Active Topics
-
Error after installing Leste on sdcard (18)
to Maemo 7 / Leste by Maemish - 12 hrs, 22 mins ago -
Maemo 20th Anniversary (4)
to Brainstorm by teroyk - 2 days, 7 hrs ago -
Nokia Booklet 3G (RX-75) Drivers (64)
to Alternatives by teroyk - 2 days, 7 hrs ago -
Porting apps to Leste (46)
to Maemo 7 / Leste by teroyk - 4 days, 11 hrs ago - more...
| The Following User Says Thank You to jldiaz For This Useful Post: | ||
 |
|
2008-04-07
, 18:47
|
|
Posts: 4,930 |
Thanked: 2,272 times |
Joined on Oct 2007
|
#22
|
Originally Posted by cmdowns
Paths starting with / are absolute paths; to give a relative path, use a path without the leading slash:
Okay, since everyone has been helpful I feel like I must come clean about one really dumb mistake I made. The reason I couldn't find x11vnc in xterm was simply because I didn't really understand how to change directories. I was working under the (wrong) assumption that if I was in root (/) I could cd to /usr, and then once in /usr I could simply enter "cd /bin", expecting that to drop me into cd/usr/bin.
Now I realize that was totally wrong. Of course telling xterm to cd /bin, it's going to change the directory to /bin. I'm sure there must be a way to cd [current dir]/[desired dir] without having to enter the full path. I just don't know what it is yet.
Code:
cd /usr cd bin
Code:
cd .
Code:
cd ../share
So when I was setting up the SSH before, I was doing so as so:
ssh -L5901:localhost:5900 [name]@[XP.server's.actual.IP]
Warm colors designate data interpreted by ssh; cool colors designate data interpreted by sshd. (The ssh server, running on the machine you want to control.)
Code:
ssh -Llocalport:forwardhost:forwardport user@remotehost
ssh makes a connection to remotehost[/code], telling it your username is user (this controls what password to accept, and what UID processes you run will be, if you're doing that...). It sets itself up listening on localport, and forwards any connections made there through a tunnel to the remote machine, which will then try to make a connection to forwardport on forwardhost.
Now you can skip this paragraph, if you don't care; it's just an example of how you might use some of these options; stuff relevant to the specific case under consideration is later: Suppose you have a LAN behind a NAT, with one computer exposed as a DMZ; further suppose that you (from out in the internet somewhere) want to access one of the other machines on the LAN. You can't get to it directly, but you can ssh into the DMZ. You can do
Code:
ssh -Llocalport:insecure.host.lan:forwardport DMZlogin@NAT's.WAN.side.IP
So to forward traffic from port 5901 (local) to 5900 on your XP box, you want:
Code:
ssh -L5901:127.0.0.1:5900 XP_username@NAT's.WAN.side.IP
It appears that my VNC session (nokia client to XP server) was not going through the SSH. Is this correct? In order to send the VNC through the SSH, I need to specify the an IP of 127.0.0.1:1?
This is much, much simpler, because VNC only deals with two machines; the client and the server. You use
Code:
servername:display or port
servername is the server to connect to; since we want to connect to the near end of the tunnel, that'll be 127.0.0.1
Now the standard way of specifying a VNC display is with the display number; these start at 0. The actual port numbers used are allocated starting from 5900 for display 0, and go up as expected. But, if you put in a number like 5901 for the display, it's "helpful" enough to know that you couldn't mean display 5901, connecting on port 5900+5901 = port 11801, but must have meant port 5901. I don't remember at what cutoff it considers a number to be large; but that doesn't really matter. Since we just opened a tunnel at port 5901, subtract 5900, and it's display 1. So we need to tell VNC Viewer to connect to 127.0.0.1:1; 127.0.0.1:5901 would work, too, but is bad form.
As in my previous post, you can wrap it all up with this shell script:
Code:
@!/bin/sh ssh -f -L5901:127.0.0.1:5900 XP_username@NAT's.WAN.side.IP sleep 10 exec vncviewer 127.0.0.1:5901
 |
|
2008-04-07
, 18:56
|
|
Posts: 100 |
Thanked: 13 times |
Joined on Mar 2008
|
#23
|
I can't believe I'm still unclear about this.
