Darcy Parker wrote:
> Good day Patrick and Lars,
>
> As I am fairly new to this, I would appreciate a bit more help. I did read
> the article above and a few others but I am not 100% sure that I am doing
> everything correct.

Hi Darcy,

Trust me, you're not the only one who has encountered this.. :) It's quite a
simple solution but can be difficult to grasp at first.

> I have sshd 3.4p1 OpenSSH sshd daemon installed and I have created the keys.
> I can access the fw using putty from both loc and from net
> Something that bothered me was the fact that when I connected from the net
> all I had to do was trust the connection to be accepted then I logged on as
> root provided my password and I was at the lrcfg screen.

There are several ways to do this, since we all have our own solutions
depending on what type of internal network and operating systems we are
using; you might, in the end, prefer to do it in a way other than the way I
am doing it. Personally, I prefer to port-forward ssh to an internal FreeBSD
box, using a normal user account, and su to my Dachstein router. I avoid
root + password directly to the router from the outside because of various
flaws that were detected 1-2 years ago; it's just a precaution that I prefer.

> I looked at the sshd server system wide configuration file but did not know
> what to change to prevent just anyone from logging on.

Since you have an identity (DSA key) that no one else should have access to,
it would be preferable to disable passwords altogether and only use RSA
authentication. Part of my sshd_config file looks like this:

PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no

So when I log on I have to give my pass phrase, and no password will do if
that should fail; not even root login is allowed.

> Also for rules in shorewall I have
>
> ACCEPT loc fw tcp 22
> ACCEPT net fw tcp 22
>
> do I add
>
> ACCEPT net loc tcp 22
>
> I want to use the web based TightVNC client on the net to connect to the
> TightVNC server on loc. Can this be accomplished using port forwarding ?

If you want to port-forward ssh to your internal server it would look like
this, I believe (I still use Seawall on Dachstein):

DNAT net loc:<internal server> tcp ssh

> I would normally type http://xxx.xxx.xxx.xxx:5800 in a web browser to
> connect to the TightVNC server. Would I specify port 22 here instead of
> port 5800?

The ssh connection is transparent, so you don't have to do anything with ssh
ports once you have forwarded the vnc ports with the ssh connection. When
you start the vncserver on the remote machine you will see a message which
would look like this:

$ vncserver
New 'X' desktop is my.network.domain:1

The number 1 is your first screen, which will be listening on ports 5801 and
5901. Do "netstat -an" and you will see this confirmed. The next vncserver
will be my.network.domain:2, listening on ports 5802 and 5902, and so on.
This depends on how your local machine is connecting to the remote machine
acting as the vncserver. You will have to read the tutorial once again to
realize what you are really trying to do; it takes some time getting used
to it. What you are actually doing is using the remote server as a local
screen, using the ssh tunnel to act as a secure route for the vnc
connection. Take a look, once more, at the subtitle "More advanced use" -
http://www.uk.research.att.com/vnc/sshvnc.html - since that example is
closest to your solution.

Good Luck!

--
Patrick Benson
Stockholm, Sweden

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
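An added example, not code from Patrick's mail nor from the LEAF/Dachstein or TightVNC projects, that ties together the two technical points in the thread: the display-number to port arithmetic (display :N listens on 5800+N for the Java/HTTP viewer and 5900+N for the RFB protocol) turned into the ssh -L tunnel that carries a VNC session, and a check that an sshd_config actually has the key-only settings quoted above. The user name `darcy`, the host `fw.example.net` and the two sshd_config samples are constructed placeholders, and the check deliberately treats a missing keyword as a failure because OpenSSH's shipped defaults for PermitRootLogin and PasswordAuthentication are the permissive ones.

```shell
#!/bin/sh
# Added example (not from the original mail). Names, hosts and the
# sample configs below are constructed for illustration.

# VNC display :N -> TCP 5800+N (HTTP/Java viewer) and 5900+N (RFB).
vnc_http_port() { echo $((5800 + $1)); }
vnc_rfb_port()  { echo $((5900 + $1)); }

# Build the ssh command that carries display :N through the tunnel.
# Both local listeners bind 127.0.0.1 so nothing else on the LAN can
# ride the tunnel; -N opens no remote shell, only the forwards.
# Afterwards the browser goes to http://127.0.0.1:58NN and a vncviewer
# to 127.0.0.1:N, never to port 22 or to the router's public address.
vnc_tunnel_cmd() {
    n=$1; user=$2; host=$3
    http=$(vnc_http_port "$n"); rfb=$(vnc_rfb_port "$n")
    echo "ssh -N -L 127.0.0.1:${http}:localhost:${http} -L 127.0.0.1:${rfb}:localhost:${rfb} ${user}@${host}"
}

# Effective value of one sshd_config keyword: sshd uses the FIRST
# uncommented occurrence, matched case-insensitively; prints "" if unset.
# (Match blocks are not interpreted; this is a flat-file check.)
sshd_opt() {
    awk -v k="$2" 'tolower($1)==tolower(k) && !seen {v=$2; seen=1} END{print v}' "$1"
}

# Fail (return 1) unless every directive is explicitly set to the
# key-only value. Unset counts as weak: the defaults for PermitRootLogin
# and PasswordAuthentication are "yes".
check_sshd_config() {
    f=$1; rc=0
    for pair in "PermitRootLogin=no" "PasswordAuthentication=no" \
                "PubkeyAuthentication=yes" "StrictModes=yes"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_opt "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "WEAK: $key is '${got:-unset}', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on two constructed configs: the permissive defaults, then the
# hardened fragment from the mail.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample 1: shipped defaults, password logins still work
PermitRootLogin yes
PasswordAuthentication yes
EOF
check_sshd_config "$tmp" || echo "sample 1 still lets root in with a password"
cat > "$tmp" <<'EOF'
# constructed sample 2: key-only
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
check_sshd_config "$tmp" && echo "sample 2 is key-only"
rm -f "$tmp"

# Tunnel for display :1 on the internal box reached via the DNAT rule.
vnc_tunnel_cmd 1 darcy fw.example.net
```

Run it as a plain sh script; the printed ssh line is what the VNC client side types before opening the viewer, and `check_sshd_config /etc/ssh/sshd_config` on the router itself reports which of the four settings still need changing. The first-occurrence rule in `sshd_opt` matters in practice: a hardening line appended at the end of a file that already says `PasswordAuthentication yes` higher up changes nothing.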