Secure, remote administration of a Linux computer from within Windows

This content is 18 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Yesterday I wrote about using SSH to securely connect to a Mac from a Windows PC. At the time, I suggested that the advice should be equally applicable to a Linux system, or even to a Windows Server with an SSH server installed and I’ve since tested it with a Linux machine (running Fedora Core 5).

The Linux process is almost identical to my original post for Mac OS X, except that:

  • The sshd_config file is found in /etc/ssh.
  • SSH is enabled in the firewall using the system-config-securitylevel command.
  • The SSH daemon is restarted using the service sshd restart command.
  • GNOME includes a VNC server called vino, which needs to be enabled (users of other graphical environments will need to choose an alternative VNC server).

(Also… RTFM… I spent a lot of time trying to work out why I couldn’t connect, only to find that I’d neglected to place the public key in ~/.ssh/authorized_keys).

Falko Timme has written an excellent tutorial on key-based SSH logins with PuTTY which outlines all the key steps (in fact, if I knew that existed then I wouldn’t have spent so much time writing up the process here!) but Jeremy Mates’ OpenSSH public key authentication article includes a useful troubleshooting guide for public key authentication problems.

VNC is all very well for forwarding the entire desktop, but X11 forwarding can be used to run individual X applications on the Windows machine. Because Microsoft Windows doesn’t include an X Window server, it is necessary to download an X11 port for Windows – I used XMing. Once XMing (and the XMing fonts) were installed and running, I edited my PuTTY connection to enable X11 forwarding and ensured that the sshd_config file on the Linux box included X11Forwarding yes (that was the default on my Fedora Core 5 installation). I could then launch an X application from within the PuTTY terminal window with xapplicationname & (e.g. xeyes &) – I found this information at the Linux Documentation Project. XEyes is nothing special, so how about running a Linux application on the Windows desktop… try mozilla & or gimp & – it feels “wrong” but it’s also pretty impressive and oh so “right” at the same time!

Using XMing to run X11 applications on a Windows XP machine

Secure, remote administration of a Mac OS X computer from within Windows

In a recent post about multimedia file format conversions, ripping DVDs, playback and more, I linked to a number of Mark Pilgrim’s “How To” articles; however there was one which wasn’t relevant to that particular post – how to use your Mac from anywhere (although it is intended for remote control of a Mac the advice should be equally applicable to a Linux system, or even to a Windows Server with an SSH server installed).

A few months back, I blogged about creating an SSL VPN to access my network but Mark’s video explains how to open a single firewall port and use SSH to provide a secure tunnel through which other protocols (in this case VNC) can be run for remote administration of a single computer. I tried it earlier and it’s very straightforward. Best of all, the software involved is all freely available under open source licensing agreements!

I recommend downloading Mark Pilgrim’s video for a full explanation but the notes below explain what is involved (some of the Unix concepts may be unfamiliar to those more used to a graphical environment and my quick introduction to Linux for Windows administrators might be useful):

  1. Download and install the PuTTY, PuTTYgen, Pageant and Plink SSH utilities on a Windows PC.
  2. Using puttygen, generate a public/private key pair and protect it with a passphrase. Save the private key to a file on the Windows PC and copy the public key to the remote computer (e.g. within a text file transmitted via e-mail or FTP).
  3. On the Mac, open a terminal session (either using the OS X Terminal application or an alternative such as iTerm) and enter the following commands from the home (~) directory:
    • mkdir .ssh (this was already present on my machine as I already had the SSH server running).
    • chmod 700 .ssh (again, I didn’t need to do this).
    • chmod 600 publickeyfilename (the default permission set is 640).
    • mv publickeyfilename .ssh/authorized_keys
    • sudo nano /etc/sshd_config (non-admin users may need to su - to an admin account first as explained in my earlier post about running sudo as a standard user) and make the following edits:
      • Allow SSH tunnelling (also known as TCP forwarding or port forwarding) by changing #AllowTcpForwarding yes to AllowTcpForwarding yes
      • (Optionally) Prevent the use of usernames and passwords for login (the public/private key pair and passphrase will provide the security for the connection) by changing #PasswordAuthentication yes to PasswordAuthentication no
      • (OS X 10.4 only) Disable pluggable authentication modules by changing #UsePAM no to UsePAM no
    • Exit nano and save the changes to /etc/sshd_config (exit to the original shell if su was previously used to escalate privileges).
    • Generate an SSH key fingerprint (to prevent man-in-the-middle attacks) using ssh-keygen -l -f /etc/ssh_host_rsa_key.pub and make a note of the fingerprint.
  4. Open TCP port 22 on any firewalls/routers between the Windows and Macintosh computers and enable port forwarding to the appropriate internal IP address (it may be necessary to apply a static IP address to the Mac but I prefer to use a DHCP reservation).
  5. If the external IP address for the network is not static (mine is) then use a dynamic DNS service to assign a DNS name so that it may be located on the Internet.
  6. Within the OS X System Preferences, Open Sharing and enable Remote Login (restart the service if it is already running in order to pick up the changes made earlier to /etc/sshd_config). Because password authentication has been disabled, remote login (SSH) will only be possible from a machine with the appropriate private key.
  7. Although OS X includes Apple Remote Desktop, which is a VNC server, alternatives such as Vine Server (OSXvnc) offer additional functionality. In particular, VNC is insecure by default; however by selecting to only allow local connections (require SSH) and start the system server (i.e. run as a service, rather than in the context of a particular user), it is possible to run a secure VNC server each time the system is restarted.
  8. At this stage, it should be possible to create an SSH tunnel to the Mac. On the Windows PC, run pageant, a PuTTY helper application (SSH agent) that caches the passphrase for the private key (the passphrase adds a level of security if the PC is compromised but would become a nuisance if it had to be entered repeatedly). Add a key using the private key file generated in step 2 and enter the passphrase that was used when creating the key.
  9. Next, run putty and enter:
    • The hostname/ipaddress in the basic session options.
    • The auto-login username for the Macintosh for the connection data.
    • The privatekeyfilename for SSH authentication.
    • A new forwarded source port of 5900 and destination of localhost:5900 for SSH port forwarding.
  10. Save the session with an appropriate sessionname and open the connection. On the first connection, the host key will be unknown; however the reported key can be compared with the one generated earlier to ensure that the host is the intended target computer. Assuming that all is well and the connection is allowed to continue, then a Welcome to Darwin! greeting should be displayed, along with a shell prompt.
    • If the connection fails and there is a prompt for the private key then Pageant is not correctly configured.
    • If there is a prompt for a password then /etc/sshd_config was not correctly edited.
  11. Unless command line interaction with the Mac is required, the PuTTY window can be minimised. In order to create the SSH tunnel automatically at login, a startup shortcut can be created with the target of "%programfiles%\PuTTY\pageant.exe" privatekeyfilename -c "%programfiles%\PuTTY\plink.exe" sessionname
  12. Finally, a graphical connection may be initiated with a VNC viewer such as UltraVNC. The connection should be made to localhost; however because localhost:5900 has been defined as the forwarded port in the SSH tunnel, the request is securely transferred to the VNC server on the Mac.
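
The two troubleshooting cases in step 10, and the missing authorized_keys file mentioned in the Linux post, can be checked on the server before connecting. This is an added shell example, not code from the original post or from Mark Pilgrim's video; the function names (sshd_value, audit_sshd_config, audit_key_files) and the sample files are constructed for illustration, and the expected modes are the 700/600 values used in step 3.

```shell
#!/bin/sh
# Added example: audit the sshd_config edits and key-file modes described above.

# Print the effective global value of an sshd_config keyword, or "unset".
# sshd keeps the first value it reads, keywords are case-insensitive, and
# everything after the first Match line is conditional, so parsing stops there.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# Return 0 only if the config allows the tunnel and refuses password logins.
audit_sshd_config() {
    cfg=$1; rc=0
    if [ "$(sshd_value PasswordAuthentication "$cfg")" != "no" ]; then
        echo "FAIL PasswordAuthentication is not 'no': password logins are still accepted"
        rc=1
    fi
    if [ "$(sshd_value AllowTcpForwarding "$cfg")" = "no" ]; then
        echo "FAIL AllowTcpForwarding is 'no': the localhost:5900 forward will be refused"
        rc=1
    fi
    if [ "$(sshd_value UsePAM "$cfg")" = "yes" ]; then
        echo "WARN UsePAM is 'yes': check ChallengeResponseAuthentication, PAM may still prompt"
    fi
    if [ "$(sshd_value X11Forwarding "$cfg")" = "yes" ]; then
        echo "NOTE X11Forwarding is 'yes': needed for Xming, otherwise leave it off"
    fi
    return "$rc"
}

# Permission string of a path as ls prints it, e.g. drwx------
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# Return 0 only if <home>/.ssh and authorized_keys exist with modes 700 and 600.
audit_key_files() {
    home=$1; rc=0
    if [ ! -s "$home/.ssh/authorized_keys" ]; then
        echo "FAIL $home/.ssh/authorized_keys is missing or empty: no key can log in"
        return 1
    fi
    if [ "$(mode_of "$home/.ssh")" != "drwx------" ]; then
        echo "FAIL $home/.ssh should be mode 700"
        rc=1
    fi
    if [ "$(mode_of "$home/.ssh/authorized_keys")" != "-rw-------" ]; then
        echo "FAIL $home/.ssh/authorized_keys should be mode 600"
        rc=1
    fi
    return "$rc"
}

# Demo on constructed files (not taken from a real host): an unedited config
# and a public key left at the default 640 mode mentioned in step 3.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
#AllowTcpForwarding yes
#PasswordAuthentication yes
#UsePAM no
X11Forwarding yes
EOF
mkdir "$demo/.ssh"
echo 'ssh-rsa AAAAconstructedplaceholder user@windows-pc' > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"
chmod 640 "$demo/.ssh/authorized_keys"
audit_sshd_config "$demo/sshd_config" || echo "=> sshd_config still needs the edits"
audit_key_files "$demo" || echo "=> key files need fixing"
rm -rf "$demo"
```

On a real host, pass /etc/sshd_config (Mac OS X, as in this post) or /etc/ssh/sshd_config (Fedora) to audit_sshd_config and the login user's home directory to audit_key_files.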

It’s worth noting that when I originally tried to test this configuration from a remote network I was unable to get past my employer’s firewall; however there are plenty of unsecured wireless networks around which I could use to test the connection!

Note that the original information that provided inspiration for writing this post is licensed under a creative commons attribution sharealike 2.5 license and consequently so is the information contained in this post.

It’s time to practice safe computing – whatever the operating system

I recently switched my primary home computer to a Mac but I also use Windows and Linux. I don’t consider myself to be a member of the Mac community, or the Linux community, or the Windows community – because (based on many forum posts and blog comments that I read) all of these “communities” are full of people with bigoted views that generally boil down to “my OS is better than your OS” or “Duh… but why would you want to use that?”.

Based largely on Apple’s advertising though, one of the things that I did assume with Mac OS X was that I’d be secure by default. Nope. It turns out that’s not true as there is an obscure flaw in Mac OS X (surely not?!) whereby a malformed installer package can elevate its privileges in Mac OS X and become root. After running Windows for 16 years I’m used to these sort of flaws but surely His Jobsness’ wonderful creation is above such things!

Frankly I don’t care that Mac OS X is flawed. So is Linux. So is Windows. So is anything with many millions of lines of code – open or closed source – but I thought better of Apple because I believed that they would keep me safe by default. It’s well known that running Windows XP as anything less than a Power User is difficult and that’s one of the many improvements in Windows Vista. All the Linux installers that I’ve used recently suggested that I create a non-root user as well as root but the OS X installer is happy for me to breeze along and create a single administrator account without a word of further advice. I appreciate that an OS X administrator is not equal to root but nevertheless it’s a higher level of access than should be used for daily computing and because I didn’t know any better (I’m just a dumb switcher) I didn’t create a standard user account (until today).

I read a lot of Mac and Linux zealots singing the praises of their operating systems and saying how Windoze is a haven for spyware and viruses. Well, it’s time to wake up and smell the coffee – as Mac OS X gains in popularity (I heard something about the new MacBooks having a 12% share of all new laptop sales recently) then Mac users will have to start thinking about spyware, viruses and the like. Now is the time to practice safe computing – whatever the operating system – with most users running as administrators then that could quickly become a major issue.

Installing OpenOffice.org on Fedora Core 5

Installing OpenOffice.org is a fairly straightforward operation but it may involve some research for Linux newbies (I still count myself to be one) – this is what worked for me on Fedora Core 5 (after downloading the latest version of OpenOffice.org and unpacking the contents of the GZipped archive):

su -
cd RPMs
rpm -ivh *.rpm

cd desktop-integration/
rpm -ivh openoffice.org-redhat-menus-2.0.3-2.noarch.rpm

After logging out and in again (or by starting a new GUI instance from another console session using startx -- :1), the icons should appear on the GNOME Applications menu (in the Office group). Note the use of the Red Hat desktop integration, which, perhaps unsurprisingly, seems to be fine on Fedora too.

Installing the Sun Java runtime environment on Fedora Core 5

It’s no secret that I’m no fan of Java applications, but it’s also a necessary evil that I generally need to have installed on my PC. I had a few problems getting it working on my Linux (Fedora Core 5) PC though – this is what I had to do.

The Unofficial Fedora FAQ got me started; however as I didn’t want the whole Java development kit (JDK) installed – just the Java runtime environment (JRE) I downloaded the RPM installer from the Sun Java download site.

Next, I entered the following commands:

su -
chmod +x jre-1_5_0_08-linux-i586-rpm.bin
./jre-1_5_0_08-linux-i586-rpm.bin
yum --enablerepo=jpackage-generic-nonfree install java-1.5.0-sun-compat
ln -s /usr/java/jre1.5.0_08/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/mozilla/plugins/

I’m not sure why the link is from the mozilla plugins folder, not from /usr/lib/firefox-1.5.0.6/plugins/ (as I would have expected from a LinuxQuestions.org forum post on the subject) but after a browser restart, I was able to successfully test the Java installation, which was correctly identified as Sun Microsystems Inc. Java version 1.5.0_08 on Linux OS version 2.6.17-1.2174_FC5.

Getting Real Player to work on Fedora Core 5

I really dislike RealPlayer. This dislike stems from the Windows version of the application, which seems (to me) to install unwanted components and generally act in an intrusive manner; unfortunately the BBC’s streaming audio service uses RealAudio formats (although some content is available for Windows Media) so if I want to listen to BBC radio over the Internet then I need to install this objectionable piece of software – that’s what I’ve spent the last 2 and a bit hours trying to do on my Linux (Fedora Core 5) system here in my hotel room…

Getting hold of the software is easy enough – just download the RealPlayer for Linux from the Real Networks website (there’s even an RPM package). Alternatively there’s a Mozilla-compatible plug-in for access to RealAudio and RealVideo content from within a browser, although I couldn’t seem to get it to work with my Firefox installation (having said that, I have a feeling that some of the later troubleshooting steps I followed to get the RealPlayer working might have worked for the plug-in too).

After downloading RealPlayer 10 for Linux, I opened a terminal session, and entered the following commands:

su -
rpm -ivh RealPlayer10GOLD.rpm
cd /usr/local/RealPlayer/postinst/
./postinst.sh

I had hoped that this would be all I needed to do, but I still couldn’t access audio from the BBC website. Following advice from a tutorial that includes information on Mozilla plugins I ran yum -y install mozplugger; however this didn’t seem to help – each time I accessed RealAudio content from the web, the Helix Player (upon which RealPlayer for Linux is based) launched and displayed the following message:

Component Missing
The player does not have the capabilities to play back this content.

This content is supported by RealPlayer.

Clicking on the details button highlighted that the player was looking for the protocol_rtsp_rdt component but googling didn’t turn up much on this. I also checked out the BBC’s audio help advice for Linux/Unix users without too much luck. One tip that may have helped (from a Linux Questions forum post) was to create a symbolic link to the RealPlayer plugins for Firefox:

ln -s /usr/local/RealPlayer/mozilla/* /usr/lib/firefox-1.5.0.6/plugins

I finally got a break when I noticed that the Real Player 10 shortcut on the Applications menu didn’t seem to do anything. Looking at the properties for the shortcut (using smeg) highlighted the command as realplay so I issued the same command from a terminal. This gave me a useful message:

/usr/local/RealPlayer/realplay.bin: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory.

Following Stanton Finley’s Fedora Core 5 installation notes, I ran yum -y install compat-libstdc++-33 after which the realplay command launched the RealPlayer Setup Assistant and I successfully played RealAudio and RealVideo test clips directly in the RealPlayer; however accessing RealAudio content from within Firefox still launched the Helix Player, complete with the Component Missing error. Not really knowing how to use MozPlugger (other than to view about:plugins), I checked the version numbers for the two players and found that Helix Player reported its version number as v1.0.6.778 (experimental) whereas RealPlayer was v10.0.8.805 (gold). Rather than upgrading Helix Player, I removed it using yum -e HelixPlayer and found that, although this also removed the RealPlayer 10 application shortcut, I could still call realplay from a shell and RealMedia content from NPR and the BBC ran successfully both within RealPlayer and Firefox.

So, that’s RealPlayer working on Fedora Core 5… not exactly painless, and probably not the best way of doing it (some of these steps may well be unnecessary) – hopefully writing these notes up will save someone else a load of time.

Installing the Macromedia Flash plug-in on a Linux client

If, like me, you’ve been struggling to install the Macromedia Flash plug-in for Firefox on a Linux machine (in my case it was Fedora Core 5), then you may find item 12 on the Macromedia Flash Player 7 for x86 Linux frequently asked questions useful.

For weeks now, every time I’ve accessed a page containing Flash content (like this blog, for example) Firefox has seemingly downloaded and installed the missing plug-ins but the changes haven’t been accepted. After starting a terminal session and elevating my permissions to root (su -), creating a file called /etc/yum.repos.d/macromedia-i386.repo with the following contents:

[macromedia]
name=Macromedia for i386 Linux
baseurl=http://macromedia.rediris.es/rpm/
enabled=1
gpgcheck=1
gpgkey=http://macromedia.mplug.org/FEDORA-GPG-KEY

and executing the command:

yum install flash-plugin

the Flash plug-in was installed, although it also needed a browser reset before the changes took effect.

(Now all I need to do is get the Java runtime environment to load…)

Installing VMware Server on Fedora Core 5

A few months back, I wrote about having converted the Windows XP installation on my company-supplied notebook PC to a virtual machine and was running it quite happily on Windows Vista using VMware Player. Unfortunately, it’s been slowing down (to the point that booting the Vista host, then the XP guest and logging in was taking me 15 minutes every day), so this week I rebuilt the host system. It’s still not the Vista/Linux dual boot setup that I originally intended, but I’m running a bit short on hard disk space and consequently I’m still using a single host operating system (this time it’s Fedora Core 5 as I couldn’t get SUSE 10 to install on my Fujitsu-Siemens Lifebook S7010D) with VMware Server (I could have used the player again but the server product has now been released and it’s free too).

I don’t know what was wrong with the original setup – although it ran well at first, performance in both the host and guest operating systems became noticeably degraded at times, but I was using a combination of a beta host operating system, a 5400RPM laptop hard disk and the VMware Player (which is probably not optimised for Vista either). What I can say is that running XP under VMware Server on Fedora rocks, even though Fedora is not a supported host operating system for VMware Server.

Incidentally, virtual machine (VM) performance can be improved by moving the VM to a separate disk and a colleague, Garry Martin, also suggested that improvements can be made by binding the VMnet adapters to a separate network interface; however in this case I only have one permanent Ethernet connection and do not want to have to connect an external disk each time I load my Windows XP environment.

Despite following the relevant sections in the VMware Server administration guide, because I used a Linux workstation distribution (and an unsupported one too), the installation of VMware Server was not entirely straightforward, but I got it working eventually and this is what I had to do:

  • Download VMware Server (v1.0.1 – build 29996 – server and client components) and register for a serial number.
  • In addition to the standard Fedora components, install the following (using the pirut Package Manager, yum or an equivalent method):
    • gcc (v4.1.1-1.fc5.i386)
    • gcc-c++ (v4.1.1-1.fc5.i386)
    • kernel-devel (v2.6.17-1.2174_FC5.i686)
    • xinetd (v2:2.3.13-6.2.1.i386)
  • Elevate permissions to root (su -).
  • Run the VMware Server installer (rpm -Uvh VMware-server-1.0.1-29996.i386.rpm).
  • Before running the vmware-config.pl script, download the VMware any-any update (I used v1.04 – thanks to Jean-Pierre Wenzel for highlighting the existence of this unofficial patch and the need to install kernel-devel).
  • Extract vmware-any-any-update104.tar.gz and then execute ./runme.pl (this will call vmware-config.pl, allowing for the acceptance of the VMware end user license agreement, configuration of networking, specification of the server console port, definition of the location of virtual machine files and entry of the VMware serial number). If the patch is working correctly then all the prompts should work at their defaults; however it may be necessary to answer the question “What is the location of the directory of C header files that match your running kernel? [/usr/src/linux/include]” with /usr/src/kernels/2.6.17-1.2174_FC5-i686/include (or another version of the kernel-devel tools). Building the vmmon module will fail if gcc and gcc-c++ are not present and the configuration script will have to be re-run if it finds that inetd or xinetd are not installed.
  • Unzip the client installer (VMware-server-linux-client-1.0.1-29996.zip)
  • Install the VMware Server Console (rpm -Uvh VMware-server-console-1.0.1-29996.i386.rpm).
  • Run the vmware-config-server-console.pl script (not vmware-config-console.pl as stated in the documentation).
  • Drop back to a standard user account (exit) and run the vmware shell script (a wrapper for the real binaries) to start up the VMware Server Console.
  • Create and run virtual machines as normal although there were a couple more points worth noting:
    • After copying virtual machine files across from the original Windows Vista installation, I needed to make some edits to the configuration to reflect changes in file names (e.g. disk locations) to Unix formats (\ to / etc.).
    • I created a group called vmware and ran chgrp vmware filename against the VM files so that any user in the vmware group could run the VMs (not just root).

Some configuration items may have been carried out in a slightly different sequence as I tried various advice and encountered a number of issues before I got everything working but the image below shows the end result:

Windows XP in VMware Server running on Fedora Core 5

So far, the only issue I have found is with the guest operating system clock (which is not keeping time). This could be because I originally installed VMware Tools from a Windows version of the Virtual Server beta – I’ll install the correct version next week to see if it makes any difference. In any case, performance is very good – in fact, when running full screen, it would be very difficult to tell that the Windows XP guest is not running on native hardware.

Forum evangelism

This content is 19 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

This example forum post history was stolen from James O’Neill. Given the comments I get whenever I write about Macs (like the prospect of buying a Mac and installing an operating system that’s not OS X on it), it seemed kind of relevant:

A: I’m thinking of getting a new computer.
B: I’ve got a Mac, you should get one too.
C: Macs are pretty, but Windows is more flexible.
D: Windoze is evil man. Look at all the money M$ makes. You should get Linux [gives list of distributions].
B: Linux is hard. My granny can use a Mac, and she’s been dead for 10 years.
D: If she can’t build a kernel she shouldn’t have a computer, tree hugger.
C: Have you looked at Windows XP-Dead Grandparent Edition? It’s got lots of features [lists them. All of them].
E: Yeah, but that’s the problem XP DGE is so bloated. It’s been downhill since Windows 3.0, and we didn’t get viruses in those days.
D: And those features are just a cover for Micro$oft to steal your brain.
C: [Gives feature by feature justification, explains 15 years of changes in viruses. Denies brain stealing rumour. Misses meal].
A: None of you have given me a reason to choose one OS over another.
F-Z: WE DON’T CARE!
K: Why do you need a computer? In my day we did everything in the darkroom – computers are just cheating.
J: Hey, I’m new here and I’m not sure if this is the right place – does anyone have a recipe for pancakes?
L: Grab yourself a 3174 and run it green screen to an OS/390 host. If you’re short of cash then AS/400s are going for about £129 on eBay. Those fancy Mac things are really based on RS6000 technology anyway. Apple steal everything just like M$.
X: Nah – OS/390 hasn’t cut it since they renamed it Z/OS…

Sound familiar to anyone?

Running another operating system on a Mac

Since Apple switched to using Intel processors for certain Macintosh models, I’ve been excited by the possibility of running Windows on a Mac. Some say it’s sacrilege. I say it’s sensible. I love the Apple hardware, but am not a fan of the software, which (in my opinion) is proprietary and expensive. I also know Windows very well (including how to keep it secure). Ideally, I’d have a Mac Mini, dual-booting a major Linux distribution and Windows XP.

There have been various reports of people who have managed to write an EFI boot loader for Windows on a “MacIntel”, as well as reports of those who have turned their systems into an unbootable and unsupported heap of PC components in the process; but Apple provided me with a nice birthday present earlier this month by announcing Boot Camp – software to allow dual-booting of OS X and Windows XP, including driver support.

I’m not quite ready to switch yet – Boot Camp is still a beta and the final release will be included in the next version of OS X (meaning I’ll have to shell out another wad of cash to upgrade to OS X Leopard before I can use a release version of the Boot Camp technology). I’m also wary of first generation MacIntel hardware and would like to see support for Windows XP Media Center Edition, so guess I’ll be watching this space for a little longer.

In the meantime, these links provide really useful information on the progress of Windows on a Mac:

For Mac users who fancy using Linux, there are some PowerPC Linux distros (like Yellow Dog Linux) and if you’re not convinced as to why you might want to use them (after all, isn’t OS X just another Unix operating system anyway?) I recommend Giles Turnbull’s article entitled why install Linux on your Mac? Then there’s the Mactel-Linux project to adapt Linux to MacIntel hardware as well as reports that Red Hat plan to include Intel-based Mac support in Fedora and a variety of sites claiming to have other distros working too. Whilst it sounds a bit of a mess (chain-loading LILO via NTLDR), there’s also a triple-boot solution (OS X/XP/Linux) using Boot Camp (from the OnMac guys).

Finally, for those who want to play this the other way around and run OS X on a PC, there’s the OSx86 project.