From this explanation:
ssh -L5901:localhost:5900 [name]@127.0.0.1:1
What I'm confused about (well one of the things I'm confused about) is, how does my nokia find the XP box without specifying the XP box's IP?
From this explanation:
Originally Posted by jldiaz
It sounds like the proper way to enter the command is as so:
When you tell to the nokia VNC client to connect to MACHINE:N, it tries to connect to port 5900+N on the specified machine. So, if you put as host your.windows.box.ip:0, it will try to connect to port 5900 of your.windows.box.ip. This connection is "straight" (it does not use the ssh tunnel at all), and it is unencrypted. Moreover, it will be rejected if in the VNC server side you specified the option -localhost (which only allows connections coming from the own windows box).
When you specify the host 127.0.0.1:1 (or localhost:1 which is the same), the VNC client will try to connect with port 5901 of localhos, i.e. of the nokia.
ssh -L5901:localhost:5900 [name]@127.0.0.1:1
What I'm confused about (well one of the things I'm confused about) is, how does my nokia find the XP box without specifying the XP box's IP?
| The Following User Says Thank You to cmdowns For This Useful Post: | ||
|
|
2008-04-07
, 19:10
|
|
Posts: 100 |
Thanked: 13 times |
Joined on Mar 2008
|
#24
|
Originally Posted by cmdowns
I posted this before I saw Benson's very educational post immediately preceding it. While I am still unclear, I'm going to study that a few more times before I ask any more questions.
I can't believe I'm still unclear about this.
From this explanation:
It sounds like the proper way to enter the command is as so:
ssh -L5901:localhost:5900 [name]@127.0.0.1:1
What I'm confused about (well one of the things I'm confused about) is, how does my nokia find the XP box without specifying the XP box's IP?
Please, talk amongst yourselves. No, really.
 |
|
2008-04-07
, 23:38
|
|
Posts: 48 |
Thanked: 40 times |
Joined on Apr 2008
@ Spain
|
#25
|
Let's try again, this way with a picture (at the end of the post). For the sake of this example, assume that the IP of your XP box is 145.32.79.12, and the IP of your Nokia is 201.24.5.32 (you don't need this information, but anyway).
You run in XP the ssh server (called sshd) and the VNC server. Each of these processes opens a port with a well-known number. For sshd, the port number is 22, for VNC it is 5900 (plus the number of the display, but let us assume that it is zero).
So, your windows machine has two open ports. If you have no firewalls, both ports would be accesible from the outside. From any computer in the world, anyone could connect to your port 22 for a ssh sesion (he would require a ssh client, such as the ssh in the nokia), or to your port 5900 for a VNC session (he would require a VNC client).
You can estabilsh both connections from your nokia. Using ssh, you can issue the command: ssh user@145.32.79.12, and this will make a connection between the ssh process in your nokia, and the port 22 of your XP machine (in which the sshd server is listening). You will be prompted for a password and then you will have access to a command-line shell which is run in your XP machine. You can control your XP machine via this shell. If you prefer to control it via its graphical interface, you can launch your VNC client and specifying the host 145.32.79.12:0 This will connect your VNC client in your nokia with the port 5900 in your XP (in which the VNC server is listening). However, doing so, the data sent through the VNC protocol is unencrypted.
But ssh has another functionality (in addition to allows us to access to a remote shell as described above). It can also create a "secure tunnel", thanks to his ability of forwarding ports. In order to use this functionality, the -L swicth is used. This switch requires three parameters (separated by colons):
That is, if, in machine A the following command is issued:
me@machineA:~$ ssh -L P1:machineC:P2 user@machineB
Then, any traffic coming to port P1 in machineA would be redirected to the sshd process in machineB, which, in turn, will forward it to port P2 of machineC. The traffic between A and B is encrypted, but between B and C is not. In our case, B and C are both the WindowsXP server, and A is the nokia.
