ssh -R 8000:server:25 intermediary also establishes an SSH session to the intermediary computer, but it is on this machine that ssh listens to port 8000 (see Figure 9.3, “Forwarding a remote port with SSH”). Any connection established on this port will cause ssh to open a connection from the local machine on to port 25 of the server, and to bind both connections together.
In both cases, connections are made to port 25 on the server host, which pass through the SSH tunnel established between the local machine and the intermediary machine. In the first case, the entrance to the tunnel is local port 8000, and the data move towards the intermediary machine before being directed to the server on the “public” network. In the second case, the input and output in the tunnel are reversed; the entrance is port 8000 on the intermediary machine, the output is on the local host, and the data are then directed to the server. In practice, the server is usually either the local machine or the intermediary. That way SSH secures the connection from one end to the other.
Figure 9.2. Forwarding a local port with SSH
Figure 9.3. Forwarding a remote port with SSH
9.2.3. Using Remote Graphical Desktops
VNC (Virtual Network Computing) allows remote access to graphical desktops.
This tool is mostly used for technical assistance; the administrator can see the errors that the user is facing, and show them the correct course of action without having to stand by them.
First, the user must authorize sharing their session. The GNOME and KDE graphical desktop environments include, respectively, vino and krfb, which provide a graphical interface that allows sharing an existing session over VNC (found, respectively, in the menus at System → Preferences → Remote Desktop and K → Internet → Desktop Sharing). For other graphical desktop environments, the x11vnc command (from the Debian package of the same name) serves the same purpose; you can make it available to the user with an explicit icon.
When the graphical session is made available by VNC, the administrator must connect to it with a VNC client. GNOME has vinagre and tsclient for that, while KDE includes krdc (in the menu at K → Internet → Remote Desktop Client). There are other VNC clients that use the command line, such as xvnc4viewer in the Debian package of the same name. Once connected, the administrator can see what's going on, work on the machine remotely, and show the user how to proceed.
SECURITY VNC over SSH
If you want to connect by VNC, and you don't want your data sent in clear text on the network, it is possible to encapsulate the data in an SSH tunnel (see Section 9.2.2.3, “Creating Encrypted Tunnels with Port Forwarding”). You simply have to know that VNC uses port 5900 by default for the first screen (called “localhost:0”), 5901 for the second (called “localhost:1”), etc.
The ssh -L localhost:5901:localhost:5900 -N -T machine command creates a tunnel between local port 5901 in the localhost interface and port 5900 of the machine host. The first “localhost” restricts SSH to listening to only that interface on the local machine. The second “localhost” indicates the interface on the remote machine which will receive the network traffic entering in “localhost:5901”. Thus vncviewer localhost:1 will connect the VNC client to the remote screen, even though you indicate the name of the local machine.
When the VNC session is closed, remember to close the tunnel by also quitting the corresponding SSH session.
BACK TO BASICS Display manager
gdm, kdm and xdm are Display Managers. They take control of the graphical interface shortly after boot in order to provide the user a login screen. Once the user has logged in, they execute the programs needed to start a graphical work session.
VNC also works for mobile users, or company executives, who occasionally need to log in from home to access a remote desktop similar to the one they use at work. The configuration of such a service is more complicated: you first install the vnc4server package, change the configuration of the display manager to accept XDMCP Query requests (for gdm, this can be done graphically via the System → Administration → Login Screen menu and then the “Remote” tab; note that this applies only to gdm and not gdm3, which is the version installed by default in Squeeze), and finally, start the VNC server with inetd so that a session is automatically started when a user tries to log in. For example, you may add this line to /etc/inetd.conf:
5950 stream tcp nowait nobody.tty /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=none
Redirecting incoming connections to the display manager solves the problem of authentication, because only users with local accounts will pass the gdm login screen (or equivalent kdm, xdm, etc.). As this operation allows multiple simultaneous logins without any problem (provided the server is powerful enough), it can even be used to provide complete desktops for mobile users (or for less powerful desktop systems, configured as thin clients). Users simply log in to the server's screen with vncviewer server:50, because the port used is 5950.
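As an added example (not the handbook's own code), a small Python audit of /etc/inetd.conf that parses service lines and flags Xvnc entries started with securitytypes=none, which rely on the display manager alone for authentication and carry the session in clear text unless tunneled. The sample configuration is constructed: its first Xvnc line is the one from the text, the second is an assumed contrast line that keeps VNC-level authentication.

```python
VNC_BASE_PORT = 5900  # display :0 listens on 5900, :1 on 5901, ...

# Constructed sample /etc/inetd.conf: the first Xvnc line is the one from the
# text, the second is a made-up contrast that keeps VNC-level authentication.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
5950 stream tcp nowait nobody.tty /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=none
5951 stream tcp nowait nobody.tty /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=vncauth
"""

def parse_inetd(text):
    """One dict per active service line; comments, blanks and short lines skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # inetd itself rejects lines without the six mandatory fields
        service, sock_type, proto, wait, user, program = fields[:6]
        entries.append({"service": service, "socket": sock_type, "protocol": proto,
                        "wait": wait, "user": user, "program": program,
                        "args": fields[6:]})  # args[0] is argv[0] ("Xvnc")
    return entries

def vnc_display(port):
    """Map a VNC port to the display number vncviewer expects: 5950 -> 50."""
    return port - VNC_BASE_PORT

def audit_vnc(entries):
    """Flag Xvnc services whose VNC layer does no authentication of its own.

    With securitytypes=none the only gate is the display manager reached via
    -query, and the session crosses the network unencrypted unless it is
    wrapped in an SSH tunnel; each finding says which port to restrict."""
    findings = []
    for e in entries:
        if not e["program"].endswith("Xvnc"):
            continue
        args = [a.lower() for a in e["args"]]
        if "securitytypes=none" in args and "-query" in args:
            port = int(e["service"]) if e["service"].isdigit() else None
            findings.append({
                "port": port,
                "display": vnc_display(port) if port is not None else None,
                "runs_as": e["user"],
                "issue": "no VNC authentication, cleartext transport",
            })
    return findings
```

Each finding names the port to firewall off or to reach only through an SSH tunnel, and the display number users would pass to vncviewer.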
9.3. Managing Rights
Linux is definitely a multi-user system, so it is necessary to provide a permission system to control the set of authorized operations on files and directories, which includes all the system resources and devices (on a Unix system, any device is represented by a file or directory). This principle is common to all Unix systems, but a reminder is always useful, especially as there are some interesting and relatively unknown advanced uses.
Each file or folder has specific permissions for three categories of users:
its owner (symbolized by u as in “user”);
its owner group (symbolized by g as in “group”), representing all the members of the group;
the others (symbolized by o as in “other”).
Three types of rights can be combined:
reading (symbolized by r as in “read”);
writing (or modifying, symbolized by w as in “write”);
executing (symbolized by x as in “eXecute”).
In the case of a file, these rights are easily understood: read access allows reading the content (including copying), write access allows changing it, and execute access allows you to run it (which will only work if it's a program).
SECURITY setuid and setgid executables
Two particular rights are relevant to executable files: setuid and setgid (symbolized with the letter “s”). Note that we frequently speak of “bit”, since each of these boolean values can be represented by a 0 or a 1. These two rights allow any user to execute the program with the rights of the owner or the group, respectively. This mechanism grants access to features requiring higher level permissions than those you would usually have.
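Added example, not from the handbook: a Python rendering of the u/g/o rights model described above that produces the ls-style string (with the “s” standing in for the owner or group “x” when setuid or setgid is set) and walks a directory tree to inventory the files carrying those bits, the list an administrator reviews to keep privileged programs to a minimum. Only the standard library is used; the capital “S” convention for a special bit without execute permission is ls behaviour, not something the text above describes.

```python
import os
import stat

# (read, write, exec, special) bits for the u, g and o triplets; only the
# owner and group triplets carry a special bit (setuid, setgid)
_TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, 0),
)

def mode_to_symbolic(mode):
    """Render permission bits as ls does, e.g. 0o4755 -> 'rwsr-xr-x'.
    setuid/setgid replace the owner/group 'x' with 's'; upper-case 'S'
    means the bit is set without the execute bit (worth a second look)."""
    out = []
    for r, w, x, special in _TRIPLETS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append("s" if mode & x else "S")
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)

def special_bits(mode):
    """Names of the special bits set in mode, e.g. ['setuid', 'setgid']."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    return names

def find_setid_files(root):
    """Inventory regular files under root that run with their owner's or
    group's rights, as (path, uid, symbolic mode, bits).  Reviewing this
    list is how an administrator keeps the set of privileged programs small."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip, don't abort the scan
            bits = special_bits(st.st_mode)
            if bits and stat.S_ISREG(st.st_mode):
                hits.append((path, st.st_uid, mode_to_symbolic(st.st_mode), bits))
    return hits
```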