the known_hosts file, which is actually your personal Certificate Authority - a list of the keys of all the SSH servers you work with.
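The fingerprint prompt and the known_hosts comparison described above, as an added example that is not part of the original lab text: it computes a key's fingerprint in the colon-separated MD5 form printed by older OpenSSH releases and the SHA256 form printed by current ones, compares it with a fingerprint obtained out of band, and classifies a presented key against a known_hosts file with plain and hashed host entries. The keys, the salt and the host 192.168.100.5 are constructed sample data; wildcard patterns and marker lines are not handled.

```python
"""Host-key checks an SSH client performs, on constructed data."""
import base64
import hashlib
import hmac
import struct


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def make_constructed_key(seed):
    """Fake ssh-rsa public key blob in SSH wire format (sample data, not a usable key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = b"\x00" + hashlib.sha512(seed).digest() * 2
    return _b64(field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus))


def key_type(key_b64):
    """Read the algorithm name stored as the first field of the key blob."""
    blob = base64.b64decode(key_b64)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def fingerprints(key_b64):
    """Return (md5_colon_hex, sha256_base64) fingerprints of a public key."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha_fp = "SHA256:" + _b64(hashlib.sha256(blob).digest()).rstrip("=")
    return md5_fp, sha_fp


def fingerprint_matches(key_b64, published):
    """Compare the presented key with a fingerprint obtained out of band."""
    wanted = published.strip().encode()
    return any(hmac.compare_digest(fp.encode(), wanted)
               for fp in fingerprints(key_b64))


def hash_host(host, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (_b64(salt), _b64(mac))


def host_matches(field, host):
    """Match a known_hosts host field, plain (comma-separated) or hashed."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hmac.compare_digest(hash_host(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")


def check_host_key(known_hosts, host, presented_key):
    """Return MATCH, CHANGED or UNKNOWN for the key a server presents."""
    presented_type = key_type(presented_key)
    changed = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blanks and comments; marker lines are out of scope
        hosts, ktype, key = parts[:3]
        if ktype != presented_type or not host_matches(hosts, host):
            continue
        if key == presented_key:
            return "MATCH"
        changed = True  # same host and key type, different key
    return "CHANGED" if changed else "UNKNOWN"


# Constructed sample data.
SERVER_KEY = make_constructed_key(b"lab server")
OTHER_KEY = make_constructed_key(b"some other machine")
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts file",
    "192.168.100.3 ssh-rsa " + SERVER_KEY,
    hash_host("192.168.100.5", b"constructed salt") + " ssh-rsa " + SERVER_KEY,
])

if __name__ == "__main__":
    print(fingerprints(SERVER_KEY))
    for host, key in [("192.168.100.3", SERVER_KEY),
                      ("192.168.100.3", OTHER_KEY),
                      ("192.168.100.9", SERVER_KEY)]:
        print(host, check_host_key(KNOWN_HOSTS, host, key))
```

UNKNOWN corresponds to the first-connection prompt, where the fingerprint should be compared with one obtained out of band; CHANGED is the case in which the connection should not proceed until the new key has been verified.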

Now you can connect to the server remotely. Repeat the command

ssh 192.168.100.3 -l root -v

and we get connection establishment information (Fig. 9.7), where the last stage of authentication is entering the password of the root user of the remote server computer.

Fig. 9.7. Debugging information for remote connection

Enter the server root user password (Fig. 9.8) and enter the remote control session.

Fig. 9.8. Remote connection procedure after password entry

You can now manage the server remotely. You can, for example, reboot it remotely by executing the reboot command, as shown in the following figure 9.9.

This figure shows that immediately after the reboot command, it is not possible to re-establish a remote connection - the server has not yet booted. After the connection is established, the ps command shows that two user processes are running on the server - the bash shell and the ps command itself. Both processes are started from the remote console pts/0.

We end the remote session with the logout command.

The developed laboratory setup allows you to study in detail the remote control of a Linux server. SSH configuration on the server can be done using the sshd_config configuration file. The user can get help on its syntax with the man sshd_config command. In the package openssh-server there is a configuration file with typical settings.

4. Remote access from Windows client

Not all operating systems have built-in SSH clients: UNIX has one, Windows does not. Under Windows, you can install an SSH client, PuTTY (official server http://www.chiark.greenend.org.uk/~sgtatham/putty/). The composition of the PuTTY distribution kit used is shown in Fig. 9.10.

Fig. 9.10. Composition of the PuTTY distribution.

PuTTY is a set of separate programs designed to work with a UNIX server using the SSH1, SSH2, Telnet, Rlogin and Raw protocols. The program works on Windows for Intel x86 and Alpha, as well as on UNIX. The complete set of programs shown in Fig. 9.11, under the general name PuTTY, consists of the following utilities:

- putty.hlp - help file;

- putty.exe - client for connecting to the server via telnet, ssh, raw, rlogin protocols;

- puttygen.exe - rsa/dsa key generator;

- pageant.exe - authentication agent, stores keys in memory, when using it, you do not need to manually enter a key passphrase;

- plink.exe - command line interface for putty;

- pscp.exe - secure copying of files;

- psftp.exe - Safe ftp client to copy, view, rename files, etc.

Installing putty is optional, you can just copy the files to the desired directory.

Run putty.exe and create a profile with settings for our remote server. PuTTY allows you to create profiles for different SSH servers, so you don't have to type in the settings for a specific server the next time you want to connect to it. We are now in the Sessions category (see the tree on the left in Figure 9-11). Enter the host address 192.168.100.3 in the Host Name (or IP address) line, leave the default port number (22) and Protocol (SSH). Under the Saved Sessions label, enter the name of the profile, for example, Session with CentOS, which will help you remember which server this profile belongs to.

Fig. 9.11. Creating a profile with settings in PuTTY

Then we go to the Connection -> Data category and specify in Auto-login username (see Fig. 9.12) the username under which we will connect to the SSH server - root.

Fig. 9.12. Set the username of the remote host

Now go back to the Sessions category and save the profile by clicking Save. The next time you start PuTTY, simply select the appropriate profile from Saved Sessions, click Load and then Open.

Now we can connect to our SSH server by simply clicking Open. When this client connects for the first time, a security threat warning appears (see Figure 9.13), similar to the message shown in Fig. 9.5. This is because PuTTY does not yet know the public key of the server host. PuTTY writes the host key for each server you connect to in the Windows registry. Each time you connect to a server, it checks that the host key provided by the server is the same one that was used on the last connection. If this is not the case, you will receive a warning and have the option to terminate your connection before you type in any private information (such as a password). Since we are connecting to the server via the SSH protocol, everything said above about checking the server's public key when connecting a Linux client applies to this connection.

In our case, there are no doubts about the authenticity of the server - we press the button

Fig. 9.13. PuTTY warning on first connection to remote host

Since we saved the username under which we are connecting in the profile settings, we do not need to enter it again; we only specify the user's password (Fig. 9.14).

Fig. 9.14. Server remote control session

The remote connection is established. Figure 9-14 shows running a few commands on a remote Linux server and then rebooting the server remotely. After a reboot, the session becomes inactive. You should close it and reconnect to the server when it boots up.

The most common connection method was considered: identification by password. If anyone knows the username and password, they can connect too. So if you have a simple password and/or are the victim of a brute-force attack, there may be problems. Alternatively, you can authenticate the user with public key encryption. You can use PuTTYgen to generate a private/public key pair. Then the public key will need to be transferred to the server, and the private key will need to be attached to the PuTTY profile. These procedures are detailed in the putty.hlp manual.

Thus, the developed laboratory installation allows you to study in detail the remote control of a Linux server from a Windows client.

Work order:

1) Check whether the xinetd super server is running. If it is not running, install the super server from the xinetd-2.3.14-10.el5.i386.rpm package. (/usr/sbin)

2) Using the find command, check the presence and location of the ssh server sshd. If sshd is not installed, install it from the packages openssh-4.3p2-16.el5.i386.rpm, openssh-askpass-4.3p2-16.el5.i386.rpm; openssh-server-4.3p2-16.el5.i386.rpm. (usr/sbin)

There are a lot of programs for organizing remote access. There are paid and free programs, there are programs for different operating systems. It is clear that in this article we will not be able to consider everything at once, but we will talk about the most interesting of them, and most importantly, we will understand what is more effective for a particular task.

Radmin (shareware)

About ten years ago, Radmin was the most popular remote access program, and it still exists (www.radmin.ru) - it has not gone anywhere during this time. Let's start the review with it.

The program consists of two parts: Server and Viewer. The first one runs on the remote computer(s) and the second one runs on your computer and is used to connect to the remote machines you are about to configure. On the developer's website, you can download both the complete set and individual components. There is also a portable version of the Viewer that works without installation, and the version of Radmin Server 3.5 NTI is a special version without a tray icon, that is, a user of a remote computer will not know that Radmin is installed on it until you start managing his computer.


I will note the key features: support for Windows 8 32/64 bit, support for switching user sessions in Windows XP/Vista/7/8, compatibility with Wine (Radmin can organize remote access to a Linux PC via Wine), Telnet support, remote PC shutdown, Radmin server scanner (allows you to find all the PCs you can manage on your network), file transfer between Server and Viewer.

Conclusions:

  • The functionality of the program: here is its own authentication, and support for voice chat, and the ability to transfer files. Everything is very convenient.
  • Due to the fact that Server is installed on the remote computer, the presence of the user is not required, as in other similar programs. For example, you can administer remote PCs of your colleagues when they are out for lunch. Other similar programs require either the user to allow the connection, or the user to provide you with a password that is automatically generated each time you connect.
  • Low system requirements, the program does not load the processor at all, which is especially important for my old laptop with an AMD processor, which heats up like an iron - it acted as a "remote" computer.
  • Just starting the Server is not enough, you also need to configure it.
  • Many users love TeamViewer not for its functionality, but for the fact that it doesn't require any special ports (it uses port 80 by default) and doesn't require firewall configuration. Radmin Server uses port 4899, and it will not be possible to start it without configuring a firewall.
  • No mobile clients.
  • Does not support other OS.

TeamViewer (freeware)

Now, probably, from the programs for remote access, TeamViewer is the most popular of all. You can download the full version from www.teamviewer.com/en and don't pay a dime. The program is absolutely free for non-commercial use.


Fig. 4. TeamViewer launched

TeamViewer pleases with support for Windows, OS X, Linux, which was so lacking in Radmin. There are also mobile clients for Android, iPad/iPhone: you can control a remote computer from your iPhone. There is also a Portable version of the program for Windows, which is very useful for infrequent use of the program, and the Portable version can be run both on the “server” and on the “client”, unlike Radmin, where you can only run the client (Viewer) without installation, and the "server" part must be installed.

After starting the program, you will see the main TeamViewer window and the Computers and Contacts window (Fig. 4). If you plan to help all your relatives and colleagues at once, you can click the "Register" button, create an account, and then in this window you will see all the numerous computers that you set up.


Fig. 5. TeamViewer in action

Now let's figure out which is which. If you need to connect to your computer, then you must tell the remote party your ID (in this case, 969 930 547) and password (8229). How to report, decide for yourself - you can copy and transfer these values via Skype, ICQ, email, SMS, or simply dictate by phone. This password changes each time the program is started. If the program is installed on your computer, you can make a permanent personal password, but I do not recommend: the password can be compromised and then anyone can connect to your computer.

If you need to connect to a remote computer, then you need to enter the ID of the remote side (in this case, 411108007) and click the "Connect to partner" button, after which the program will ask you to enter the password that you received from the remote side. That's all - in the window that appears, you can configure the remote computer (Fig. 5).

You probably already noticed the main difference from Radmin: you need to transfer the password to the person who sets up the computer, and in Radmin the password is specified when creating a user account. In other words, you need the presence of the user at the computer. The question is, how to organize a home office when you want to access your work computer from home, for example, at night. Everything is very simple. You need to organize TeamViewer autostart (for example, add it to the Startup group or register it in the registry in the Run key) and set a Personal Password. Please note that you cannot set a personal password if the program is not installed on your computer, but is launched without installation.

There is one more program you should be aware of: TeamViewer Host. It runs as a system service and is used for 24/7 access to a remote computer, including logging in/out. It turns out that TeamViewer Host allows you to organize a terminal server, and it supports an unlimited number of clients for one server (the number of clients is limited only by the computing capabilities of your computer). It should also be noted that to install TeamViewer Host you need administrator rights, which are not always available, so in most cases you will still use the regular TeamViewer. However, if you need to set up only one computer (or simply organize remote access to it, say from home), then TeamViewer Host is not needed. For the sake of fairness, it should be noted that if a regular TeamViewer (not Host) is running on computer A, then computers B, C, D (the number three is given as an example) can connect to it for joint administration. Another thing is that you need to coordinate the actions of administrators, since the keyboard and mouse are common, but one can configure, the rest will observe.

Like Radmin, TeamViewer allows you to exchange files, voice and text messages, as well as remotely reboot the computer. The desired command is in the "Actions" menu (see Fig. 5). Simply restarting the computer is not enough, because the TeamViewer session will then not be re-established; during setup, reboot the computer only through the "Actions" menu.

Conclusions:

  • Simplicity (the program is simpler than Radmin - a huge advantage for inexperienced users who will have to install it on the remote side).
  • The program completely does not require installation: both on the client and on the server. Installation is optional.
  • Works on port 80 (and some additional ports) so no firewall configuration is required.
  • Availability of versions for other operating systems.
  • Availability of mobile clients for Android, iOS and Windows phone 8 (that is, you can control the remote computer directly from your iPad).
  • Possibility of organizing interactive conferences (up to 25 participants).
  • Does not require administrator rights for remote access.
  • Loads the processor noticeably more than Radmin; my old laptop even overheated and turned off.
  • Although there are mobile clients, they are not very convenient (however, this is better than nothing).

Royal TS (shareware)

Once upon a time there was such a program - mRemote. I don’t know what happened there, but the mRemote project was closed, and the developers took it and created another project - Royal TS. On the site you will find versions for Windows, OS X and iOS (can be run from iPhone and iPad).

In Royal TS, before creating a connection, you need to create a document, that is, one connection = one document. Royal TS documents are a very handy thing, they can be transferred like regular files, for example, to another admin. He will be able to open such a document and immediately connect to a remote computer without having to create a connection manually. The shareware version has a limit on the number of simultaneously open documents - ten. As for me, this is quite enough for non-commercial use of the program, so in practice you won’t even notice that you are missing something (unless, of course, you administer a huge network of computers remotely).

The first thing to say is that this program is fundamentally different from Radmin and TeamViewer. Both of these programs combine the functionality of both a server and a client (in the case of Radmin, the server and client are different programs, in the case of TeamViewer - the same program). In other words, on one of the computers you can install Radmin Server or TeamViewer, and on the other, use Radmin Viewer or TeamViewer, respectively, to connect to this remote computer. So, Royal TS is something like Radmin Viewer, that is, a program for connecting to a remote server, but the server will have to be created on its own. How you do it is your problem. Royal TS will not help you create such a server, but will only allow you to connect to it.


Fig. 6. Royal TS for Windows

Among the protocols for connecting to a remote server that Royal TS supports: RDP, Telnet, SSH, Citrix, VNC. The RDP / Telnet / SSH servers themselves and others will have to be configured independently.

On the one hand, this is beyond the scope of the article, on the other hand, it would be incomplete if I did not give an example of setting up at least one of the servers that Royal TS supports. SSH / Telnet servers, I think, the reader will not be very interested. I want something graphic. Suppose we have Linux (Ubuntu or its clone) and we need to set up a VNC server. To do this, first install the VNC server with the command:

sudo apt-get install vnc4server

After that, you need to run it - for the first time without parameters:

sudo vnc4server

When running the sudo vnc4server command, you need to enter the password that will be used to connect to this VNC server. The password itself will be stored in $HOME/.vnc/passwd. I won't say a word more - there is man :). After the first launch, you need to start vnc4server by specifying the screen number:

sudo vnc4server :3

Next, in Royal TS, you need to create a new document (on the File tab), then go to the Edit tab and press the VNC button. In the window that appears (Fig. 7), you need to enter the display name (Display Name) - in our case: 3, the IP address of the VNC server and specify the port number (usually 5900). The password will be requested when connecting to the server.


Fig. 7. VNC Connection Options

Conclusions:

  • A universal client for connecting to a remote server using various protocols.
  • There are versions for Windows, OS X and iOS.
  • It is impossible to organize remote access using only Royal TS tools, additional programs are needed.
  • Not suitable for remote configuration of computers of inexperienced users - they simply will not be able to configure the necessary remote access services.

Supremo: free and easy (freeware)

Let's analyze the situation. If you don't like TeamViewer or cannot use it for some reason (including the need to purchase a license for commercial use), and Radmin is also unsuitable, then you will have to look for analogues. Since this article deals with simple and free programs, the next program must be: a) free; b) simple. Supremo is such a program; it can be downloaded from the site.

The program (Fig. 8) was created "in the image and likeness" of TeamViewer. It does not require installation, its principle of operation is the same as that of TeamViewer, and it even uses the same terminology (I mean the partner ID and other labels in the program interface).

The computer you are setting up and the support technician's computer must be running Windows only. Various editions of Windows are supported, including Windows 7 and Windows Server 2008 R2. Nothing has been said about support for Windows 8 and Windows Server 2012 on the official website yet.


Fig. 8. Supremo program

The algorithm for using it is simple: you need to run the program on both computers, then ask the remote side for its ID and password, and then click the "Connect" button. Before this, the remote side must press the "Start" button, otherwise the connection will not be allowed. Perhaps this is the only difference from TeamViewer.

To make the review more complete, let's go to the program settings (Tools -> Options). In the "Security" section (Fig. 9), you can configure the automatic launch of the program, specify a password for remote connections, and specify which IDs are allowed to connect to your computer.

Fig. 9. Supremo security options

In the "Connection" section (Fig. 10), you can specify the proxy server settings if it is present on your network.

Fig. 10. Supremo connection parameters

In addition to its direct purpose, namely remote control of a computer, the program can be used to exchange files. For file sharing (which is possible in two directions - both download and upload) just use drag & drop.

Conclusions:

  • Easy to use.
  • Does not require installation.
  • Ability to transfer files.
  • Chat capability.
  • No firewall configuration required (using HTTPS/SSL).
  • No support for OS other than Windows.
  • No mobile clients.

LogMeIn (freeware)

Let's consider another useful program: LogMeIn (Fig. 11). The purpose of this program is the same as that of all the others discussed in this article - remote access. On the logmein.com website you will find several similar products, but we are primarily interested in the LogMeIn Free product. Its capabilities are quite enough for most purposes: access to a computer running Windows or OS X, remote control and desktop browsing, copy and paste between computers, reboot function, chat, multi-monitor support, SSL/TLS intrusion detection; it does not require firewall settings and does not require administrator rights on the remote computer.

Personally, I liked the functions of copying and pasting data between computers, as well as the reboot function: in the process of setting up a computer, it sometimes needs to be rebooted, after which the remote access session will be automatically restored, which is very convenient.

Unlike the Free version, the Pro version supports PC-to-computer file transfer, HD video, drag-and-drop between PCs, and a few other features that are hardly worth paying almost 53 euros a year for - that's how much the Pro version costs. A comparison of the two versions, as well as the OS X version, can be read at: https://secure.logmein.com/comparisonchart/comparisonFPP.aspx.

Fig. 11. LogMeIn Main Window

The way you work with this program is slightly different from TeamViewer and similar programs. It's a little more complicated, but apparently that's how the LogMeIn developers determine who uses the program and for what purposes. In the main window, select "from a Mac or PC" and then you will see the sequence of actions that you need to perform in order to give another user access to this computer (Fig. 12). Grandpa and grandma will definitely get confused and will not appreciate it. You cannot do without registering on logmein.com; although registration is free, it is completely unnecessary in terms of convenience.

Fig. 12. How to connect to this PC

There is, however, a simpler way - anonymous access through a browser. It is quite an interesting feature, which is not found in other similar programs. The bottom line is this: a user who wants you to set up his computer creates an invitation link, then sends it to you in any convenient way (via email, Skype, and so on). The invitation link is valid for a certain time (the time is set by the remote user), so even if someone spies on the link, he is unlikely to be able to use it after the expiration date.

Let's take a look at how to create an invitation and how to use it. The Desktop Sharing section displays the current invitations. By clicking the "Send invitation" button, you can generate such a link. The invitation creation wizard allows you to define the duration of the invitation and how the invitation will be sent (it can be sent as a link by e-mail, or you can just get the link and send it manually).


Fig. 13. Manage a remote computer through a browser

Then this link must be sent to the person who will be setting up the computer. When he copies it to the browser and opens it, he will see a screen similar to the one in fig. 13. To continue, you need to click the "Continue" button. After that, the user who sent the link will receive two requests in sequence. The first request is a request to allow access to the guest, the second request is to grant access rights (Fig. 20). The guest can either fully control the computer, or only view the desktop without control.

Conclusions:

  • Does not require administrator rights.
  • Does not require firewall configuration.
  • Ability to use a browser for remote control.
  • Mobile clients.
  • A somewhat unusual way of working.

Mosh (mobile shell): a good alternative for SSH

Mosh can also be used for remote access to the console (that is, you can remotely execute commands and see their result). The main advantage of Mosh over SSH is the ability to roam, that is, change the network on the client machine, which is useful on the road when the network can change (now it is cellular, in a few minutes - Wi-Fi, while the IP changes, but the connection remains). Frequently traveling admins will appreciate this. But there is one big drawback: Mosh will not connect to a regular SSH server, which means that Mosh will have to be installed on the server. But Mosh does not work as a daemon, like SSH, but as a regular program, that is, root access is not needed to run it. Mosh is available for many Linux and BSD distributions, OS X, iOS (as part of the popular iSSH client), and Android.

UltraVNC/RealVNC

VNC (Virtual Network Computing) is a system for remote access to a computer desktop using the RFB (Remote FrameBuffer) protocol. It was previously shown how to organize a VNC server on Linux; on Windows, such a server can be created using the UltraVNC or RealVNC programs. UltraVNC is similar to RealVNC but has additional features such as encrypting the connection between the client and the server, the Java Viewer module (access to a remote PC through a Java-enabled browser), and others. RealVNC, in turn, has a VNC Viewer plugin for Google Chrome, so there is no need for Java Viewer. As already noted, the programs are largely similar, so in this article we will only consider UltraVNC.

When installing UltraVNC, it is possible to install both a VNC server and a VNC client. If you do not need remote access to your own computer, you do not have to install the VNC server on it. When installing the VNC server, it will be possible to configure it to run as a system service, but this requires admin rights. The RFB protocol that VNC uses usually uses ports 5900-5906. Therefore, to connect via VNC, you need to configure a firewall, otherwise it will "kill" the connection.

The UltraVNC Viewer program is used to connect to the VNC server. The program is universal and you can use it to connect to any VNC server, not just the one running UltraVNC Server. Similarly, you can connect to a server created by the UltraVNC Server program with the RoyalTS program or any other VNC client.

A few words about how it all works. First, launch the UltraVNC Edit Settings program and on the Security tab set a password to access the VNC server, then you need to launch the UltraVNC Server program. After that, on another computer, we launch UltraVNC Viewer (Fig. 14) and enter the IP of the computer on which the VNC server is installed, and click the Connect button.

Fig. 14. UltraVNC Viewer

Conclusions:

  • You need admin rights, you need to configure the firewall.
  • The same protocol can be used to control Windows, OS X and Linux, but these are not the advantages of a specific program, but of VNC itself.

SSH access

SSH remains a classic of remote access. It would seem, what else can you think of? Well, for example, what if you have a lot of remote machines? Define aliases for each? There are special utilities that allow you to quickly switch between machines. One such manager in Linux is Gnome Connection Manager. The program is very convenient and highly recommended. On Windows, AutoPuTTY is used for this purpose, a wrapper for the popular PuTTY SSH/Telnet client, which can be downloaded from http://www.r4dius.net/autoputty/. There is a similar SSH connection manager for OS X - Shuttle. For mobile platforms, you can use mobile SSH clients - Prompt (iOS) and ConnectBot (Android). You can easily find links and screenshots on the Web.

Ammyy Admin (freeware)

Ammyy Admin is another program for remote desktop access. The program is good because it is absolutely free, it is not demanding on resources at all (the executable file generally takes a ridiculous 700 Kb), it allows you to organize both regular remote access to the desktop and a connection in the style of a remote office, does not require installing and changing firewall settings. You can find the rest of the program's features on the developers' website.

AnywhereTS (freeware)

Allows you to convert computers into thin clients. The main purpose of this program is by no means remote access for technical support, as in all previously described programs, although it can also be used for this. AnywhereTS allows you to give a second life to old computers that will be used as thin clients: they connect to a server that runs programs that are physically impossible to run on old PCs. Detailed information about this program can be found on the developer's website.

Remote access in Windows 8

This review would not be complete if we did not consider the capabilities of the OS itself. On the "server" (that is, on the computer to which remote access is planned), you need to perform the following steps:

  • Run SystemPropertiesRemote.exe.
  • Enable the "Allow remote assistance connections to this computer" checkbox.
  • Turn on the "Allow remote connections to this computer" option and click the "Apply" button.
  • If you use power saving mode, you need to configure the computer so that it never goes into sleep mode.

On your computer, use the Remote Desktop Connection application to connect to a remote computer.

Fig. 15. Remote access permission

Google Hangouts: Screen Sharing and Video Conferencing

As a last resort, you can use the new service from Google - Hangouts. It allows you to arrange video calls, during which users can share their screen with each other. If you wish, you can familiarize yourself with this service.

Instead of a conclusion

There are a lot of programs for remote access. As I have hopefully shown, the most familiar tool is not always the most effective. It is necessary to build on the conditions of a specific task, target platforms and other factors. I hope now I have finally cleared up the whole picture of remote access in your head. All suggestions and wishes can be sent to [email protected]

Samba is an effective way to organize the interaction of computers running Windows and Linux, and in networks consisting only of Linux machines it also allows you to quickly share resources. The Samba configuration file can be enormously long and take into account many options, but in most cases a much smaller configuration is enough.

If we want both to share our own files and to access files on other computers, we need to install three packages:

sudo aptitude install samba smbclient smbfs

Create a backup copy of /etc/samba/smb.conf:

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.backup

Now let's open the /etc/samba/smb.conf file for editing:

sudo nano /etc/samba/smb.conf

Clear the file and paste something like this:

[global]
workgroup = home
netbiosname=linux--server
server string = linux_file_server
security = user
browseable=yes

[download]
path=/home/download
comment = download
readonly=No

[torrent]
path = /home/torrent
comment = torrent
readonly=No

[hdisk]
path = /home/virtdiver/hdisk
comment = hdisk_250G
readonly=No

workgroup - the network name; it must be the same for all computers.

netbios name - sets the NetBIOS name by which the Samba server will be accessible. By default, the first part of the computer's domain name is used.

server string - a description of the computer, an analogue of a similar value in Windows.

security - defines access to shared directories.

security = USER - The client must first log in with an existing username and password. Note that the name of the requested resource will not be sent to the server until the server has authenticated the client. This is why guest accounts do not work in USER mode, preventing the server from converting unidentified users into guests.

security = SHARE - When clients join a resource with security = SHARE they do not need to log in with a valid username and password. Instead, clients send authentication information (passwords) to a specific resource when they want to access that resource. In SHARE mode, the user is not required to send his name, only the password.

security = SERVER - In this mode, Samba will try to determine if the user/password pair is valid by passing it to another SMB server, such as NT. If that fails, security = USER will work.

security = ADS - In this mode, Samba runs as a member of an AD domain.

security = DOMAIN - In this mode, Samba will try to verify the username and password by passing them to the primary or backup domain controllers of Windows NT, i.e. it will do the same as a Windows NT server would do.

Note: I checked with the share and user parameters, in both cases there were no problems either when connecting to Windows 7 or when connecting from a machine running Linux, but I managed to connect from a PDA under WM 6.1 only in user mode.

browseable - whether you want to make available all subdirectories of the shared directory. This option can also be used on a per-shared directory basis.

path - path to the shared folder. In this particular example, the torrent folder (for uploading torrent files for the rtorrent program), the download folder (for files downloaded by rtorrent) and the hdisk folder in which my external hard drive is mounted will be shared.

comment - comment.

readonly - read-only access. Note that Samba can restrict user rights, but cannot extend system-defined rights. That is, if the shared directory does not have write permissions for everyone on the system itself, Samba will not be able to allow third-party users to write to it. However, if the directory has permissions of 777, then by setting the readonly = Yes parameter you can restrict write access for users connecting from the network.

guest ok = Yes - add if you want to allow access without authorization. (It will not work in security = USER mode, see above.)

Grant permissions to folders:

sudo chmod 777 /home/torrent/

and similarly for the other folders.

After completing the configuration, run the command:

testparm

it will automatically check the configuration file. After that, restart Samba:

sudo /etc/init.d/samba restart

sudo smbpasswd -a virtdiver # add user to samba

In Linux, we mount network folders like this:

sudo smbmount //192.168.1.33/hdisk/ /home/virtdiver/hdisk/ -o rw,iocharset=utf8,username=virtdiver,password=pass

sudo smbmount //linux--server/hdisk/ ~/hdisk/ -o rw,iocharset=utf8,username=virtdiver,password=pass

Unmount:

sudo smbumount ~/hdisk

Entering three such lines is inconvenient, so we write a script.

touch samba.sh

nano samba.sh

Write to the file:

#!/bin/bash
echo "Mount //192.168.1.33/hdisk/"
sudo smbmount //192.168.1.33/hdisk/ /home/virtdiver/hdisk/ -o rw,iocharset=utf8,username=virtdiver
echo "Mount //192.168.1.33/torrent/"
sudo smbmount //192.168.1.33/torrent/ /home/virtdiver/torrent/ -o rw,iocharset=utf8,username=virtdiver
echo "Mount //192.168.1.33/download/"
sudo smbmount //192.168.1.33/download/ /home/virtdiver/download/ -o rw,iocharset=utf8,username=virtdiver

We give the right to execute:

sudo chmod 755 samba.sh

Then run the script.
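A way to review a share configuration like the one above before restarting Samba, as an added example that is not part of the original article. The function name audit_smb_conf and the [scratch] share are constructed for the illustration; the parser relies on the fact that Samba ignores case and whitespace in parameter names and that [global] values act as defaults for shares.

```shell
#!/bin/sh
# Added example: list every share in an smb.conf read from stdin and flag
# the combinations discussed above (share-level security, guest access to a
# writable share). "readonly=No", "read only = no" and "Writable = yes" are
# treated as the same setting, as Samba itself does.

audit_smb_conf() {
    awk '
    # Normalise a Samba boolean to "yes" or "no".
    function bool(v) {
        v = tolower(v)
        return (v == "yes" || v == "true" || v == "1") ? "yes" : "no"
    }
    function invert(v) { return v == "yes" ? "no" : "yes" }
    # Print the section that has just ended.
    function report() {
        if (section == "") return
        if (section == "global") {
            line = "global security=" security
            if (security == "share") line = line " RISK=password-only-auth"
        } else {
            line = "share=" section " path=" path " write=" invert(ro) " guest=" guest
            if (ro == "no" && guest == "yes") line = line " RISK=anonymous-write"
        }
        print line
    }
    BEGIN { security = "user"; g_ro = "yes"; g_guest = "no" }   # Samba defaults
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                        # comments, blanks
    /^[ \t]*\[.*\][ \t]*$/ {                                    # section header
        report()
        section = tolower($0)
        sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
        path = ""; ro = g_ro; guest = g_guest    # shares inherit [global] values
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
        value = substr($0, eq + 1)
        sub(/^[ \t]+/, "", value); sub(/[ \t]+$/, "", value)
        if (name == "path") path = value
        else if (name == "security") security = tolower(value)
        else if (name == "readonly") ro = bool(value)
        else if (name == "writable" || name == "writeable" || name == "writeok")
            ro = invert(bool(value))             # inverted synonyms of read only
        else if (name == "guestok" || name == "public") guest = bool(value)
        if (section == "global") { g_ro = ro; g_guest = guest }
    }
    END { report() }
    '
}

# Constructed sample modelled on the shares in the article, plus one
# constructed share ([scratch]) that combines guest access with write access.
SAMPLE_CONF='[global]
workgroup = home
netbiosname=linux--server
security = user
browseable=yes

[download]
path=/home/download
readonly=No

[hdisk]
path = /home/virtdiver/hdisk
read only = Yes

[scratch]
path = /srv/scratch
Writable = yes
guest ok = Yes'

printf '%s\n' "$SAMPLE_CONF" | audit_smb_conf
```

On a real server the input would be the configuration file itself: audit_smb_conf < /etc/samba/smb.conf.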

The RUVDS technical support service is regularly contacted about the GUI and remote access to it on Linux virtual servers, despite the fact that there are a lot of materials on the Internet covering this problem. Therefore, for our users, we decided to collect everything on this topic in one article.

You can also forward RDP traffic through an SSH tunnel. To do this, you need to fix the xrdp configuration file:

$ vi /etc/xrdp/xrdp.ini
Add the following line to the section: address=127.0.0.1

$ systemctl restart xrdp
You can check that everything is correct like this:

$ nmap -p 3389
Starting Nmap 6.47 (http://nmap.org) at 2016-10-04 13:07 MSK
Nmap scan report for unspecified.mtw.ru ()
Host is up (0.0087s latency).
PORT     STATE  SERVICE
3389/tcp closed ms-wbt-server
Then if you are using cygwin or mingw, linux or mac os:

ssh [email protected] -L 3389:localhost:3389
If PuTTY:

Launch PuTTY. In the tree menu on the left, Connection → SSH → Tunnels. Next, add a new Forwarded Port (Source port: 3389, Destination: localhost:3389). Click Add.
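A server-side check for the binding described above, as an added example that is not part of the original article: it reads socket listings in the format printed by `ss -ltn` and reports remote-desktop ports (3389 for xrdp, 5900-5906 for VNC) that listen on anything other than loopback. The function name exposed_listeners and the sample listing are constructed for the illustration.

```shell
#!/bin/sh
# Added example: flag remote-desktop listeners reachable from the network.
# Input lines have the layout printed by `ss -ltn`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Output: one "port address" line per listener that is not loopback-only.

exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        # The port is the text after the last colon (also works for [::]:3389).
        n = split(local_addr, parts, ":")
        port = parts[n] + 0
        addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
        # Only xrdp (3389) and the VNC/RFB range (5900-5906) are of interest.
        if (port != 3389 && (port < 5900 || port > 5906)) next
        # Loopback binds can only be reached locally, e.g. through ssh -L.
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port " " addr
    }'
}

# Constructed sample: xrdp bound to 127.0.0.1 as configured above, one VNC
# display on loopback, and two VNC displays listening on all interfaces.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:3389 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5903 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 [::1]:5901 [::]:*
LISTEN 0 5 [::]:5902 [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the server itself the input would come from the live listing: ss -ltn | exposed_listeners. An empty result means the listed services are reachable only through a tunnel.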

VNC

Client:

For example, let's put this DE:

$ apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E
$ echo "deb http://packages.x2go.org/debian jessie main" > /etc/apt/sources.list.d/x2go.list
$ echo "deb-src http://packages.x2go.org/debian jessie main" >> /etc/apt/sources.list.d/x2go.list
$ apt-get update
$ apt-get install x2go-keyring && apt-get update
$ apt-get install x2goserver x2goserver-xsession
The output of the following command should show that x2go is ready to go:

$ systemctl status x2goserver
● x2goserver.service - LSB: Start and stop the X2Go daemon
   Loaded: loaded (/etc/init.d/x2goserver)
   Active: active (running) since Tue 2016-10-11 22:05:51 MSK; 30 minutes ago...
And now the important point, you won’t be able to connect without this fix! You need to find the line "mesg n" in the .profile file and replace it with "tty -s && mesg n".

$ vi .profile
The following command will display the path to the startfluxbox executable, which will be needed when setting up the client:

$ whereis startfluxbox
Server installation on Ubuntu:

$ apt-get install xfce4 xfce4-terminal
$ add-apt-repository ppa:x2go/stable
$ apt-get update
$ apt-get install x2goserver x2goserver-xsession

$ vi .profile
Server installation on CentOS:

$ yum install epel-release
$ yum install x2goserver x2goserver-xsession
The Linux client is installed from the above repositories with the following command:

$ apt-get install x2goclient
For Windows - download, install, run. The same link above has a client for OS X.

We start the client:

In the session settings, specify: in the Host field - the IP of your server, in the Login field - root, leave the port as it is, session type - the GUI that was installed.

As you can see, there is an option for key authentication. In general, a lot of things. See for yourself. And the sound can be output through PulseAudio.

After clicking Ok, you will see these charming little things that you need to click on to be prompted to enter a password and connect to the selected session:

Note: Please note that your favorite FluxBox is not in the list, so you have to write the path to it manually.

An important feature of x2go is the ability to run any graphical application without installing DE at all. To do this, in the session settings, you need to select the single application item in the session type section and select the application to run or enter the path to the program to be launched.

In this case, the software installation on the server will look like this. In the case of Ubuntu:

$ add-apt-repository ppa:x2go/stable
$ apt-get update
$ apt-get install x2goserver x2goserver-xsession
And now the important point, you won’t be able to connect without this fix! You need to find the line "mesg n || true" and replace it with "tty -s && mesg n".

$ vi .profile
$ apt-get install firefox xterm
With the session set up as shown below, it is possible to launch the browser on the remote server, and a window showing it will open on your machine:

Or so; then just a terminal window will open:

Below you can see a screenshot of the current session status window. Buttons marked with orange numbers:

  1. "Suspend session" - after clicking this button, the connection will be terminated, but the session will remain and will wait for reconnection. All applications you run on the server will continue to work;
  2. "Terminate session" - after clicking, the connection to the server will be terminated, and the applications you launched on the server will be terminated.

TeamViewer

The last method of remote desktop access.

Installation on Ubuntu:

$ apt-get update
$ apt-get install lubuntu-desktop
$ reboot
$ dpkg --add-architecture i386
$ apt-get update
$ wget http://download.teamviewer.com/download/teamviewer_i386.deb
$ dpkg -i teamviewer_i386.deb
$ apt-get -f install
$ teamviewer --passwd
Installation on Debian:

$ apt-get update
$ apt-get install lxde lightdm
$ reboot
$ dpkg --add-architecture i386
$ apt-get update
$ wget http://download.teamviewer.com/download/teamviewer_i386.deb
$ dpkg -i teamviewer_i386.deb
$ apt-get -f install
$ teamviewer --passwd
Installation on CentOS:

$ yum groupinstall "X Window system"
$ yum install epel-release
$ yum install fluxbox xterm lightdm
$ systemctl set-default graphical.target
$ reboot
$ curl -o TeamViewer_Linux_PubKey.asc -Lk http://www.teamviewer.com/link/?url=354858
$ rpm --import TeamViewer_Linux_PubKey.asc
$ curl -LOk http://download.teamviewer.com/download/teamviewer.i686.rpm
$ yum install teamviewer.i686.rpm
$ teamviewer --passwd
It is also necessary to accept TeamViewer's license agreement. This can be done using the "Emergency Mode", or by adding the following lines to the end of the /opt/teamviewer/config/global.conf file:

$ echo " EulaAccepted = 1" >> /opt/teamviewer/config/global.conf
$ echo " EulaAcceptedRevision = 6" >> /opt/teamviewer/config/global.conf
$ teamviewer --daemon restart
The following command will show the status of the TeamViewer daemon and the nine-digit TeamViewer ID required to connect:

$ teamviewer --info

After launching the client downloaded here, you need to enter the TeamViewer ID in the Partner ID field and click on the "Connect to partner" button. Next, TeamViewer will ask for a password.

Instead of a conclusion

That seems to be all. We hope that this article will help users of linux servers in setting up a comfortable and convenient environment for them.

It can be considered as an act of aggression, but sometimes it is simply necessary.

There are cases when users open remote sessions to a machine that is already in use (this sounds unusual, but it does happen when organizing work with multiple desktops). Most users do not know exactly when they will need this functionality.

Experienced Unix users often talk about SSH and the command line as tools for accessing the graphical desktop, but there are separate applications for this purpose.

Techradar has tested the VNC system and its features in many clients. However, there are other protocols and types of remote desktop access. The growing popularity of such clients lies in the support of several transfer protocols, so no matter what type of server you use and the target machine, you will find a suitable solution.

The researchers adhered to the principle of fair evaluation of different protocols. For example, NoMachine NX supports VNC connections, but it was tested in conjunction with its own NX server, which is quite reasonable.

The TightVNC client has not been tested because it is very similar to the TigerVNC implementation. Both products share the same codebase, but TigerVNC has a few extra features.

How the testing was done

A key element of an effective remote desktop client is a fast response to the operations it performs. Even an ideal interface is of little use if you have to wait two minutes for each keystroke to register.

The test checked the ability to play the game Armagetron remotely. In this undemanding OpenGL game, the screen is updated within a fraction of a second. The results can be somewhat subjective, but this method has proven to be very effective in demonstrating client responsiveness.

Clients were tested with a local computer with a 4-core processor and 16 gigabytes of memory on a gigabit LAN under Ubuntu 14.04.3. The servers used were the X11 VNC server and the official NX server for NX clients. RDP-based functionality is supported by some products but was not tested in practice.

The clients themselves ran on a virtual machine with a 2-core Core i7 processor, 4 GB of RAM and Fedora 23.