Now, once the tunnel is set up, when we launch the VNC client in the nokia, instead of specifying 145.32.79.12:0 has host:display, whe specify localhosts:1, as if a vncserver were running in the nokia in the display 1. Of course, there is not such a server. However, VNC is fooled in thinking this, so it will try to connect to port 5901 of the Nokia. In this port ssh is listening (due to the -L option), and this petition is forwaded to sshd in the XP box, which in turn translates it into a connection to the port 5900 of the XP box. Here is the VNC server, so the VNC client finds indeed an VNC server, only that (without he knowing it), it is not in the nokia, at localhost. The VNC client only talks with the local process ssh, which he takes for a VNC server.
Similarly, from the viewpoint of the VNC server in XP, a connection from a client has been received, but this connection was coming from the own XP machine (sshd process), so VNC is "thinking" that the client is running in localhost (the XP). The VNC server knows nothing about the existence of the Nokia client. The VNC server only "talks" with the local process sshd, which he takes for a VNC client.
This way, the ssh protocol is fooling the two ends of the comunication, pretending that he is the other end. The picture should make this clear. I hope so :-)
You run in XP the ssh server (called sshd) and the VNC server. Each of these processes opens a port with a well-known number. For sshd, the port number is 22, for VNC it is 5900 (plus the number of the display, but let us assume that it is zero).
So, your windows machine has two open ports. If you have no firewalls, both ports would be accesible from the outside. From any computer in the world, anyone could connect to your port 22 for a ssh sesion (he would require a ssh client, such as the ssh in the nokia), or to your port 5900 for a VNC session (he would require a VNC client).
You can estabilsh both connections from your nokia. Using ssh, you can issue the command: ssh user@145.32.79.12, and this will make a connection between the ssh process in your nokia, and the port 22 of your XP machine (in which the sshd server is listening). You will be prompted for a password and then you will have access to a command-line shell which is run in your XP machine. You can control your XP machine via this shell. If you prefer to control it via its graphical interface, you can launch your VNC client and specifying the host 145.32.79.12:0 This will connect your VNC client in your nokia with the port 5900 in your XP (in which the VNC server is listening). However, doing so, the data sent through the VNC protocol is unencrypted.
But ssh has another functionality (in addition to allows us to access to a remote shell as described above). It can also create a "secure tunnel", thanks to his ability of forwarding ports. In order to use this functionality, the -L swicth is used. This switch requires three parameters (separated by colons):
- The number of a local port; the ssh client will listen in this port (in the nokia), and any data received through this port is sent to the other end of the ssh conection (to the sshd process).
- The name (or IP) of a machine (which in our case is the XP machine, but in general it could be a third machine)
- A second port number, (which exists in the machine specified in the previous argument). The sshd process which receives the "tunneled" data from ssh, forwards this data to the machine and port specified here.
That is, if, in machine A the following command is issued:
me@machineA:~$ ssh -L P1:machineC:P2 user@machineB
Then, any traffic coming to port P1 in machineA would be redirected to the sshd process in machineB, which, in turn, will forward it to port P2 of machineC. The traffic between A and B is encrypted, but between B and C is not. In our case, B and C are both the WindowsXP server, and A is the nokia.
Now, once the tunnel is set up, when we launch the VNC client in the nokia, instead of specifying 145.32.79.12:0 has host:display, whe specify localhosts:1, as if a vncserver were running in the nokia in the display 1. Of course, there is not such a server. However, VNC is fooled in thinking this, so it will try to connect to port 5901 of the Nokia. In this port ssh is listening (due to the -L option), and this petition is forwaded to sshd in the XP box, which in turn translates it into a connection to the port 5900 of the XP box. Here is the VNC server, so the VNC client finds indeed an VNC server, only that (without he knowing it), it is not in the nokia, at localhost. The VNC client only talks with the local process ssh, which he takes for a VNC server.
Similarly, from the viewpoint of the VNC server in XP, a connection from a client has been received, but this connection was coming from the own XP machine (sshd process), so VNC is "thinking" that the client is running in localhost (the XP). The VNC server knows nothing about the existence of the Nokia client. The VNC server only "talks" with the local process sshd, which he takes for a VNC client.
