[ale] Q: X-Window System login from iMac

joshy joshy at mindspring.com
Fri Feb 16 04:25:44 EST 2001


> > I can post more info on my setup if anyone wants it.
> 
> That would be great!

Sorry this took so long. It's been a busy week at work.

Here's my setup:

I have a computer at work called smithers. It's behind a firewall
and is only accessible through SSH from my home ADSL connection.
At home I have ADSL into a Linksys firewall router. On the other
side of the router is my Linux box, joshy, and my 802.11b wireless ethernet
hub. Connected to that is my iBook, Mr. T.

Here's my dilemma:

I want to work from home. This involves running Netscape, Xemacs, and
some xterms on smithers (at work) from my computer at home. I could do
normal xhosting over an ssh connection but this is problematic for two
reasons. 1) I can xhost to joshy but not Mr. T because there's no good X 
implementation for the Mac, so I can't sit in the living room 
and work. 2) my ADSL connection cuts out every now and then causing 
xemacs and netscape to crash, losing my work unless I save every 5 
minutes. (in which case I might as well use Windows :)

Here's my solution:

Run VNC on smithers. Run the VNC client on Mr. T. When the connection
goes out everything is still running on the server when I reconnect
a few seconds later. So far so good. But I can only get in through SSH
and there is no good SSH for Mac, especially one that supports tunneling.
So I use joshy, the linux box, as an intermediary. VNC works on port 5900
plus the connection number. Meaning the first connection is 5901, the
second is 5902, etc. I run vnc on smithers:5901, portmap 5902 on joshy to 5901 
on smithers, then connect to 5902 on joshy and it goes through. Here's
the breakdown:


1) smithers, work linux box: start vnc on the default port (5901), setting the screen to 
something that will fit on my 800x600 ibook screen.

   vncserver -geometry 795x580;

2) joshy, home linux box: start ssh remapping from incoming VNC port 2 (5902), to
port 1 on smithers (5901)

   ssh -n -f -g -L 5902:smithers:5901 smithers sleep 10000000

-n redirects stdin from devnull. helps when running stuff in the background.

-f makes ssh go into the background

-g  allows remote hosts to connect to forwarded ports. 
 By default only programs on joshy can connect to joshy's forwarded ports.
 With this anyone on the local network can use the outbound connection.

-L 5902:smithers:5901 == -L localport:host:hostport
 This means take localport 5901 and map it to remote host smithers

smithers 
 the second smithers is the name of the machine to connect to. it's
 the same as the host we are mapping in this case, but you could use ssh
 to tunnel to an outside service as well.

sleep 1000000
 ssh works by running a command on the remote computer and doing the port
mapping along side of it. ssh will quit doing the mapping when the command
quits, so either you keep a shell running all the time or do this sleep command
to keep the connection open. I hope they add a 'remap-only' option in the
next version so that we don't need this hack.


3) Start VNC on Mr.T, the ibook. Connect to joshy:2, which is VNC speak for port 5902.

Notes:

I had already set up the public keys so that I can log in without a password.
If you don't have this set up doing the mapping is more problematic since you'll
probably have to keep your shell open while it's running. If anyone has a way
around this I'd love to see it.

In terms of security everything is ssh'ed and behind a firewall except for 
the Airport connection. Someone within 150ft could snoop on my network. I can turn
on WEP encryption but that has recently been proven to have flaws too. Fortunately
my traffic with VNC is a bunch of compressed bitmap differences, not plain text, so
it is much harder to spy on the connection. And once OS X comes out even the
Airport part of my network will be encryptable.

Other advantages of VNC include readonly access, meaning someone can watch your
desktop but not move the mouse or type anything. This is great for doing demos
on a conference call.  There is also a Java applet version. This lets you set up a
webpage for anyone to go to and view your desktop without installing software.


Hope this info is useful to others. It's still kind of a hack and I'd like to see a 
better interface for doing crazy VPN things in Linux, but this shows the power of ssh 
and port remapping.

- joshy


-- 
joshyBlog
http://marinacci.org/~joshy/
catch up your joshy's thoughts, feelings, and links.
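
Added example, not part of the original post: a small sh script that reads an ssh command line like the one in step 2 and reports, for each -L forward, the address it listens on, the VNC display number that port corresponds to, and whether -g opens it beyond loopback. The function names are hypothetical, and it assumes -g and -L appear as separate arguments with hostnames or IPv4 addresses.

```shell
#!/bin/sh
# Added example (constructed): show where each "ssh -L" forward listens.
# Assumes -g and -L are separate arguments and hosts are names or IPv4.

# VNC display N uses TCP port 5900 + N, so port 5902 is display :2.
vnc_display() { echo $(( $1 - 5900 )); }

# Describe one "[bind_address:]port:host:hostport" spec; $2 is 1 if -g was given.
describe_forward() {
    spec=$1
    hport=${spec##*:}; rest=${spec%:*}      # peel fields off from the right
    host=${rest##*:};  rest=${rest%:*}
    lport=${rest##*:}
    case $rest in
        *:*) bind=${rest%:*} ;;             # explicit bind address wins
        *)   if [ "$2" -eq 1 ]; then bind='*'; else bind=localhost; fi ;;
    esac
    case $bind in
        localhost|127.*) scope=loopback ;;
        ''|'*'|0.0.0.0)  bind='*'; scope=all-interfaces ;;
        *)               scope=single-address ;;
    esac
    echo "listen=$bind:$lport vnc=:$(vnc_display "$lport") target=$host:$hport scope=$scope"
}

# Walk an ssh argument list and describe every -L forward in it.
audit_forwards() {
    gateway=0
    for arg in "$@"; do
        case $arg in -g) gateway=1 ;; esac
    done
    while [ $# -gt 0 ]; do
        if [ "$1" = "-L" ] && [ $# -ge 2 ]; then
            describe_forward "$2" "$gateway"
            shift
        fi
        shift
    done
}

# The command from the post: -g makes joshy's port 5902 reachable from the LAN.
audit_forwards -n -f -g -L 5902:smithers:5901 smithers sleep 10000000
# Same forward without -g: only programs on joshy itself can connect.
audit_forwards -n -f -L 5902:smithers:5901 smithers sleep 10000000
```

Giving -L an explicit bind address (the first, optional field) limits the listener to that one address even when -g is set.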