February 22, 2011

A secure way of connecting to a Linux (Ubuntu) box remotely is the use of SSH.

FROM A REMOTE MACHINE: CONNECTING SSH TO AN SSH SERVER

From the command-line terminal

Install the OpenSSH client (if not already installed):

    sudo apt-get install openssh-client

From the command-line terminal type:

    ssh -C username@hostname

Note: The -C option indicates compression, which speeds up transmission through the tunnel. For example:

    ssh -C joe@remote.computer.xyz

or:

    ssh -C mike@192.168.1.1

or:

    ssh -C 192.168.1.1 -l mike

Note: -l specifies the login id.
If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:

    ssh -C -p 11022 joe.friday@remote.computer.xyz

or:

    ssh -C remote.computer.xyz -p 11022 -l joe.friday

If you have made a public/private key using ssh-keygen, the private key must be stored in /home/user/.ssh. The key should be accessible only to user:

    sudo chmod 600 /home/user/.ssh/identity

or:

    sudo chmod 600 /home/user/.ssh/id_rsa

To login with the key:

    ssh -C remote.computer.xyz -p 11022 -l joe.friday

Note: You can run the command as a menu item, but the command must be "run in terminal."
February 22, 2011  Author

SETUP AN SSH SERVER

Install the OpenSSH server:

    sudo apt-get install openssh-server

Note: The OpenSSH server can also be installed when doing a server installation as an option from the LiveCD.

Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See these instructions.

Limit authorized SSH users

See Limit the user accounts that can connect through OpenSSH remotely.

OpenSSH Public Key Authentication

See this OpenSSH Public Key Authentication Tutorial. In brief, it is necessary to generate a public/private key pair. On your client machine, generate the pair:

    ssh-keygen

A prompt asks for a passphrase. If you wish to use OpenSSH without a password from a secure client (to which no one but you has access), leave the passphrase blank. If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client.

By default, a 2048-bit RSA SSH-2 key pair is generated and stored in the /home/user/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. (The public key is id_rsa.pub and is meant to be copied to the OpenSSH server.) The private key must only be accessible (and should be read-only) to user, the owner of the file:

    chmod 600 /home/user/.ssh/id_rsa

You could also make the entire .ssh folder accessible only to user:

    chmod 700 /home/user/.ssh

Copy the public key (/home/user/.ssh/id_rsa.pub) to the server that is hosting the OpenSSH server, into /home/serveruser/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:

    ssh-copy-id serveruser@remoteserver.computer.xyz

The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/user/.ssh/id_rsa.pub key to the server manually.
On the server, make sure the directory /home/serveruser/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as serveruser (the touch command creates an empty file):

    mkdir ~/.ssh
    cd ~/.ssh
    touch authorized_keys

Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder onto authorized_keys. (Make sure the owner of id_rsa.pub, after copying, is serveruser.):

    cd ~/.ssh
    chown serveruser id_rsa.pub
    cat id_rsa.pub >> authorized_keys

Make sure the OpenSSH server knows to look for the key file. On the remote server, edit the OpenSSH configuration file:

    sudo nano /etc/ssh/sshd_config

Uncomment the line (i.e. remove the # at the beginning of the line):

    #AuthorizedKeysFile %h/.ssh/authorized_keys

Remove the ability to login to the OpenSSH server using password authentication:

    sudo nano /etc/ssh/sshd_config

Change the line

    #PasswordAuthentication yes

to

    PasswordAuthentication no

Restart the OpenSSH server:

    sudo /etc/init.d/ssh restart

Now you can connect securely with an SSH tunnel without requiring a password, logging in as serveruser:

    ssh -l serveruser -L 5900:127.0.0.1:5900 remoteserver.computer.xyz -p 22

Connect with SSH and start an application with a single command

If you have created an OpenSSH key pair (without a password), you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:

    ssh -f -l serveruser -L 5900:127.0.0.1:5900 remoteserver.computer.xyz -p 22 sleep 5; krdc vnc://127.0.0.1::5900

Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.

Note: This command is a command-line mini-script. The SSH -f option tells the SSH client to fork into the background after starting. (This option is not available in the PuTTY client.) This allows the command line to continue to proceed to the next command(s) listed on the command-line mini-script.
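As an added example (not code from the original post), the POSIX shell script below performs the server-side authorized_keys step above in a way that can be re-run safely, and then checks the two sshd_config settings the post edits. It works entirely on constructed files in a temporary directory, so it never touches the real ~/.ssh or /etc/ssh; the public key it installs is a made-up placeholder, and the file names (sshd_config.good, sshd_config.bad, DEMO_DIR) are this example's own. The second config deliberately shows a mistake worth checking for: sshd uses the first uncommented occurrence of a keyword, so a "PasswordAuthentication no" appended below an existing "PasswordAuthentication yes" changes nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates the server-side
# authorized_keys step and an sshd_config check against constructed files
# in a temporary directory; nothing here touches ~/.ssh or /etc/ssh.

# install_pubkey PUBKEY_FILE SSH_DIR
# Append the key to SSH_DIR/authorized_keys only if it is not already there
# (so re-running never duplicates an entry), and tighten permissions the
# way sshd expects: 700 on the directory, 600 on the file.
install_pubkey() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    # -F fixed string, -x whole line, -q quiet: exact match of the key line
    if grep -F -x -q -f "$pubkey_file" "$auth"; then
        return 0
    fi
    cat "$pubkey_file" >> "$auth"
}

# count_keys AUTHORIZED_KEYS: number of key lines (each starts with "ssh-")
count_keys() {
    grep -c '^ssh-' "$1"
}

# sshd_option CONFIG KEYWORD
# Print the value sshd would use. sshd takes the FIRST uncommented
# occurrence of a keyword (later lines are ignored), and keywords are
# case-insensitive, so mimic both rules. (Match blocks are not handled.)
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# password_auth_disabled CONFIG: true only if PasswordAuthentication is
# effectively "no"; an absent keyword means the default, which is "yes".
password_auth_disabled() {
    v=$(sshd_option "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# --- constructed demo data ---------------------------------------------
DEMO_DIR=$(mktemp -d)

# Placeholder public key (not a real key) standing in for id_rsa.pub
cat > "$DEMO_DIR/id_rsa.pub" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDERKEYNOTREAL demo@client
EOF

# A config edited the way the post describes
cat > "$DEMO_DIR/sshd_config.good" <<'EOF'
Port 22
AuthorizedKeysFile %h/.ssh/authorized_keys
#PasswordAuthentication yes
PasswordAuthentication no
EOF

# A common mistake: "no" appended below an existing "yes", which sshd ignores
cat > "$DEMO_DIR/sshd_config.bad" <<'EOF'
PasswordAuthentication yes
PasswordAuthentication no
EOF

# Installing the same key twice leaves exactly one entry
install_pubkey "$DEMO_DIR/id_rsa.pub" "$DEMO_DIR/.ssh"
install_pubkey "$DEMO_DIR/id_rsa.pub" "$DEMO_DIR/.ssh"
echo "authorized_keys entries: $(count_keys "$DEMO_DIR/.ssh/authorized_keys")"

for cfg in good bad; do
    if password_auth_disabled "$DEMO_DIR/sshd_config.$cfg"; then
        echo "sshd_config.$cfg: password authentication disabled"
    else
        echo "sshd_config.$cfg: password authentication still ENABLED"
    fi
done
```

To use the helpers for real, point install_pubkey at the copied id_rsa.pub and the target user's ~/.ssh, and run sshd_option against /etc/ssh/sshd_config before restarting the daemon; the first-occurrence rule is why editing the existing line in place, as the post does, is safer than appending a new one at the end of the file.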
The 5 second wait ("sleep") timeout allows time for the SSH tunnel to be created before proceeding to the next command. (This can be lengthened if necessary.) After the wait period, the program (Krdc VNC in this example) is started. Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.

Automate SSH connections that require a password

This method is strongly advised against. Transmitting an unencrypted password through the Internet (in order to establish an SSH connection) invites password sniffing. Use the OpenSSH key pair methods described above, instead. This method is listed here for reference.

Terminal interactions (such as the SSH password challenge) can be automated using the expect utility. Install:

    sudo apt-get install expect

If, for example, your SSH client ID is clientuserID, your password is not#1sostrong, and the remote SSH server is remoteserver.computer.xyz (using the default SSH port of 22), then use this command to start the SSH tunnel:

    expect -c 'spawn ssh -l clientuserID -L 5900:127.0.0.1:5901 remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'

There are other parameters in this example. 5900 and 5901 are the ports to be used on either side of the tunnel (port 5900 is used for VNC, for example). See Port forwarding through SSH for more details. You can use the entire command as a menu item (must be "Run in terminal" in the Advanced menu options).