This way, the ssh protocol is fooling the two ends of the comunication, pretending that he is the other end. The picture should make this clear. I hope so :-)
__________________
--ル Diaz
--ル Diaz
|
|
2008-04-08
, 14:52
|
|
Posts: 100 |
Thanked: 13 times |
Joined on Mar 2008
|
#26
|
Hello again. I just wanted to write a quick post to say that I am still studying this thread. I appreciate all the helpful contributions and would like to specifically thank Benson and jldiaz for their amazing explanations.
I am learning a great deal here. I feel that the willingness of the folks here in forum (especially the aforementioned users) really demonstrates the true spirit of the open source philosophy and the things that made the internet great for sharing knowledge among users.
I am going to study the recent posts more closely and try to formulate some intelligent question which I will, hopefully, post tonight.
In fact, does anyone think maybe I should compile the info in this thread for a wiki entry?
Last edited by cmdowns; 2008-04-08 at 14:56. Reason: one more thought. . .
I am learning a great deal here. I feel that the willingness of the folks here in forum (especially the aforementioned users) really demonstrates the true spirit of the open source philosophy and the things that made the internet great for sharing knowledge among users.
I am going to study the recent posts more closely and try to formulate some intelligent question which I will, hopefully, post tonight.
In fact, does anyone think maybe I should compile the info in this thread for a wiki entry?
Last edited by cmdowns; 2008-04-08 at 14:56. Reason: one more thought. . .
 |
|
2008-04-08
, 16:59
|
|
Posts: 90 |
Thanked: 5 times |
Joined on Dec 2007
|
#27
|
Yes, wiki entry sounds great! There is a lot of really good info here. Thanks to everyone.
|
|
2008-04-09
, 02:54
|
|
Posts: 100 |
Thanked: 13 times |
Joined on Mar 2008
|
#28
|
Thanks again to everyone for contributing to this thread. I'm learning a lot.
Okay, what jldiaz wrote really has started to make all this info come together for me. It particularly clarifies what Benson meant when he said
The command
ssh -L5901:localhost:5900 user@my.XP.box's.IP
instructs the ssh client on my nokia to contact the sshd server on the XP box through port 22, they shake hands and use their mutual keys to identify each other and establish a secure tunnel over port 22.
The -L is the switch function that creates the secure tunnel through the process of port forwarding.
The 5901 (immediately following the -L) refers to the port on my nokia which is listening to the nokia's VNC client and sending what it gets through the nokia's port 22 to the XP box's port 22 where the sshd server's picks it up and then sends it through the XP box's port 5900 to the VNC server.
localhost (immediately following 5901: ) refers to the sshd server on the XP box that is listening through the XP box's port 22.
5900 refers to the port on my XP box where it receives info from the sshd server (the info it gets from the ssh client through port 22) and transmits that info to the VNC server on the XP machine.
user refers to the account that one wishes to access on the machine at my.XP.box's.IP.
Finally, I think I understand this.
But for some reason I can't make it work.
I can set up the ssh session. xterm takes the command, and then prompts me with the CLI prompt appropriate for the Cygwin terminal. It really seems like the session is set up appropriately.
But VNC won't do anything with 127.0.0.1:1
I can connect to the XP box's VNC server directly at my.XP.box's.IP.address But that's not what we're shooting for.
If my ssh client is listening to the VNC client on 5901, then it should be able to send the VNC info through port 22 to the sshd server which can send it through port 5900 to the VNC server.
Could this be a problem with my router? I've tried setting up port forwarding, but I can't make anything work. But that doesn't seem right. If I can connect the ssh between the nokia and the XP box on port 22, and I can connect the VNC between the nokia and the XP box on port 5901, then how could the router interfere with the nokia's port 5900 ability to talk to the nokia's port 22 to talk to the xp box's port 22 which finally sends it to the XP box's 5900.
Or could it be the router?
And if I can connect to the VNC server, directly, and insecurely, does that mean that any damn computer on the internet with a VNC client can connect to my XP box directly and insecurely? Or does it just work for me because I my nokia and XP box happen to be on the same wlan.
