PuTTY is a GTK-based GUI client-interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login.
sudo apt-get install putty
A user would run PuTTY to create the SSH tunnel (instead of the ssh command) and then run Krdc. Note that PuTTY security keys are not generally compatible with SSH security keys. I was not able to get PuTTY to work with Krdc.
Connect using SSH Agent
With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See this tutorial.
Setup an SSH server
Install the OpenSSH server:
sudo apt-get install openssh-server
Note: The OpenSSH server can also be installed when doing a server installation as an option from the LiveCD.
Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See these instructions.
Limit authorized SSH users
See How to limit the user accounts that can connect through SSH.
OpenSSH Public Key Authentication
See this OpenSSH Public Key Authentication Tutorial.
In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:
ssh-keygen
A prompt asks for a passphrase. If you wish to use SSH without a password from a secure client (to which no one but you has access), leave the passphrase blank. If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client. By default, a 2048-bit RSA key pair is generated and stored in the /home/user/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. The public key is id_rsa.pub and is meant to be copied to the SSH server. On the SSH server, there is a similar folder /home/user/.ssh (for whichever user is hosting the SSH server). In that folder is a file called authorized_keys2. The contents of id_rsa.pub must be copied into that authorized_keys2 file. (You can use a text editor or can concatenate the files with the cat command).
To keep keys private, they should be accessible only to user, the owner of the file. For example,
chmod 600 /home/user/.ssh/id_rsa
This makes the file only accessible to user. You could also make the entire .ssh folder accessible only to user:
chmod 700 /home/user/.ssh
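The permissions described above can be checked in one pass. The script below is an added example, not part of the original guide: audit_ssh_dir is a hypothetical helper that assumes GNU stat (as on Ubuntu), and the demonstration runs on a constructed directory with dummy key files.

```shell
#!/bin/sh
# Added example (not from the original page). audit_ssh_dir is a hypothetical
# helper; it assumes GNU stat, as shipped on Ubuntu.

# Print one line per permission problem in an SSH directory.
# Exit status: 0 if nothing is too open, 1 otherwise.
audit_ssh_dir() (
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; exit 1; }

    # The directory itself: no access for group or other (chmod 700).
    mode=$(stat -c '%a' "$dir")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "directory mode $mode, expected 700: $dir"
        bad=1
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if head -n 1 "$f" | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            # Private key (PEM or OpenSSH format): owner-only (chmod 600).
            if [ $(( 0$mode & 077 )) -ne 0 ]; then
                echo "private key mode $mode, expected 600: $f"
                bad=1
            fi
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            # Public keys and authorized_keys files may be world-readable,
            # but nobody except the owner may be able to modify them.
            echo "writable by group/other (mode $mode): $f"
            bad=1
        fi
    done
    exit "$bad"
)

# Demonstration on a constructed directory (dummy file contents, no real keys).
demo_audit() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed)' > "$d/.ssh/id_rsa"
    echo 'ssh-rsa AAAA(constructed) user@client' > "$d/.ssh/id_rsa.pub"
    cp "$d/.ssh/id_rsa.pub" "$d/.ssh/authorized_keys2"
    chmod 755 "$d/.ssh"
    chmod 644 "$d/.ssh/id_rsa" "$d/.ssh/id_rsa.pub"
    chmod 666 "$d/.ssh/authorized_keys2"
    echo "before:"; audit_ssh_dir "$d/.ssh" || true
    chmod 700 "$d/.ssh"
    chmod 600 "$d/.ssh/id_rsa"
    chmod 644 "$d/.ssh/authorized_keys2"
    echo "after:"; audit_ssh_dir "$d/.ssh" && echo "clean"
    rm -rf "$d"
}
demo_audit
```

Run it against a real account with audit_ssh_dir /home/user/.ssh; the ssh client refuses private keys that other users can read, and sshd with StrictModes enabled ignores key files that other users can modify.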
Explore Your World
Tuesday, May 26, 2009
SSH
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. An SSH client is installed by default in Ubuntu so you can connect to another computer that is running an SSH server.
From the command-line terminal
Install the OpenSSH client (if not already installed):
sudo apt-get install openssh-client
From the command-line Terminal type:
ssh -C USERNAME@REMOTE_HOST
Note: The -C option indicates compression, which speeds up transmission through the tunnel.
For example:
ssh -C joe@remote.computer.xyz
or:
ssh -C mike@192.168.1.1
or
ssh -C 192.168.1.1 -l mike
Note: -l specifies the login id.
If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:
ssh -C -p 11022 joe.friday@remote.computer.xyz
or
ssh -C remote.computer.xyz -p 11022 -l joe.friday
If you have made a public/private key using ssh-keygen, the private key must be stored in /home/user/.ssh. The key should be accessible only to user:
sudo chmod 600 /home/user/.ssh/identity
or
sudo chmod 600 /home/user/.ssh/id_rsa
To login with the key:
ssh -C remote.computer.xyz -p 11022 -l joe.friday
Note: You can run the command as a menu item, but the command must be "run in terminal."
Port forwarding through SSH
See Using SSH to Port Forward for full details.
In brief, use
ssh -C REMOTE_IP -p SSH_PORT -L LOCAL_PORT:REMOTE_COMPUTER:REMOTE_PORT -l USERNAME
This specifies that any communications from your computer (localhost) going out through LOCAL_PORT will be transmitted securely through the SSH tunnel port (SSH_PORT). To use VNC through the tunnel, you would use an application like Krdc or Vinagre:
krdc vnc:/localhost:LOCAL_PORT
Note that for VNC, the default LOCAL_PORT is 5900. In general, a remote VNC server (such as Krfb) is also listening on the default REMOTE_PORT 5900 as well. The default SSH_PORT is 22, as discussed above. All these can be changed, however, if you desire greater security.
For me, I noticed that I had to set REMOTE_COMPUTER to be the internal LAN IP address of the remote computer (such as 192.168.1.155) instead of the remote router's IP address, which is specified in REMOTE_IP. (If the remote computer has a static IP address (i.e. is directly connected to the Internet without an intervening router), then REMOTE_COMPUTER and REMOTE_IP would be the same.)
Example: For extra security, my SSH server uses SSH_PORT = 11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is REMOTE_IP = 244.205.123.123. The remote computer to which I want to connect has a static IP address within the remote LAN of REMOTE_COMPUTER = 192.168.1.155. I have set up a Krfb VNC server on this computer that is listening on REMOTE_PORT = 6912 (instead of the default 5900). I set up port forwarding on the router of this remote LAN to forward port 6912 to this server computer. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default LOCAL_PORT = 5900. My name is USERNAME = joe.friday. This is my story.
ssh -C 244.205.123.123 -p 11022 -L 5900:192.168.1.155:6912 -l joe.friday
krdc vnc:/localhost:5900
If you have set up a private/public key pair with a passphrase, or if your SSH server requires a passphrase, of course, you will be prompted for the passphrase after issuing the SSH command.
Note: Port forwarding assumes that the ports are also forwarded through the router(s) and through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the SSH port needs to be open and forwarded by a router. All encrypted communications will go through your router using this single port. This is what makes the communications secure.
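With -L as used above, ssh binds the local port (5900 in the example) on the loopback interface by default, so only programs on your own machine can enter the tunnel; the -g option or an explicit bind address makes it reachable from other hosts. The script below is an added example, not part of the original guide: check_tunnel_bind is a hypothetical helper that reads `ss -ltn` output on standard input, and the sample output in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the original page). check_tunnel_bind is a
# hypothetical helper; it reads `ss -ltn` output on stdin.

# For the local port given as $1, print each listening address and whether it
# is loopback. Exit status: 0 = loopback only, 1 = reachable from other hosts,
# 2 = nothing is listening on that port.
check_tunnel_bind() {
    awk -v port="$1" '
    $1 == "LISTEN" {
        n = split($4, part, ":")          # the port is the text after the last colon
        if (part[n] != port) next
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        seen = 1
        if (addr ~ /^127\./ || addr == "[::1]") {
            print addr " loopback only"
        } else {
            print addr " reachable from other hosts"
            exposed = 1
        }
    }
    END { if (!seen) exit 2; exit (exposed ? 1 : 0) }
    '
}

# Demonstration on constructed `ss -ltn` output: a default -L 5900 forward
# (IPv4 and IPv6 loopback) next to an sshd listening on port 22.
demo_tunnel_check() {
    check_tunnel_bind 5900 <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128          127.0.0.1:5900        0.0.0.0:*
LISTEN  0       128              [::1]:5900           [::]:*
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
EOF
}
demo_tunnel_check
```

On a live system, run ss -ltn | check_tunnel_bind 5900 while the tunnel is up.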
Wireless
Network Manager
Network Manager has been redesigned for Intrepid Ibex and now works quite well. You should not require other network managers, and, in fact, more than one network manager can cause conflicts.
It can be accessed from the tray icon.
Manual configuration from the command-line
3 steps for WEP:
sudo iwconfig eth[N] essid [SSID]
sudo iwconfig eth[N] key restricted s:[PASSWORD]
sudo dhclient
WPA is more complicated:
su
mkdir -p /etc/wpa_supplicant
cd /etc/wpa_supplicant
# Single quotes keep the shell from stripping the double quotes wpa_supplicant needs
echo 'network={' > wpa_supplicant.conf
echo 'ssid="SSID"' >> wpa_supplicant.conf
echo 'key_mgmt=WPA-PSK' >> wpa_supplicant.conf
echo 'psk="PRESHAREDKEY"' >> wpa_supplicant.conf
echo '}' >> wpa_supplicant.conf
cd /etc/network
vim interfaces
Now add after "auto eth[N] ..." & "iface eth[N] .." (press 'i'):
wpa-driver wext # or whatever driver your network card needs
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
Save the file ('Esc', ':x', 'Enter') and restart your system.
NFS Samba Sharing
NFS is the default networking protocol for network file sharing in *nix systems (including Ubuntu Linux).
Samba File Sharing
Samba is a networking protocol that allows compatibility with Windows-based networks.
· Install Samba:
sudo apt-get install samba samba-tools system-config-samba
Note: samba-tools and system-config-samba are optional.
· Modify Samba settings.
· Method 1:
System -> Administration -> Advanced -> Samba
(Note: this is available only if you installed system-config-samba.)
It is recommended that your user be a member of the sambashare group, as well.
· Method 2:
Enable File Sharing Server With User Login (Very Reliable Method)
Do the following on the machine that has the files to be shared:
· Add current user to Samba:
sudo smbpasswd -a username
(replacing username with your login username)
· Open the samba config file:
sudo nano /etc/samba/smb.conf
· Add the directories to be added (right at the end) in the following format:
[Pictures]
path = /home/username/FOLDER
(Replace username with your username and FOLDER with the folder you want to share)
Press CTRL+X and then Y to save.
· Restart Samba
sudo /etc/init.d/samba restart
· On Windows access the folder in the following format in Windows Explorer:
\\192.168.x.x
(replace 192.168.x.x with the actual IP address of your server which is serving the folder)
· On Linux type the following in Konqueror or Nautilus:
smb://192.168.x.x
(replace 192.168.x.x with the actual IP address of your server serving the folder)
Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported here. In brief, you need to comment out/delete any instances of these two lines in /etc/smb.conf :
case sensitive
msdfs proxy
Recognizing Win98 machines
Microsoft networking is extremely quirky. To enable recognition of PCs with Windows 98, edit your Samba configuration file:
sudo nano /etc/samba/smb.conf
Then add the following lines to the file:
[global]
# THE LANMAN FIX
client lanman auth = yes
client ntlmv2 auth = no
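The two settings above make Samba's client tools send LANMAN responses and stop using NTLMv2, so they are worth finding again once the Windows 98 machines are gone. The script below is an added example, not part of the original guide or of Samba: audit_smb_auth is a hypothetical helper, it also reports the server-side lanman auth parameter, and the smb.conf in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the original page or from Samba). audit_smb_auth is a
# hypothetical helper name; the sample smb.conf below is constructed.

# Report smb.conf settings that allow LANMAN or disable NTLMv2.
# Prints "line N [section] finding" per hit; exit status 1 if there is any hit.
audit_smb_auth() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*([#;]|$)/ { next }                     # comment or blank line
    /^[ \t]*\[/       { sect = trim($0); next }    # [section] header
    {
        eq = index($0, "=")
        if (eq == 0) next
        # Samba ignores case and all whitespace in parameter names.
        key = tolower(substr($0, 1, eq - 1))
        gsub(/[ \t]/, "", key)
        val = tolower(trim(substr($0, eq + 1)))
        on  = (val == "yes" || val == "true"  || val == "1")
        off = (val == "no"  || val == "false" || val == "0")
        msg = ""
        if (key == "clientlanmanauth" && on)  msg = "client may send LANMAN responses"
        if (key == "lanmanauth" && on)        msg = "server accepts LANMAN logins"
        if (key == "clientntlmv2auth" && off) msg = "client will not use NTLMv2"
        if (msg != "") { print "line " NR " " sect " " msg; hits++ }
    }
    END { exit (hits > 0 ? 1 : 0) }
    ' "$1"
}

# Demonstration on a constructed configuration containing the LANMAN fix.
demo_smb_audit() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
[global]
workgroup = WORKGROUP
# THE LANMAN FIX
client lanman auth = yes
client ntlmv2 auth = no

[Pictures]
path = /home/username/FOLDER
EOF
    audit_smb_auth "$conf" || echo "review the settings listed above"
    rm -f "$conf"
}
demo_smb_audit
```

Run it on the live file with audit_smb_auth /etc/samba/smb.conf.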
Integrating into Mac OS X Network
See this guide for information on integrating Ubuntu into an existing Mac OS X Appletalk network.
Atheros Cards
Atheros Wireless cards should work automatically with the new kernel by installing the proprietary driver. At installation, after the first reboot, you will be prompted whether to use the proprietary drivers.
It should no longer be necessary to install the following package:
sudo apt-get install madwifi-tools
These instructions for the Atheros 802.11 b/g integrated card are here for reference only (or if you wish to install them manually instead):
· Download the latest 'snapshot' driver from Madwifi. When I was doing it, the version was:
madwifi-hal-0.10.5.6-current.tar.gz
· Extract the files
· Make sure your linux headers and build-essential packages are installed:
sudo apt-get install build-essential
sudo apt-get install linux-headers-$(uname -r)
· Unload any drivers already running.
sudo ifconfig ath0 down
sudo ifconfig wifi0 down
· Change to the directory where you extracted the driver.
cd /path/to/extracted/driver
· From that directory, run the installation scripts:
cd scripts
sudo ./madwifi-unload
sudo ./find-madwifi-modules.sh $(uname -r)
cd ..
· Complete the installation by compiling the source and installing it.
sudo make
sudo make install
· Add the installed drivers to your system.
sudo modprobe ath_pci
Following this, Network Manager was able to see the wireless card and I was able to configure everything else (WEP / WPA key, etc.) from there.
Complete instructions are available at MadWifi UserDocs.
Atheros AR242x
Alternate instructions for installing the Atheros AR242x card are here.
Airport Express
Airport Express with Pulse Audio
The Airport Express (AEX) is a network device with an audio output jack that can be connected to speakers or an amplifier. You can stream audio over the network (wired or wirelessly) to (or from) this device.
These capabilities require the newest version 0.9.15 of Pulse Audio and Pulse Audio Volume Control 0.98, as well as pulseaudio-module-raop (for Airport Express). Instead of (or after) installing the default 0.9.14 packages from the Jaunty repositories, obtain them by adding the repositories from this Launchpad site:
deb http://ppa.launchpad.net/themuso/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/themuso/ppa/ubuntu jaunty main
then download the GPG key here
and save it as themuso.gpg.
then install the repository key and update:
sudo apt-key add themuso.gpg
sudo apt-get update
then install:
sudo apt-get install pulseaudio pavucontrol paprefs padevchooser pulseaudio-module-raop
Then configure Pulse Audio:
Menu -> Settings -> PulseAudio Preferences Sound Audio preferences -> Network Access
and check both:
Make discoverable network sound devices available locally
Make discoverable Apple Airtunes devices available locally
Note: Make sure your firewall is not blocking ports 5353, 5000, and 6000.
My AEX is discovered, but I got no sound through it until I selected it as the default sink (output) from the PulseAudio Device Chooser.
K menu -> Multimedia -> PulseAudio Device Chooser -> Manager -> Devices -> Sinks
I then noted the name of my Airport Express device to be raop.Base-Station-e60157.local, so I entered that as the sink:
PulseAudio Device Chooser -> Default sink -> Other -> raop.Base-Station-e60157.local
Now, any devices (or multimedia players) setup to play through PulseAudio will play through the stereo attached to the Airport Express.
Mounting NTFS Partitions (with read/write privileges)
Find out the name of your ntfs partition:
sudo fdisk -l
Method 1: In this example, the NTFS drive is listed by fdisk as /dev/sda2, but yours may differ.
Make a mount point for the drive:
sudo mkdir /mnt/WindowsNTFS
Edit fstab:
sudo nano /etc/fstab
Comment out the automatically added lines by Ubuntu installation:
#/dev/sda2 auto nouser,atime,noauto,rw,nodev,noexec,nosuid 0 0
#/dev/sda2 /mnt auto user,atime,noauto,rw,nodev,noexec,nosuid 0 0
and instead add the line:
/dev/sda2 /mnt/WindowsNTFS ntfs-3g quiet,defaults,rw 0 0
Note: There are many ways to mount the drive, depending on your needs. The fstab file controls this process. See How to edit and understand fstab and Intro to using fstab.
In this example, I indicated that the file system was an ntfs-3g filesystem, so did not use the auto option (which detects the filesystem automatically). I used rw to specify read/write privileges for all users, but umask=0 and umask=000 are accepted by some kernels.
Method 2: Edit fstab:
sudo nano /etc/fstab
When Ubuntu installation finishes, it mounts all ntfs partitions automatically with ntfsprogs, adding a line similar to the following to fstab:
UUID=8466268666267956 /media/sda1 ntfs defaults,gid=46 0 1
Change this line to:
UUID=8466268666267956 /media/sda1 ntfs-3g defaults,nls=utf8,locale=zh_CN.UTF-8,rw,gid=46 0 1
In this example, I have a Chinese-language Windows installation on my first partition, so I set the locale parameter (locale=zh_CN.UTF-8) so that my Chinese documents can display correctly. Setting rw (same as umask=0 or umask=000) lets me read/write the partition without sudo. gid=46 specifies that the drive will belong to the group of hot-pluggable devices (plugdev) and is not necessary unless your ntfs drive is a hot-pluggable one (such as an external USB drive). nls=utf8 is the default and is optional for most ntfs users, but there are other options for Chinese (and other specialized character-set users).
Mounting FAT32 Partitions
Follow the above instructions, but use vfat instead of ntfs-3g.
In other words, if you have made a mount point directory /mnt/WindowsFAT32 and your FAT32 drive is /dev/sda3, then edit the /etc/fstab file to include the line:
/dev/sda3 /mnt/WindowsFAT32 vfat quiet,defaults,rw 0 0