So I guess this thread can keep going if everyone's still game. I certainly won't be able to post that wiki until I work through this problem and make this work properly.
Okay, what jldiaz wrote really has started to make all this info come together for me. It particularly clarifies what Benson meant when he said
Originally Posted by Benson
If I'm getting this right (and there's probably at least 50 50 odds), then jldiaz's diagram clearly illustrates the four machines.
That's why this is so complicated; each port forwarding involves 4 machines.
The command
ssh -L5901:localhost:5900 user@my.XP.box's.IP
instructs the ssh client on my nokia to contact the sshd server on the XP box through port 22, they shake hands and use their mutual keys to identify each other and establish a secure tunnel over port 22.
The -L is the switch function that creates the secure tunnel through the process of port forwarding.
The 5901 (immediately following the -L) refers to the port on my nokia which is listening to the nokia's VNC client and sending what it gets through the nokia's port 22 to the XP box's port 22 where the sshd server's picks it up and then sends it through the XP box's port 5900 to the VNC server.
localhost (immediately following 5901: ) refers to the sshd server on the XP box that is listening through the XP box's port 22.
5900 refers to the port on my XP box where it receives info from the sshd server (the info it gets from the ssh client through port 22) and transmits that info to the VNC server on the XP machine.
user refers to the account that one wishes to access on the machine at my.XP.box's.IP.
Finally, I think I understand this.
But for some reason I can't make it work.
I can set up the ssh session. xterm takes the command, and then prompts me with the CLI prompt appropriate for the Cygwin terminal. It really seems like the session is set up appropriately.
But VNC won't do anything with 127.0.0.1:1
I can connect to the XP box's VNC server directly at my.XP.box's.IP.address But that's not what we're shooting for.
If my ssh client is listening to the VNC client on 5901, then it should be able to send the VNC info through port 22 to the sshd server which can send it through port 5900 to the VNC server.
Could this be a problem with my router? I've tried setting up port forwarding, but I can't make anything work. But that doesn't seem right. If I can connect the ssh between the nokia and the XP box on port 22, and I can connect the VNC between the nokia and the XP box on port 5901, then how could the router interfere with the nokia's port 5900 ability to talk to the nokia's port 22 to talk to the xp box's port 22 which finally sends it to the XP box's 5900.
Or could it be the router?
And if I can connect to the VNC server, directly, and insecurely, does that mean that any damn computer on the internet with a VNC client can connect to my XP box directly and insecurely? Or does it just work for me because I my nokia and XP box happen to be on the same wlan.
So I guess this thread can keep going if everyone's still game. I certainly won't be able to post that wiki until I work through this problem and make this work properly.
|
|
2008-04-09
, 03:26
|
|
Posts: 4,930 |
Thanked: 2,272 times |
Joined on Oct 2007
|
#29
|
Originally Posted by cmdowns
I think you got it.
Thanks again to everyone for contributing to this thread. I'm learning a lot.
Okay, what jldiaz wrote really has started to make all this info come together for me. It particularly clarifies what Benson meant when he said
<stuff that vaguely made sense as I skimmed it quite hastily>
Finally, I think I understand this.
But for some reason I can't make it work.
I can set up the ssh session. xterm takes the command, and then prompts me with the CLI prompt appropriate for the Cygwin terminal. It really seems like the session is set up appropriately.
But VNC won't do anything with 127.0.0.1:1
I can connect to the XP box's VNC server directly at my.XP.box's.IP.address But that's not what we're shooting for.
If my ssh client is listening to the VNC client on 5901, then it should be able to send the VNC info through port 22 to the sshd server which can send it through port 5900 to the VNC server.
Could this be a problem with my router? I've tried setting up port forwarding, but I can't make anything work. But that doesn't seem right. If I can connect the ssh between the nokia and the XP box on port 22, and I can connect the VNC between the nokia and the XP box on port 5901, then how could the router interfere with the nokia's port 5900 ability to talk to the nokia's port 22 to talk to the xp box's port 22 which finally sends it to the XP box's 5900.
And if I can connect to the VNC server, directly, and insecurely, does that mean that any damn computer on the internet with a VNC client can connect to my XP box directly and insecurely? Or does it just work for me because I my nokia and XP box happen to be on the same wlan.
The most likely explanation at the moment seems to be that your XP box's VNC is not set up right.
If that's the case, you're in luck, cause we're both running tightVNC. I should be able to point you exactly to the relevant settings:
Double-click the tightVNC logo in the system tray to bring up the config dialog. On the Administration tab, there's a box with three checkboxes:
- Disable empty passwords
- Allow loopback connections
- Allow only loopback connections
The second one must be checked. It's off by default, to spare you from VNCing into your console from your console (heap bad medicine), and resulting pointer freeze and such. But the way the ssh tunnel ends on the local machine means that the outcoming VNC connection is indeed a loopback connection, and we must allow that.
The third one blocks all normal connection; then all that can get through is screen-grabbing horrors (don't do those) and VNC tunneled connections. It's probably wise to enable this at some point, but not necessary.
Those are the only relevant options I'm aware of.
G'luck in your struggles!
| The Following User Says Thank You to Benson For This Useful Post: | ||
|
|
2008-04-09
, 09:51
|
|
Posts: 48 |
Thanked: 40 times |
Joined on Apr 2008
@ Spain
|
#30
|
Originally Posted by cmdowns
In fact, in my diagram only two machines are depicted, but you are right, each of the four processes depicted could be running in a different machine.
If I'm getting this right (and there's probably at least 50 50 odds), then jldiaz's diagram clearly illustrates the four machines.
For example, you could have two secure LANs, but an insecure WAN connecting the two LANs. You can use ssh/sshd to provide a secure tunnel through the WAN, and thus allowing a secure communication between any machine on the first LAN with any machine on the second LAN.
The following convolved example is not really neccesary, but for the sake of the completness, let me elaborate it.
Llet us assume that you have a secure LAN at your home, with two machines, with IPs: 145.24.12.10 and 145.24.12.11, The first one is a WindowsXP in which you have installed Cygwin/sshd. The second one is an old Windows98, without any ssh software installed, but with a VNC server running on display 0.
At your work, you have a secure LAN, in which it is your desktop PC, running Windows2000, with IP 220.30.140.100. You have a VNC client in this PC, but no ssh software. You would like to connect this VNC client in the Windows2000 machine, with the VNC server of your Windows98 PC, at home. However, the insecure WAN connecting the two LANs is intimidating you...
Fortunately, you have your Nokia n810 with you, in which you have a ssh client installed. You connect your n810 to the LAN of your office (and it gots the IP 220.30.140.101), and then you use the ssh in your nokia to make a tunnel to your Windows98 machine at home. Then, you connect the VNC client of your Windows2000 through this tunnel, and you got the desired and secured connection.
How could this be done? I left it as an exercise to the reader.. :-)
Originally Posted by cmdowns
Yes, you got it. You should be able to solve the above exercise.
Finally, I think I understand this.
Originally Posted by cmdowns
The only possible reason, IMHO, is that your VNC server forbides clients coming from localhost. Check the options of the server. The router cannot interfere, because, as you realized, you got the ssh/sshd connection.
But for some reason I can't make it work.
Originally Posted by cmdowns
Most likely anyone can connect to your XP box directly, unless your router is blocking port 5900. This is why is a good idea to configure your VNC server either for asking a password, or alternatively for accepting only clients coming from localhost (i.e., in our case, coming from the ssh tunnel).
And if I can connect to the VNC server, directly, and insecurely, does that mean that any damn computer on the internet with a VNC client can connect to my XP box directly and insecurely? Or does it just work for me because I my nokia and XP box happen to be on the same wlan.
__________________
--ル Diaz
--ル Diaz
Last edited by jldiaz; 2008-04-09 at 10:00.
| The Following User Says Thank You to jldiaz For This Useful Post: | ||
When you specify the host 127.0.0.1:1 (or localhost:1 which is the same), the VNC client will try to connect with port 5901 of localhos, i.e. of the nokia.
--ル Diaz