Re: How can you get remote access to laptops behind a NAT/firewall?

2023-12-21 Thread Chris Adams
Once upon a time, Thomas Cameron  said:
> I suppose I could set up the laptops so that they log into the VPN
> at boot, that would do the same thing and the staff on the Linux
> laptops wouldn't have to do anything manual. But I don't want to
> chew up that VPN bandwidth if I don't have to.

If you do it as an independent network, separate IP block and no default
route, there's almost no bandwidth being chewed when not in use (just
keep-alives).  That's probably the route I'd go - a system connection so
it's always available (doesn't require user interaction, can work when
user locks themselves out even :) ).
-- 
Chris Adams 
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: How can you get remote access to laptops behind a NAT/firewall?

2023-12-21 Thread Thomas Cameron via users

On 12/21/23 14:39, Chris Adams wrote:
> Once upon a time, Thomas Cameron  said:
>> So my question is, is there any sort of software which is similar to
>> Quick Assist we can install on our Linux laptops so that the Linux
>> team sysadmins can get access to laptops? I've seen folks on this
>> list talk about TeamViewer and AnyDesk, but both of those seem to be
>> paid solutions. Is there any sort of F/OSS solution?
>
> In essence, these solutions are functionally like using a VPN.  The
> computer keeps an open connection to a server whenever it can, and that
> connection can then be used to allow the server to access the computer.
> So you could set up a separate "management" VPN system, like OpenVPN,
> that then isolates each client connection (so one user can't access
> another user's computer directly across it).  Don't send a default
> route, just use an independent RFC1918 (or IPv6 ULA) block from any
> other corporate networks.


Yeah, I was looking at things like Nebula for a sort of background VPN 
for systems management, but that looks like overkill.


I may wind up just having a tiny OpenVPN instance in the cloud that 
users can connect to so admins can ssh in or run playbooks over the VPN. 
I was hoping for something less manual, though. With the Windows 
laptops, as soon as folks authenticate to Azure AD, the helpdesk guys 
can just fire up a remote desktop. I'd love something that easy.


I suppose I could set up the laptops so that they log into the VPN at 
boot, that would do the same thing and the staff on the Linux laptops 
wouldn't have to do anything manual. But I don't want to chew up that 
VPN bandwidth if I don't have to.


Thomas


Re: How can you get remote access to laptops behind a NAT/firewall?

2023-12-21 Thread Chris Adams
Once upon a time, Thomas Cameron  said:
> So my question is, is there any sort of software which is similar to
> Quick Assist we can install on our Linux laptops so that the Linux
> team sysadmins can get access to laptops? I've seen folks on this
> list talk about TeamViewer and AnyDesk, but both of those seem to be
> paid solutions. Is there any sort of F/OSS solution?

In essence, these solutions are functionally like using a VPN.  The
computer keeps an open connection to a server whenever it can, and that
connection can then be used to allow the server to access the computer.
So you could set up a separate "management" VPN system, like OpenVPN,
that then isolates each client connection (so one user can't access
another user's computer directly across it).  Don't send a default
route, just use an independent RFC1918 (or IPv6 ULA) block from any
other corporate networks.

-- 
Chris Adams 
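
The three properties named in the message above (no client-to-client traffic, no pushed default route, an address block that is private and separate from the corporate networks) can be checked mechanically. The following is an added example, not part of the original post: it audits an OpenVPN server config for them. The sample configs, the 10.213.7.0/24 pool and the `CORPORATE_NETS` list are constructed assumptions.

```python
import ipaddress
import shlex

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV6_ULA = ipaddress.ip_network("fc00::/7")

# Constructed sample configs; the addresses are illustrative assumptions.
ISOLATED_CONF = """\
# management-only VPN: no client-to-client, no pushed default route
port 1194
proto udp
dev tun
topology subnet
server 10.213.7.0 255.255.255.0
keepalive 10 60
"""

LEAKY_CONF = """\
dev tun
server 10.20.0.0 255.255.0.0
client-to-client
push "redirect-gateway def1"
"""

CORPORATE_NETS = ["10.20.0.0/16", "192.168.50.0/24"]  # hypothetical


def directives(conf_text):
    """Yield each directive as a token list, skipping '#' and ';' comments."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            yield tokens


def vpn_networks(conf_text):
    """Return the address pools declared with 'server' / 'server-ipv6'."""
    nets = []
    for tok in directives(conf_text):
        if tok[0] == "server" and len(tok) >= 3:
            nets.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "server-ipv6" and len(tok) >= 2:
            nets.append(ipaddress.ip_network(tok[1], strict=False))
    return nets


def audit(conf_text, corporate_nets):
    """Return findings that break the isolation properties from the thread."""
    findings = []
    for tok in directives(conf_text):
        if tok[0] == "client-to-client":
            # OpenVPN would relay traffic between clients itself.
            findings.append("client-to-client")
        elif tok[0] == "push" and len(tok) > 1:
            pushed = tok[1].split()
            if (pushed[:1] == ["redirect-gateway"]
                    or pushed[:3] == ["route", "0.0.0.0", "0.0.0.0"]):
                # All client traffic would be sent through the VPN.
                findings.append("default-route-pushed")

    corp = [ipaddress.ip_network(n) for n in corporate_nets]
    nets = vpn_networks(conf_text)
    if not nets:
        findings.append("no-server-network")
    for net in nets:
        allowed = RFC1918 if net.version == 4 else [IPV6_ULA]
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"not-private:{net}")
        for c in corp:
            if c.version == net.version and net.overlaps(c):
                findings.append(f"overlaps-corporate:{net}")
    return findings


if __name__ == "__main__":
    for name, conf in (("isolated", ISOLATED_CONF), ("leaky", LEAKY_CONF)):
        print(name, audit(conf, CORPORATE_NETS) or "ok")
```

Leaving out `client-to-client` only stops OpenVPN from relaying between clients itself; forwarding rules on the server host still have to drop client-to-client traffic that arrives on the tun device.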


How can you get remote access to laptops behind a NAT/firewall?

2023-12-21 Thread Thomas Cameron via users
In my company, we're rolling out Linux laptops to my team. We're 100% 
remote workers, no one even lives in the same state as the headquarters.


If my teammates are logged into the VPN, it's pretty easy to administer 
a team member's laptop - I just ask the user for the IP address and ssh 
in as the service account (with keys, not passwords), or run an Ansible 
playbook against the machine.


For the Windows users (not on my team), our helpdesk uses Quick Assist, 
and IT can remote desktop into anyone who's logged in to the Azure 
Active Directory domain. Even if the person is behind a cable modem 
doing NAT.


So my question is, is there any sort of software which is similar to 
Quick Assist we can install on our Linux laptops so that the Linux team 
sysadmins can get access to laptops? I've seen folks on this list talk 
about TeamViewer and AnyDesk, but both of those seem to be paid 
solutions. Is there any sort of F/OSS solution? I am totally OK with 
hosting a cloud instance as an authentication server or something like 
that. I also heard something about Chrome Remote Desktop. Apparently 
Google does session brokering, so that may be interesting, although 
we're not a Google shop, we're a Microsoft shop and I'm bringing Linux 
in. I'd much prefer a F/OSS solution, if anyone has any advice.


Thanks for any advice!
Thomas


Re: remote access via VNC

2012-06-01 Thread Alan Cox
On Thu, 31 May 2012 22:31:11 +0700
Khemara Lyn lin...@wicam.com.kh wrote:

> Thanks,
> It is far better than i thought. i would love to try the ssh tunnel and
> access by VNC to the display 0 also. Please forgive me for the poor
> suggestion. I thought i could help; in fact, i learn new thing from that :).

x11vnc may be a better fit for some of these uses. It can be set up to do
things like 'connect to the existing session if present or start a new
one if you want', and to do password authentication etc nicely. It also
supports various tunnels and little details like a command to run when
your vnc session drops (eg to screenlock)

Finally if you run either with the noVNC websocket proxy you can set it
all up to work in a modern web browser over SSL with no plugins and other
bits needed.

Alan
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: remote access via VNC

2012-05-31 Thread Andrew Haley
On 05/29/2012 09:22 PM, Tommy Pham wrote:
> On Tue, May 29, 2012 at 1:01 PM, Andrew Haley a...@redhat.com wrote:
>> On 05/29/2012 06:26 PM, Tommy Pham wrote:
>>> Is it possible to have remote access via VNC without having the user
>>> to be logged in (automatically, especially on a system reboot)?
>>
>> I don't get the problem.  You don't have to be logged in on
>> the console, or anything like that.  You just have to be able
>> to start a vnc server, and you can do that via ssh.  What else
>> do you want to do?
>
> I have no problems doing the majority of the work needed via ssh and
> command line.  However, there are a few things that require the GUI,
> specifically Oracle, for me to do a few things.  Setting the autologin
> would allow me to VNC into the system, especially when the system is
> rebooted.

But I can do it already.

I log in to the system via ssh and start the vnc server.

Then I create an ssh tunnel, and connect to the VNC server I just
started.  VNC goes through SSH.

> However, that poses a security risk for me.  Basically, I'm
> looking for something similar to MS Windows' RDP.  Whether the user is
> logged or not, anyone with the right access can RDP in.  IIRC, the old
> original VNC server used to do that on Windows.  I haven't used VNC
> server in about 10~ years.

What's the problem with what I just described?

Andrew.



Re: remote access via VNC

2012-05-31 Thread Khemara Lyn

Hello,

Have you tried with vino? I prefer it to a separate VNC server with 
a separate display.


With Vino, I can log in locally to my desktop at office; i would lock 
the screen when i leave my office and when i arrive home i would connect 
to the same desktop/display i left off at office with a normal VNC 
client (RealVNC for windows).


Just do:

yum install vino
vino-passwd
vino-preferences


HTH
Regards,
Khem


On 05/31/2012 03:17 PM, Andrew Haley wrote:

> On 05/29/2012 09:22 PM, Tommy Pham wrote:
>> On Tue, May 29, 2012 at 1:01 PM, Andrew Haley a...@redhat.com wrote:
>>> On 05/29/2012 06:26 PM, Tommy Pham wrote:
>>>> Is it possible to have remote access via VNC without having the user
>>>> to be logged in (automatically, especially on a system reboot)?
>>>
>>> I don't get the problem.  You don't have to be logged in on
>>> the console, or anything like that.  You just have to be able
>>> to start a vnc server, and you can do that via ssh.  What else
>>> do you want to do?
>>
>> I have no problems doing the majority of the work needed via ssh and
>> command line.  However, there are a few things that require the GUI,
>> specifically Oracle, for me to do a few things.  Setting the autologin
>> would allow me to VNC into the system, especially when the system is
>> rebooted.
>
> But I can do it already.
>
> I log in to the system via ssh and start the vnc server.
>
> Then I create an ssh tunnel, and connect to the VNC server I just
> started.  VNC goes through SSH.
>
>> However, that poses a security risk for me.  Basically, I'm
>> looking for something similar to MS Windows' RDP.  Whether the user is
>> logged or not, anyone with the right access can RDP in.  IIRC, the old
>> original VNC server used to do that on Windows.  I haven't used VNC
>> server in about 10~ years.
>
> What's the problem with what I just described?
>
> Andrew.





Re: remote access via VNC

2012-05-31 Thread Reindl Harald


On 31.05.2012 11:19, Khemara Lyn wrote:
> Hello,
>
> Have you tried with vino? I prefer it to a separate VNC server with a
> separate display.
>
> With Vino, I can log in locally to my desktop at office; i would lock the
> screen when i leave my office and when i arrive home i would connect to the
> same desktop/display i left off at office with a normal VNC client (RealVNC
> for windows).

you recognized that it was solved yesterday? :-)

vino, vncserver and others can not provide "Whether the user is
logged or not, anyone with the right access can RDP in. IIRC, the old
original VNC server used to do that on Windows."

this can only be done with xvnc sharing display 0
_

example to show the big difference

* i connect via ssh to our admin-server in the LAN
* type "wol workstation" (/etc/ethers is your friend)
* my workstation is powered on and boots to kdm login
* "vnc.sh workstation" creates a ssh-tunnel and connects to display 0

this way i can power off my machine completely and control it
from remote like with physical access



Re: remote access via VNC

2012-05-31 Thread Tommy Pham
On Thu, May 31, 2012 at 1:17 AM, Andrew Haley a...@redhat.com wrote:
> On 05/29/2012 09:22 PM, Tommy Pham wrote:
>> On Tue, May 29, 2012 at 1:01 PM, Andrew Haley a...@redhat.com wrote:
>>> On 05/29/2012 06:26 PM, Tommy Pham wrote:
>>>> Is it possible to have remote access via VNC without having the user
>>>> to be logged in (automatically, especially on a system reboot)?
>>>
>>> I don't get the problem.  You don't have to be logged in on
>>> the console, or anything like that.  You just have to be able
>>> to start a vnc server, and you can do that via ssh.  What else
>>> do you want to do?
>>
>> I have no problems doing the majority of the work needed via ssh and
>> command line.  However, there are a few things that require the GUI,
>> specifically Oracle, for me to do a few things.  Setting the autologin
>> would allow me to VNC into the system, especially when the system is
>> rebooted.
>
> But I can do it already.
>
> I log in to the system via ssh and start the vnc server.
>
> Then I create an ssh tunnel, and connect to the VNC server I just
> started.  VNC goes through SSH.
>
>> However, that poses a security risk for me.  Basically, I'm
>> looking for something similar to MS Windows' RDP.  Whether the user is
>> logged or not, anyone with the right access can RDP in.  IIRC, the old
>> original VNC server used to do that on Windows.  I haven't used VNC
>> server in about 10~ years.
>
> What's the problem with what I just described?
>
> Andrew.


Hi Andrew,

There's no problem really except that it's an additional manual step
I'd like to avoid.

Regards,
Tommy


Re: remote access via VNC

2012-05-31 Thread Andrew Haley
On 05/31/2012 01:36 PM, Tommy Pham wrote:
> There's no problem really except that it's an additional manual step
> I'd like to avoid.

Oh, I *see*.  I thought you couldn't connect.  :-)

Andrew.


Re: remote access via VNC

2012-05-31 Thread Khemara Lyn

Thanks,
It is far better than i thought. i would love to try the ssh tunnel and 
access by VNC to the display 0 also. Please forgive me for the poor 
suggestion. I thought i could help; in fact, i learn new thing from that :).


Regards,
Khem

On 05/31/2012 04:25 PM, Reindl Harald wrote:


> On 31.05.2012 11:19, Khemara Lyn wrote:
>> Hello,
>>
>> Have you tried with vino? I prefer it to a separate VNC server with a
>> separate display.
>>
>> With Vino, I can log in locally to my desktop at office; i would lock the
>> screen when i leave my office and when i arrive home i would connect to the
>> same desktop/display i left off at office with a normal VNC client (RealVNC
>> for windows).
>
> you recognized that it was solved yesterday? :-)
>
> vino, vncserver and others can not provide "Whether the user is
> logged or not, anyone with the right access can RDP in. IIRC, the old
> original VNC server used to do that on Windows."
>
> this can only be done with xvnc sharing display 0
> _
>
> example to show the big difference
>
> * i connect via ssh to our admin-server in the LAN
> * type "wol workstation" (/etc/ethers is your friend)
> * my workstation is powered on and boots to kdm login
> * "vnc.sh workstation" creates a ssh-tunnel and connects to display 0
>
> this way i can power off my machine completely and control it
> from remote like with physical access







Re: remote access via VNC

2012-05-30 Thread Tommy Pham
On Tue, May 29, 2012 at 1:53 PM, Rick Stevens ri...@alldigital.com wrote:
> On 05/29/2012 01:26 PM, Rick Stevens wrote:
>> On 05/29/2012 12:00 PM, Tommy Pham wrote:
>>> On Tue, May 29, 2012 at 11:18 AM, Rick Stevens ri...@alldigital.com wrote:
>>>> On 05/29/2012 10:26 AM, Tommy Pham wrote:
>>>>> Hi,
>>>>>
>>>>> Is it possible to have remote access via VNC without having the user
>>>>> to be logged in (automatically, especially on a system reboot)?
>>>>
>>>> You could share the display in the X configs, e.g.:
>>>>
>>>> cat /etc/X11/xorg.conf.d/00-system-setup-vnc.conf
>>>> # This file is to share the root screen via VNC
>>>> Section "Module"
>>>>     Load "vnc"
>>>> EndSection
>>>>
>>>> Section "Screen"
>>>>     Identifier "Screen0"
>>>>     Device "Videocard0"
>>>>     Option "SecurityTypes" "VncAuth"
>>>>     Option "UserPasswdVerifier" "VncAuth"
>>>>     Option "passwordfile" "/root/.vnc/passwd"
>>>> EndSection
>>>>
>>>> You may have to refresh the display after connecting when the user
>>>> login screen is shown. I have to on occasion...something with the
>>>> way the login mechanism (gdmgreeter?) updates the screen.
>>>
>>> Hi Rick,
>>>
>>> I just tried it with your suggested configuration but I'm still unable
>>> to access via VNC.
>>>
>>> [root@fedora17 ~]# find / -type f -name 'passwd'
>>> /sys/fs/selinux/class/passwd/perms/passwd
>>> find: `/run/user/dlp/gvfs': Permission denied
>>> /usr/share/bash-completion/completions/passwd
>>> /usr/bin/passwd
>>> /etc/pam.d/passwd
>>> /etc/passwd
>>>
>>> I've rebooted the system with no effect.
>>
>> If you look, you'll see that I used a password file, /root/.vnc/passwd
>> to hold the VNC passwords. You must create that file using vncpasswd
>> on the VNC server and give the root user a password. When you
>> authenticate VNC, you must give the root user's VNC password.
>>
>> You don't need to use the authentication, I guess (I always do). I also
>> believe that, for selinux to like it, you have to change the SELinux
>> context of the file:
>>
>> [root@golem4 .vnc]# ls -lZ /root/.vnc/passwd
>> -rw---. root root unconfined_u:object_r:admin_home_t:s0 /root/.vnc/passwd
>>
>> To access the machines, I have been using vncviewer over an SSH tunnel:
>>
>> # vpnc -via golem4 golem4
>
> Whoops!  Sorry, that should read:
>
> # vncviewer -via golem4 golem4
>
> (yes, I use vpnc a lot, hence my mistake)
>
>> I get a dialog box asking for root's VNC password. I put it in and the
>> desktop shows up.
>>
>> You probably want to look at the /var/log/Xorg.0.log file on the VNC
>> server machine to verify that the vnc module is actually being loaded.
>
> --
> - Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -    When you don't know what to do, walk fast and look worried.     -


Hi Rick,

I still can't seem to get this right :(.  This is what I have.

[root@ogx280 init.d]# rpm -qa|grep -i vnc
gtk-vnc2-0.5.0-2.fc17.i686
gtk-vnc-0.5.0-2.fc17.i686
gvnc-0.5.0-2.fc17.i686
tigervnc-license-1.1.0-5.fc17.noarch
libvncserver-0.9.8.2-4.fc17.i686
tigervnc-server-minimal-1.1.0-5.fc17.i686
gtk-vnc-python-0.5.0-2.fc17.i686
x11vnc-0.9.13-3.fc17.i686

[root@ogx280 init.d]# netstat -tapnv
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      1387/mysqld
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1461/sendmail: acce
tcp        0      0 0.0.0.0:8222            0.0.0.0:*               LISTEN      1716/httpd
tcp        0      0 0.0.0.0:25962           0.0.0.0:*               LISTEN      664/rpc.statd
tcp        0      0 0.0.0.0:8333            0.0.0.0:*               LISTEN      1716/httpd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      604/rpcbind
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      1716/httpd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1415/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      616/sshd
tcp        0    248 10.167.28.248:22        155.64.180.69:59101     ESTABLISHED 1892/sshd: root@pts
tcp6       0      0 :::111                  :::*                    LISTEN      604/rpcbind
tcp6       0      0 :::1521                 :::*                    LISTEN      1508/tnslsnr
tcp6       0      0 :::22                   :::*                    LISTEN      616/sshd
tcp6       0      0 :::39638                :::*                    LISTEN      664/rpc.statd
tcp6       0      0 :::631                  :::*                    LISTEN      1/systemd

[root@ogx280 init.d]# chkconfig

Note: This output shows SysV services only and does not include native
  systemd services. SysV configuration data might be overridden by native
  systemd configuration.

ceph            0:off   1:off   2:off   3:off   4:off   5:off   6:off
dbora           0:off   1:off   2:off   3:on    4:on    5:on    6:off
ebtables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
iscsi           0:off   1:off   2:off   3:on    4:on    5:on    6:off
iscsid

Re: remote access via VNC

2012-05-30 Thread Reindl Harald


On 30.05.2012 22:33, Tommy Pham wrote:
> I still can't seem to get this right :(.  This is what I have.
>
> [root@ogx280 init.d]# rpm -qa|grep -i vnc
> gtk-vnc2-0.5.0-2.fc17.i686
> gtk-vnc-0.5.0-2.fc17.i686
> gvnc-0.5.0-2.fc17.i686
> tigervnc-license-1.1.0-5.fc17.noarch
> libvncserver-0.9.8.2-4.fc17.i686
> tigervnc-server-minimal-1.1.0-5.fc17.i686
> gtk-vnc-python-0.5.0-2.fc17.i686
> x11vnc-0.9.13-3.fc17.i686

you are missing tigervnc-server-module!

no idea what x11vnc is but these are my
vnc-related packages while tigervnc is
the client to connect to remote-machines

[root@srv-rhsoft:~]$ rpm -qa | grep vnc
tigervnc-license-1.1.0-3.fc16.noarch
tigervnc-server-module-1.1.0-3.fc16.x86_64
tigervnc-1.1.0-3.fc16.x86_64

/usr/bin/vncpasswd to create /root/.vnc/passwd
is contained in tigervnc-server-minimal which can
even be uninstalled after all works!

http://rpm.pbone.net/index.php3/stat/4/idpl/17378318/dir/fedora_16/com/tigervnc-server-minimal-1.1.0-3.fc16.x86_64.rpm.html

well, this is a F16 link / system, but i am using this config
since years on several machines while iptables is blocking the
vnc-port and connect is done with a shell-script creating a
ssh-tunnel and fire up vncviewer with the needed params

___

[root@srv-rhsoft:~]$ cat /etc/X11/xorg.conf.d/02-vnc.conf
Section "Module"
 Load        "vnc"
EndSection

Section "Screen"
 Identifier  "Screen0"
 Option      "passwordFile" "/root/.vnc/passwd"
EndSection
___

Name            : tigervnc-server-module
Architektur     : x86_64
Version         : 1.1.0
Ausgabe         : 3.fc16
Größe           : 606 k
Repo            : installed
Zusammenfassung : TigerVNC module to Xorg
URL             : http://www.tigervnc.com
Lizenz          : GPLv2+
Beschreibung    : This package contains libvnc.so module to X server, allowing others
                : to access the desktop on your machine.





Re: remote access via VNC

2012-05-30 Thread Tommy Pham
On Wed, May 30, 2012 at 1:42 PM, Reindl Harald h.rei...@thelounge.net wrote:


> On 30.05.2012 22:33, Tommy Pham wrote:
>> I still can't seem to get this right :(.  This is what I have.
>>
>> [root@ogx280 init.d]# rpm -qa|grep -i vnc
>> gtk-vnc2-0.5.0-2.fc17.i686
>> gtk-vnc-0.5.0-2.fc17.i686
>> gvnc-0.5.0-2.fc17.i686
>> tigervnc-license-1.1.0-5.fc17.noarch
>> libvncserver-0.9.8.2-4.fc17.i686
>> tigervnc-server-minimal-1.1.0-5.fc17.i686
>> gtk-vnc-python-0.5.0-2.fc17.i686
>> x11vnc-0.9.13-3.fc17.i686
>
> you are missing tigervnc-server-module!
>
> no idea what x11vnc is but these are my
> vnc-related packages while tigervnc is
> the client to connect to remote-machines
>
> [root@srv-rhsoft:~]$ rpm -qa | grep vnc
> tigervnc-license-1.1.0-3.fc16.noarch
> tigervnc-server-module-1.1.0-3.fc16.x86_64
> tigervnc-1.1.0-3.fc16.x86_64
>
> /usr/bin/vncpasswd to create /root/.vnc/passwd
> is contained in tigervnc-server-minimal which can
> even be uninstalled after all works!
>
> http://rpm.pbone.net/index.php3/stat/4/idpl/17378318/dir/fedora_16/com/tigervnc-server-minimal-1.1.0-3.fc16.x86_64.rpm.html
>
> well, this is a F16 link / system, but i am using this config
> since years on several machines while iptables is blocking the
> vnc-port and connect is done with a shell-script creating a
> ssh-tunnel and fire up vncviewer with the needed params
>
> ___
>
> [root@srv-rhsoft:~]$ cat /etc/X11/xorg.conf.d/02-vnc.conf
> Section "Module"
>  Load        "vnc"
> EndSection
>
> Section "Screen"
>  Identifier  "Screen0"
>  Option      "passwordFile" "/root/.vnc/passwd"
> EndSection
> ___
>
> Name            : tigervnc-server-module
> Architektur     : x86_64
> Version         : 1.1.0
> Ausgabe         : 3.fc16
> Größe           : 606 k
> Repo            : installed
> Zusammenfassung : TigerVNC module to Xorg
> URL             : http://www.tigervnc.com
> Lizenz          : GPLv2+
> Beschreibung    : This package contains libvnc.so module to X server, allowing others
>                 : to access the desktop on your machine.



Hi,

I just installed that package prior to your response and rebooted.
Still no luck :(

[root@ogx280 ~]# rpm -qa|grep -i vnc
gtk-vnc2-0.5.0-2.fc17.i686
gtk-vnc-0.5.0-2.fc17.i686
gvnc-0.5.0-2.fc17.i686
tigervnc-license-1.1.0-5.fc17.noarch
libvncserver-0.9.8.2-4.fc17.i686
tigervnc-server-1.1.0-5.fc17.i686
tigervnc-server-minimal-1.1.0-5.fc17.i686
gtk-vnc-python-0.5.0-2.fc17.i686
x11vnc-0.9.13-3.fc17.i686

[root@ogx280 ~]# cat /etc/X11/xorg.conf.d/00-system-setup-vnc.conf
# This file is to share the root screen via VNC
Section "Module"
   Load "vnc"
EndSection

Section "Screen"
   Identifier "Screen0"
   Device "Videocard0"
   Option "SecurityTypes" "VncAuth"
   Option "UserPasswdVerifier" "VncAuth"
#   Option "passwordfile" "/root/.vnc/passwd"
EndSection


[root@ogx280 ~]# ls /lib/systemd/system/*vnc*
/lib/systemd/system/vncserver@.service

[root@ogx280 multi-user.target.wants]# ll /etc/systemd/system/multi-user.target.wants/*vnc*
lrwxrwxrwx. 1 root root 38 May 30 14:09 /etc/systemd/system/multi-user.target.wants/vncserver@:0.service -> /lib/systemd/system/vncserver@.service

[root@ogx280 multi-user.target.wants]# cat
/etc/systemd/system/multi-user.target.wants/vncserver@:0.service
# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/vncserver@:display.service
# 2. Edit USER and vncserver parameters appropriately
#   (runuser -l USER -c "/usr/bin/vncserver %i -arg1 -arg2")
# 3. Run `systemctl daemon-reload`
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, you should
# limit connections to the local host and then tunnel from
# the machine you want to view VNC on (host A) to the machine
# whose VNC output you want to view (host B)
#
# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
#
# this will open a connection on port 590N of your hostA to hostB's port 590M
# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
# See the ssh man page for details on port forwarding)
#
# You can then point a VNC client on hostA at vncdisplay N of localhost and with
# the help of ssh, you end up seeing what hostB makes available on port 590M
#
# Use -nolisten tcp to prevent X connections to your VNC server via TCP.
#
# Use -localhost to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the -via option in the
# `man vncviewer' manual page.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l root -c "/usr/bin/vncserver %i"
ExecStop=/sbin/runuser -l root -c "/usr/bin/vncserver -kill %i"

[Install]
WantedBy=multi-user.target

Re: remote access via VNC

2012-05-30 Thread Reindl Harald


On 30.05.2012 23:32, Tommy Pham wrote:
>> Name            : tigervnc-server-module
>> Architektur     : x86_64
>> Version         : 1.1.0
>> Ausgabe         : 3.fc16
>> Größe           : 606 k
>> Repo            : installed
>> Zusammenfassung : TigerVNC module to Xorg
>> URL             : http://www.tigervnc.com
>> Lizenz          : GPLv2+
>> Beschreibung    : This package contains libvnc.so module to X server, allowing others
>>                 : to access the desktop on your machine.
>
> I just installed that package prior to your response and rebooted.
> Still no luck :(
>
> [root@ogx280 ~]# rpm -qa|grep -i vnc
> gtk-vnc2-0.5.0-2.fc17.i686
> gtk-vnc-0.5.0-2.fc17.i686
> gvnc-0.5.0-2.fc17.i686
> tigervnc-license-1.1.0-5.fc17.noarch
> libvncserver-0.9.8.2-4.fc17.i686
> tigervnc-server-1.1.0-5.fc17.i686
> tigervnc-server-minimal-1.1.0-5.fc17.i686
> gtk-vnc-python-0.5.0-2.fc17.i686
> x11vnc-0.9.13-3.fc17.i686

where did you?

i see no tigervnc-server-module in your list
tigervnc-server-module != tigervnc-server-minimal

the vncserver-stuff i stripped of your reply has nothing
to do with vnc-access to display 0, this is a totally different
topic because it starts a whole session and give you no access
to the same screen as on the local machine like xvnc does

there is no need to reboot, this is no kernel-update :-)
"killall X" will restart X11


again my only installed packages:

[harry@srv-rhsoft:~]$ rpm -qa | grep vnc
tigervnc-1.1.0-3.fc16.x86_64
tigervnc-server-module-1.1.0-3.fc16.x86_64
tigervnc-license-1.1.0-3.fc16.noarch


my configuration:

[root@srv-rhsoft:~]$ cat /etc/X11/xorg.conf.d/02-vnc.conf
Section "Module"
 Load        "vnc"
EndSection
Section "Screen"
 Identifier  "Screen0"
 Option      "passwordFile" "/root/.vnc/passwd"
EndSection


[root@srv-rhsoft:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l | grep 5900
tcp        0      0 0.0.0.0:5900                0.0.0.0:*                   LISTEN      19650/X
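
The netstat line above shows the X server's VNC module listening on 0.0.0.0:5900, which is why the earlier message pairs this setup with iptables blocking the port and an ssh tunnel for access. The following is an added example, not part of the original message: it scans `netstat -tlnp` style output and reports VNC listeners reachable on a non-loopback address. The sample text is constructed; only its first listener mirrors the line in the thread.

```python
import ipaddress

VNC_PORTS = range(5900, 6000)   # display N listens on TCP 5900+N

# Constructed sample in `netstat -tlnp` layout. The first listener mirrors
# the one shown in the thread; the others are made up for this example.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:5900     0.0.0.0:*        LISTEN  19650/X
tcp        0      0 127.0.0.1:5901   0.0.0.0:*        LISTEN  2210/Xvnc
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  616/sshd
tcp6       0      0 :::5902          :::*             LISTEN  2301/Xvnc
tcp6       0      0 ::1:5903         :::*             LISTEN  2302/Xvnc
"""


def is_loopback(host):
    """True only for literal loopback addresses such as 127.0.0.1 or ::1."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False            # '*' or a hostname: treat as reachable


def exposed_vnc_listeners(netstat_text):
    """Return (address, port, program) for VNC listeners bound off-loopback."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if (len(fields) < 6 or not fields[0].startswith("tcp")
                or fields[5] != "LISTEN"):
            continue
        # rpartition keeps IPv6 forms intact: ':::5902' -> ('::', '5902')
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in VNC_PORTS:
            continue
        if is_loopback(host):
            continue            # only reachable through a local tunnel
        program = fields[6] if len(fields) > 6 else "?"
        hits.append((host, int(port), program))
    return hits


if __name__ == "__main__":
    for host, port, program in exposed_vnc_listeners(SAMPLE):
        print(f"VNC listener on {host}:{port} ({program}) is not loopback-only")
```

A hit is expected for the display-0 setup in this thread; what matters then is that a firewall rule blocks the port from the network so that only the ssh tunnel reaches it.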








Re: remote access via VNC

2012-05-30 Thread Tommy Pham
On Wed, May 30, 2012 at 2:54 PM, Reindl Harald h.rei...@thelounge.net wrote:


 Am 30.05.2012 23:32, schrieb Tommy Pham:
 Name       : tigervnc-server-module
 Architektur : x86_64
 Version    : 1.1.0
 Ausgabe    : 3.fc16
 Größe : 606 k
 Repo        : installed
 Zusammenfassung     : TigerVNC module to Xorg
 URL        : http://www.tigervnc.com
 Lizenz     : GPLv2+
 Beschreibung : This package contains libvnc.so module to X server, allowing 
 others
             : to access the desktop on your machine.

 I just installed that package prior to your response and rebooted.
 Still no luck :(

 [root@ogx280 ~]# rpm -qa|grep -i vnc
 gtk-vnc2-0.5.0-2.fc17.i686
 gtk-vnc-0.5.0-2.fc17.i686
 gvnc-0.5.0-2.fc17.i686
 tigervnc-license-1.1.0-5.fc17.noarch
 libvncserver-0.9.8.2-4.fc17.i686
 tigervnc-server-1.1.0-5.fc17.i686
 tigervnc-server-minimal-1.1.0-5.fc17.i686
 gtk-vnc-python-0.5.0-2.fc17.i686
 x11vnc-0.9.13-3.fc17.i686

 where did you?

 i see no tigervnc-server-module in your list
 tigervnc-server-module != tigervnc-server-minimal

 the vncserver-stuff i stripped of your reply has nothing
 to do with vnc-access to display 0, this is a totally different
 topic because it starts a whole session and give you no access
 to the same screen as on the local machine like xvnc does

 there is no need to reboot, this is no kernel-update :-)
 killall X will restart X11
 

 again my only installed packages:

 [harry@srv-rhsoft:~]$ rpm -qa | grep vnc
 tigervnc-1.1.0-3.fc16.x86_64
 tigervnc-server-module-1.1.0-3.fc16.x86_64
 tigervnc-license-1.1.0-3.fc16.noarch
 

 my configuration:

 [root@srv-rhsoft:~]$ cat /etc/X11/xorg.conf.d/02-vnc.conf
 Section "Module"
  Load        "vnc"
 EndSection
 Section "Screen"
  Identifier  "Screen0"
  Option      "passwordFile" "/root/.vnc/passwd"
 EndSection
 

 [root@srv-rhsoft:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l | grep 5900
 tcp        0      0 0.0.0.0:5900                0.0.0.0:*                   LISTEN      19650/X



Don't know how I missed the module when I did yum search vnc.
Adding that package fixed it for me.  Thank you for your time. :)


Re: remote access via VNC

2012-05-30 Thread Reindl Harald


Am 31.05.2012 00:10, schrieb Tommy Pham:
 On Wed, May 30, 2012 at 2:54 PM, Reindl Harald h.rei...@thelounge.net wrote:
 Am 30.05.2012 23:32, schrieb Tommy Pham:
 Name   : tigervnc-server-module
 Architektur : x86_64
 Version: 1.1.0
 Ausgabe: 3.fc16
 Größe : 606 k
 Repo: installed
 Zusammenfassung : TigerVNC module to Xorg
 URL: http://www.tigervnc.com
 Lizenz : GPLv2+
 Beschreibung : This package contains libvnc.so module to X server, 
 allowing others
 : to access the desktop on your machine.

 I just installed that package prior to your response and rebooted.
 Still no luck :(

 where did you?

 i see no tigervnc-server-module in your list
 tigervnc-server-module != tigervnc-server-minimal
 
 Don't know how I missed the module when I did yum search vnc.
 Adding that package fixed it for me.  Thank you for your time. :)

the main question is where you missed my post about the package
replying "I just installed that package prior to your response"
but who cares, now it works :-)





Re: remote access via VNC

2012-05-30 Thread Tommy Pham
On Wed, May 30, 2012 at 3:20 PM, Reindl Harald h.rei...@thelounge.net wrote:


 the main question is where you missed my post about the package
 replying I just installed that package prior to your response
 but who cares, now it works :-)



Sorry, I meant I just installed the tigervnc package.  It's been a
long day :).  Thanks again to you and Rick.


remote access via VNC

2012-05-29 Thread Tommy Pham
Hi,

Is it possible to have remote access via VNC without having the user
to be logged in (automatically, especially on a system reboot)?

Thanks,
Tommy


Re: remote access via VNC

2012-05-29 Thread Rick Stevens

On 05/29/2012 10:26 AM, Tommy Pham wrote:

> Hi,
>
> Is it possible to have remote access via VNC without having the user
> to be logged in (automatically, especially on a system reboot)?


You could share the display in the X configs, e.g.:

cat /etc/X11/xorg.conf.d/00-system-setup-vnc.conf
# This file is to share the root screen via VNC
Section "Module"
    Load "vnc"
EndSection

Section "Screen"
    Identifier "Screen0"
    Device "Videocard0"
    Option "SecurityTypes" "VncAuth"
    Option "UserPasswdVerifier" "VncAuth"
    Option "passwordfile" "/root/.vnc/passwd"
EndSection

You may have to refresh the display after connecting when the user
login screen is shown. I have to on occasion...something with the
way the login mechanism (gdmgreeter?) updates the screen.
--
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
--
-Beware of programmers who carry screwdrivers-
--


Re: remote access via VNC

2012-05-29 Thread Tommy Pham
On Tue, May 29, 2012 at 11:18 AM, Rick Stevens ri...@alldigital.com wrote:
 On 05/29/2012 10:26 AM, Tommy Pham wrote:

 Hi,

 Is it possible to have remote access via VNC without having the user
 to be logged in (automatically, especially on a system reboot)?


 You could share the display in the X configs, e.g.:

 cat /etc/X11/xorg.conf.d/00-system-setup-vnc.conf
 # This file is to share the root screen via VNC
 Section "Module"
    Load "vnc"
 EndSection

 Section "Screen"
    Identifier "Screen0"
    Device "Videocard0"
    Option "SecurityTypes" "VncAuth"
    Option "UserPasswdVerifier" "VncAuth"
    Option "passwordfile" "/root/.vnc/passwd"
 EndSection

 You may have to refresh the display after connecting when the user
 login screen is shown. I have to on occasion...something with the
 way the login mechanism (gdmgreeter?) updates the screen.
 --
 - Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
 - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
 -                                                                    -
 -            Beware of programmers who carry screwdrivers            -
 --
 --

Hi Rick,

I just tried it with your suggested configuration but I'm still unable
to access via VNC.

[root@fedora17 ~]# find / -type f -name 'passwd'
/sys/fs/selinux/class/passwd/perms/passwd
find: `/run/user/dlp/gvfs': Permission denied
/usr/share/bash-completion/completions/passwd
/usr/bin/passwd
/etc/pam.d/passwd
/etc/passwd

I've rebooted the system with no effect.

Thanks,
Tommy


Re: remote access via VNC

2012-05-29 Thread Andrew Haley
On 05/29/2012 06:26 PM, Tommy Pham wrote:
 Is it possible to have remote access via VNC without having the user
 to be logged in (automatically, especially on a system reboot)?

I don't get the problem.  You don't have to be logged in on
the console, or anything like that.  You just have to be able
to start a vnc server, and you can do that via ssh.  What else
do you want to do?

Andrew.


Re: remote access via VNC

2012-05-29 Thread Tommy Pham
On Tue, May 29, 2012 at 1:01 PM, Andrew Haley a...@redhat.com wrote:
 On 05/29/2012 06:26 PM, Tommy Pham wrote:
 Is it possible to have remote access via VNC without having the user
 to be logged in (automatically, especially on a system reboot)?

 I don't get the problem.  You don't have to be logged in on
 the console, or anything like that.  You just have to be able
 to start a vnc server, and you can do that via ssh.  What else
 do you want to do?

 Andrew.

Hi Andrew,

I have no problems doing the majority of the work needed via ssh and
command line.  However, there are a few things that require the GUI,
specifically Oracle, for me to do a few things.  Setting the autologin
would allow me to VNC into the system, especially when the system is
rebooted.  However, that poses a security risk for me.  Basically, I'm
looking for something similar to MS Windows' RDP.  Whether the user is
logged or not, anyone with the right access can RDP in.  IIRC, the old
original VNC server used to do that on Windows.  I haven't used VNC
server in about 10~ years.

Thanks,
Tommy


Re: remote access via VNC

2012-05-29 Thread Rick Stevens

On 05/29/2012 12:00 PM, Tommy Pham wrote:
> On Tue, May 29, 2012 at 11:18 AM, Rick Stevens ri...@alldigital.com wrote:
>> On 05/29/2012 10:26 AM, Tommy Pham wrote:
>>> Hi,
>>>
>>> Is it possible to have remote access via VNC without having the user
>>> to be logged in (automatically, especially on a system reboot)?
>>
>> You could share the display in the X configs, e.g.:
>>
>> cat /etc/X11/xorg.conf.d/00-system-setup-vnc.conf
>> # This file is to share the root screen via VNC
>> Section "Module"
>>    Load "vnc"
>> EndSection
>>
>> Section "Screen"
>>    Identifier "Screen0"
>>    Device "Videocard0"
>>    Option "SecurityTypes" "VncAuth"
>>    Option "UserPasswdVerifier" "VncAuth"
>>    Option "passwordfile" "/root/.vnc/passwd"
>> EndSection
>>
>> You may have to refresh the display after connecting when the user
>> login screen is shown. I have to on occasion...something with the
>> way the login mechanism (gdmgreeter?) updates the screen.
>
> Hi Rick,
>
> I just tried it with your suggested configuration but I'm still unable
> to access via VNC.
>
> [root@fedora17 ~]# find / -type f -name 'passwd'
> /sys/fs/selinux/class/passwd/perms/passwd
> find: `/run/user/dlp/gvfs': Permission denied
> /usr/share/bash-completion/completions/passwd
> /usr/bin/passwd
> /etc/pam.d/passwd
> /etc/passwd
>
> I've rebooted the system with no effect.


If you look, you'll see that I used a password file, /root/.vnc/passwd
to hold the VNC passwords. You must create that file using vncpasswd
on the VNC server and give the root user a password. When you
authenticate VNC, you must give the root user's VNC password.

You don't need to use the authentication, I guess (I always do). I also
believe that, for selinux to like it, you have to change the SELinux
context of the file:

[root@golem4 .vnc]# ls -lZ /root/.vnc/passwd
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 /root/.vnc/passwd


To access the machines, I have been using vncviewer over an SSH tunnel:

# vpnc -via golem4 golem4

I get a dialog box asking for root's VNC password. I put it in and the
desktop shows up.

You probably want to look at the /var/log/Xorg.0.log file on the VNC
server machine to verify that the vnc module is actually being loaded.
--
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
--
-  Death is nature's way of dropping carrier -
--


Re: remote access via VNC

2012-05-29 Thread Rick Stevens

On 05/29/2012 01:26 PM, Rick Stevens wrote:
> On 05/29/2012 12:00 PM, Tommy Pham wrote:
>> On Tue, May 29, 2012 at 11:18 AM, Rick Stevens ri...@alldigital.com wrote:
>>> On 05/29/2012 10:26 AM, Tommy Pham wrote:
>>>> Hi,
>>>>
>>>> Is it possible to have remote access via VNC without having the user
>>>> to be logged in (automatically, especially on a system reboot)?
>>>
>>> You could share the display in the X configs, e.g.:
>>>
>>> cat /etc/X11/xorg.conf.d/00-system-setup-vnc.conf
>>> # This file is to share the root screen via VNC
>>> Section "Module"
>>>   Load "vnc"
>>> EndSection
>>>
>>> Section "Screen"
>>>   Identifier "Screen0"
>>>   Device "Videocard0"
>>>   Option "SecurityTypes" "VncAuth"
>>>   Option "UserPasswdVerifier" "VncAuth"
>>>   Option "passwordfile" "/root/.vnc/passwd"
>>> EndSection
>>>
>>> You may have to refresh the display after connecting when the user
>>> login screen is shown. I have to on occasion...something with the
>>> way the login mechanism (gdmgreeter?) updates the screen.
>>
>> Hi Rick,
>>
>> I just tried it with your suggested configuration but I'm still unable
>> to access via VNC.
>>
>> [root@fedora17 ~]# find / -type f -name 'passwd'
>> /sys/fs/selinux/class/passwd/perms/passwd
>> find: `/run/user/dlp/gvfs': Permission denied
>> /usr/share/bash-completion/completions/passwd
>> /usr/bin/passwd
>> /etc/pam.d/passwd
>> /etc/passwd
>>
>> I've rebooted the system with no effect.
>
> If you look, you'll see that I used a password file, /root/.vnc/passwd
> to hold the VNC passwords. You must create that file using vncpasswd
> on the VNC server and give the root user a password. When you
> authenticate VNC, you must give the root user's VNC password.
>
> You don't need to use the authentication, I guess (I always do). I also
> believe that, for selinux to like it, you have to change the SELinux
> context of the file:
>
> [root@golem4 .vnc]# ls -lZ /root/.vnc/passwd
> -rw-------. root root unconfined_u:object_r:admin_home_t:s0 /root/.vnc/passwd
>
> To access the machines, I have been using vncviewer over an SSH tunnel:
>
> # vpnc -via golem4 golem4

Whoops!  Sorry, that should read:

# vncviewer -via golem4 golem4

(yes, I use vpnc a lot, hence my mistake)

> I get a dialog box asking for root's VNC password. I put it in and the
> desktop shows up.
>
> You probably want to look at the /var/log/Xorg.0.log file on the VNC
> server machine to verify that the vnc module is actually being loaded.

--
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
--
-When you don't know what to do, walk fast and look worried. -
--
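
The checks Rick lists in the messages above (a password file created with vncpasswd, the vnc module actually loading according to /var/log/Xorg.0.log) and the 0.0.0.0:5900 listener in Reindl Harald's netstat output can be run as one small audit. This is an added example, not code from the thread; the function names, the optional fourth argument and the sample inputs are constructed for illustration, and every input is a file so the script can be tried on copies.

```shell
#!/bin/sh
# Added example (not from the thread): audit a display :0 share done through
# the Xorg "vnc" module. Every input is a file, so copies can be checked offline.

# Value of Option "<name>" in an xorg.conf snippet; names compared case-insensitively.
xorg_option() {   # $1 = config file, $2 = option name
    awk -v want="$2" '
        { gsub(/"/, " ") }
        tolower($1) == "option" && tolower($2) == tolower(want) { print $3; exit }
    ' "$1"
}

# True when the snippet has a Load "vnc" line.
config_loads_vnc() {   # $1 = config file
    awk '{ gsub(/"/, " ") }
         tolower($1) == "load" && $2 == "vnc" { found = 1 }
         END { exit !found }' "$1"
}

# Where TCP 5900 listens: prints none, loopback or network.
# Reads `netstat -tln` or `ss -tln` output.
vnc_listener_scope() {   # $1 = file with listener output
    awk '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /:5900$/) continue
                addr = $i; sub(/:5900$/, "", addr)
                if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") {
                    if (scope == "") scope = "loopback"
                } else scope = "network"
            }
        }
        END { print (scope == "" ? "none" : scope) }
    ' "$1"
}

# The VncAuth password file must exist, be non-empty and be owner-only.
passwd_file_ok() {   # $1 = path
    [ -s "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1     # GNU stat, as shipped on Fedora
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

# Run all checks, print one line per finding, return the number of findings.
# $1 = config, $2 = Xorg log, $3 = listener output, $4 = password file copy (optional)
audit_vnc() {
    findings=0
    config_loads_vnc "$1" || finding 'config has no Load "vnc" line'
    if grep -q 'Failed to load module "vnc"' "$2"; then
        finding 'Xorg log: vnc module failed to load (tigervnc-server-module installed?)'
    elif ! grep -q 'LoadModule: "vnc"' "$2"; then
        finding 'Xorg log: no LoadModule line for vnc'
    fi
    sec=$(xorg_option "$1" SecurityTypes | tr 'A-Z' 'a-z')
    case ",$sec," in *,none,*) finding 'SecurityTypes allows None (no password)' ;; esac
    pw=${4:-$(xorg_option "$1" passwordFile)}
    if [ -z "$pw" ]; then
        finding 'no passwordFile option set'
    elif ! passwd_file_ok "$pw"; then
        finding "password file $pw is missing, empty or not mode 600/400"
    fi
    if [ "$(vnc_listener_scope "$3")" = network ]; then
        finding 'port 5900 listens beyond loopback: firewall it, connect with vncviewer -via'
    fi
    return "$findings"
}

# Constructed sample inputs modelled on the thread (not captured from a real host).
make_samples() {   # $1 = directory to write into
    cat > "$1/02-vnc.conf" <<'EOF'
Section "Module"
    Load "vnc"
EndSection
Section "Screen"
    Identifier "Screen0"
    Option "SecurityTypes" "VncAuth"
    Option "passwordFile" "/root/.vnc/passwd"
EndSection
EOF
    echo '(II) LoadModule: "vnc"' > "$1/Xorg.ok.log"
    echo '(EE) Failed to load module "vnc" (module does not exist, 0)' > "$1/Xorg.bad.log"
    echo 'tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 19650/X' > "$1/listen.all"
    echo 'tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 19650/X' > "$1/listen.lo"
    printf 'constructed' > "$1/passwd"; chmod 600 "$1/passwd"
}

# With file arguments audit those; with none, demonstrate on the samples.
if [ "$#" -ge 3 ]; then
    audit_vnc "$@"
else
    demo=$(mktemp -d); make_samples "$demo"
    audit_vnc "$demo/02-vnc.conf" "$demo/Xorg.bad.log" "$demo/listen.all" "$demo/passwd" || true
    rm -rf "$demo"
fi
```

A `network` result matters because VncAuth only authenticates the viewer and does not encrypt the session, which is the reason for connecting through the SSH tunnel with `vncviewer -via`.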


Re: Remote access

2011-10-17 Thread Reindl Harald
and his boss is perfectly legitimate to fire him from one day to the next
it does even not matter if there is any firewall to pierce, it is enough
that a policy/admin says it is not allowed to fire you if you are doing it

people like you are a real nightmare because you are enforcing
other ones to break policies which you and we do not understand
from outside and there is only one person who really must understand
them - the admin

the same for recommend to setup openvpn
you can do that at your home but NOT in a company
why? because you are not understanding the security-implications

the company may have well tested rollouts and security checks on all
machines in their network and then comes some stupid boy missing
any knowledge and brings a hidden machine in the network


Am 14.10.2011 13:26, schrieb Marko Vojinovic:

On Friday 14 October 2011 05:32:23 Scott Rouse wrote:

However, every serious firewall admin should know that the firewall is a 
one-way barrier,
protecting local users from the outside attack, and having in principle no way 
to protect
the outside world from the local user.

So, if the OP asks his admin to allow him the access, and is refused, I think 
it is perfectly
legitimate to DIY and pierce a connection through. Best, :-) Marko 





Re: Remote access

2011-10-15 Thread Joe Zeff
On 10/14/2011 05:08 PM, Marko Vojinovic wrote:
 Oh, yes, you're absolutely right.  Sorry for my English, it occasionally gets
 buggy... :-) I doubt that even a spell-checker could help me with that one.

That's what I kind of figured.  BTW, I'm getting some bounces on your 
email again.


Re: Remote access

2011-10-15 Thread Tim
On Fri, 2011-10-14 at 22:04 +0100, Marko Vojinovic wrote:
 <quote>Rules are made to be broken...</quote> ;-)

Do people not understand what that quote means?

It's not that you're meant to break the rules.  It's that people are
expected to get caught infringing them, and suffer punishment.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Remote access

2011-10-15 Thread Tim
On Fri, 2011-10-14 at 23:05 +0100, Marko Vojinovic wrote:
 Let me phrase it like this --- when some rules in some legal system
 cease to make actual sense, it is legitimate to challenge them.

There's a big difference between calling stupidity to attention, and
deliberately breaking the rules rather than working to have them
changed.  Worse still, encouraging someone else to break the rules, as
you *have* done in this thread.


-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Remote access

2011-10-15 Thread Tim
On Fri, 2011-10-14 at 23:28 +0800, Ed Greshko wrote:
 All I know is this  If I were Marko's employer and I read his
 views on circumventing or flouting the rules of a company I'd start to
 worry.

Yes.  I've had to deal with sabotaging people before, and you are best
rid of them, before something horrendous happens.  Whether it's
malicious or just plain stupid sabotage, one employee's misdeeds can
bring down a company, destroying everyone's lives.  Or the desire to
smack them one for the trouble that they're causing gets you into
trouble.

Just because you catch them out in one case, doesn't mean you've reined
them in.  It's highly likely that they're doing all sorts of things, or
will do, that you won't know about.

It's a poisonous environment to be forever on your guard against people
who're supposed to be on your side.  It's not worth the risk, or the
stress.

Been there, done it, several times over, and I have never seen anything
to persuade me that it's worth putting up with sabotaging people.  Let
your competition take the poisonous person, it can only help you.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Remote access

2011-10-14 Thread Alain Spineux
On Fri, Oct 14, 2011 at 6:13 AM, KC8LDO kc8...@arrl.net wrote:
 Is there a way to use ssh to get through a firewall for remote access to a
 system? The situation I'm looking at is a Fedora system sitting behind a
 company firewall, which I have no control over, that I wish to gain access
 to by logging into it over the Internet from a remote computer. In other
 words the connection is initiated from outside of the firewalled company
 network.

 What I'm thinking is using ssh to forward a port, 3389, to another computer
 on my own private network (also behind a firewall and NAT router) at home
 acting as a middle man. Then from another computer, let's say at a hotel,
 logging in to the same computer on my private home network and have it pass
 traffic bidirectionally between the two end point computers.

 Is this something that can be done using ssh and if so how? I would also
 like to have the remote Fedora system connection to the middle man computer
 remain even if the remote computer is not connected.

tcpproxyreflector does exactly what you want. Install it on the 3
computers and run it :

- as a server at home, to get connection from the client and console
- as the client at work, to open and keep the connection open with home
- as a console on your laptop at the hotel to activate a tunnel and
connect through SSH or directly on port 3389 to another computer
inside the company.

http://blog.magiksys.net/software/tcp-proxy-reflector

Have fun


 Regards,

 Leland C. Scott
 KC8LDO

 The most reliable components
  are the ones you leave out.

 Gordon Bell, father of the
 minicomputer at DEC.





-- 
Alain Spineux                   |  aspineux gmail com
Monitor your iT  Backups |  http://www.magikmon.com
Free Backup front-end       | http://www.magikmon.com/mksbackup
Your email 100% available |  http://www.emailgency.com


Re: Remote access

2011-10-14 Thread Marko Vojinovic
On Friday 14 October 2011 05:13:53 KC8LDO wrote:
 Is there a way to use ssh to get through a firewall for remote access to a
 system? The situation I'm looking at is a Fedora system sitting behind a
 company firewall, which I have no control over, that I wish to gain access
 to by logging into it over the Internet from a remote computer. In other
 words the connection is initiated from outside of the firewalled company
 network.
 
 What I'm thinking is using ssh to forward a port, 3389, to another computer
 on my own private network (also behind a firewall and NAT router) at home
 acting as a middle man. Then from another computer, let's say at a hotel,
 logging in to the same computer on my private home network and have it pass
 traffic bidirectionally between the two end point computers.
 
 Is this something that can be done using ssh and if so how? I would also
 like to have the remote Fedora system connection to the middle man computer
 remain even if the remote computer is not connected.

You want to look into OpenVPN. It does take some time to read the docs and set 
it up, but it's worth it.

  http://openvpn.net/index.php/open-source.html

Essentially, it adds a virtual ethernet device (called tap) to each machine, 
and connects these into a virtual LAN. From that point on you can do whatever 
you want, as if the machines were next to each other in the same room, 
connected to an ethernet switch.

It may happen that the default openvpn port is blocked by the company firewall. 
In that case just reconfigure your machines to use openvpn on some port that is 
not blocked. Other than that, openvpn will work for you all over the globe, 
and it is completely under your control.

Best, :-)
Marko



Re: Remote access

2011-10-14 Thread Marko Vojinovic
On Friday 14 October 2011 05:32:23 Scott Rouse wrote:
 On Oct 14, 2011 12:13 AM, KC8LDO kc8...@arrl.net wrote:
  Is there a way to use ssh to get through a firewall for remote access to
  a system? The situation I'm looking at is a Fedora system sitting behind
  a company firewall, which I have no control over, that I wish to gain
  access to by logging into it over the Internet from a remote computer.
  In other words the connection is initiated from outside of the
  firewalled company network.
 
 There are many companies that would frown upon doing what you are
 proposing.  I would suggest that you talk to your network/firewall admin
 and see if they will make an allowance for you.

True, and that is usually the best option. The drawback being that you are 
putting yourself at mercy of the firewall admin, who might be lazy, 
incompetent, or ignorant (which is sometimes the case), or have a boss that is 
one of those things (which is the case quite often).

However, every serious firewall admin should know that the firewall is a 
one-way barrier, protecting local users from the outside attack, and having in 
principle no way to protect the outside world from the local user. Or in the 
words of the firewall-piercing HOWTO
( http://tldp.org/HOWTO/Firewall-Piercing ):

quote
A firewall cannot protect a network against its own internal users, and should 
not even try to.
/quote

So, if the OP asks his admin to allow him the access, and is refused, I think 
it is perfectly legitimate to DIY and pierce a connection through.

Best, :-)
Marko







Re: Remote access

2011-10-14 Thread Tom Horsley
On Friday 14 October 2011 05:13:53 KC8LDO wrote:
 Is there a way to use ssh to get through a firewall for remote access to a
 system?

I have a little shell script I run on my desktop at work that has
its own copy of ssh-agent holding my home system public key info.
It runs an ssh command from my desktop at work to my home system,
forwarding my work system's port 22 to home, and my home system's
port 22 to work. The ssh command runs in a loop, so if the
connection drops (because I reboot my home system for instance),
it will come back up as soon as both systems are talking again.

This gives me local ssh access at home to my work system and
at work to my home system, through the company firewall which
blocks all incoming connections to all but company servers.
Since I have ssh access, I can always run new ssh commands to
forward other ports (like mail servers).

The ssh connection is (in some directions) about 6 times
faster than using the company VPN, and normally what I use the
ssh connection for is running an NX session at home to get
my desktop at work to appear on my home system screen so I
can commute to work without leaving home :-).

P.S. I also have my home system as secured as possible with
firewall rules that only allow ssh connections that look as if
they are coming from my work system (i.e. the company firewall)
and ssh config rules requiring public keys as the only way
to connect from the outside world.


Re: Remote access

2011-10-14 Thread Ed Greshko
On 10/14/2011 07:26 PM, Marko Vojinovic wrote:
 quote
 A firewall cannot protect a network against its own internal users, and should
 not even try to.
 /quote

 So, if the OP asks his admin to allow him the access, and is refused, I think
 it is perfectly legitimate to DIY and pierce a connection through.

I've known a few *former* employees that thought doing so was legitimate.

-- 
Even if you do learn to speak correct English, whom are you going to 
speak it to? -- Clarence Darrow


RE: Remote access

2011-10-14 Thread J.Witvliet
 

-Original Message-
From: users-boun...@lists.fedoraproject.org 
[mailto:users-boun...@lists.fedoraproject.org] On Behalf Of Marko Vojinovic
Sent: vrijdag 14 oktober 2011 13:26
To: Community support for Fedora users
Subject: Re: Remote access

On Friday 14 October 2011 05:32:23 Scott Rouse wrote:
 On Oct 14, 2011 12:13 AM, KC8LDO kc8...@arrl.net wrote:
  Is there a way to use ssh to get through a firewall for remote 
  access to a system? The situation I'm looking at is a Fedora system 
  sitting behind a company firewall, which I have no control over, 
  that I wish to gain access to by logging into it over the Internet from a 
  remote computer.
  In other words the connection is initiated from outside of the 
  firewalled company network.
 
 There are many companies that would frown upon doing what you are 
 proposing.  I would suggest that you talk to your network/firewall 
 admin and see if they will make an allowance for you.

True, and that is usually the best option. The drawback being that you are 
putting yourself at mercy of the firewall admin, who might be lazy, 
incompetent, or ignorant (which is sometimes the case), or have a boss that is 
one of those things (which is the case quite often).

However, every serious firewall admin should know that the firewall is a 
one-way barrier, protecting local users from the outside attack, and having in 
principle no way to protect the outside world from the local user. Or in the 
words of the firewall-piercing HOWTO ( http://tldp.org/HOWTO/Firewall-Piercing 
):

quote
A firewall cannot protect a network against its own internal users, and should 
not even try to.
/quote

So, if the OP asks his admin to allow him the access, and is refused, I think 
it is perfectly legitimate to DIY and pierce a connection through.

Best, :-)
Marko


Hi some remarks to make...

Firstly, if you have a well defined and well maintained firewall, it's hard to 
get _IN_.
One way of dealing with the problem, is installing at work (if you can) an 
openvpn connection towards home.
Even if the company firewall is very strict, they will still allow port 80/443 
going out.
On those ports, you can do an openvpn-proxy. Examples on the openvpn site.

OTOH. If you ask and were declined, or don't ask and they find out later, this 
is for most companies enough reason for instantly being thrown out.
And perhaps get a law suit against you.

So I would _strongly_ suggest asking your sysadmin / networkadmin / 
securityadmin to open-up a port for allowing incoming VPN's.
If it is for doing work from home location, they probably don't object.

Better safe than sorry (and fired)

Hans



Re: Remote access

2011-10-14 Thread Marko Vojinovic
On Friday 14 October 2011 12:42:03 Ed Greshko wrote:
 On 10/14/2011 07:26 PM, Marko Vojinovic wrote:
  <quote>
  A firewall cannot protect a network against its own internal users, and
  should not even try to.
  </quote>
  
  So, if the OP asks his admin to allow him the access, and is refused, I
  think it is perfectly legitimate to DIY and pierce a connection through.
 
 I've known a few *former* employees that thought doing so was legitimate.

Legitimate != legal.

A serious admin should take the time to explain the security implications to 
the user, and persuade him not to do what he wants to do, while providing the 
user with a legal alternative. Failing that, the admin has no operational 
control over the user piercing the firewall. The admin is actually at the mercy 
of user's understanding of security and compliance with the company rules 
that the admin cannot actually enforce in practice. Both the admin and the 
user (and their bosses) should be aware of that. The firewall is *not* a 
security measure against insiders, but only against outsiders.

Legal action against users that disobey company policies is an entirely 
different topic, and should be handled on a case-by-case basis. Sometimes they 
have merit, sometimes they don't. It is up to the OP to judge the legal 
consequences of his own actions.

Have you ever crossed the street when the red light was on for pedestrians, in 
a situation when there were no vehicles in the street? Was that legitimate? 
Was it legal? Was the rule enforceable? Was breaking the rule possible? One 
should make sharp distinction between each of those questions.

Best, :-)
Marko



Re: Remote access

2011-10-14 Thread Ian Malone
On 14 October 2011 12:26, Marko Vojinovic vvma...@gmail.com wrote:

 However, every serious firewall admin should know that the firewall is a 
 one-way
 barrier, protecting local users from the outside attack, and having in
 principle no way to protect the outside world from the local user. Or in the
 words of the firewall-piercing HOWTO
 ( http://tldp.org/HOWTO/Firewall-Piercing ):

 <quote>
 A firewall cannot protect a network against its own internal users, and should
 not even try to.
 </quote>


Actually, there's a difference between this (protecting the network
internally) and protecting the outside world, for example I can't
connect to SMTP outside our firewall right now.

 So, if the OP asks his admin to allow him the access, and is refused, I think
 it is perfectly legitimate to DIY and pierce a connection through.


!

Possibly read your IT policy and your employment contract carefully first.

-- 
imalone


Re: Remote access

2011-10-14 Thread Tom Horsley
On Fri, 14 Oct 2011 13:02:43 +0100
Marko Vojinovic wrote:

 Have you ever crossed the street when the red light was on for pedestrians, 
 in 
 a situation when there were no vehicles in the street? Was that legitimate? 
 Was it legal? Was the rule enforceable? Was breaking the rule possible? One 
 should make sharp distinction between each of those questions.

Actually, crossing at an intersection with the light is nuts. There are
cars coming at you from too many different directions. What you always
want to do to survive as a pedestrian is to jaywalk in the middle of the
block where cars are only trying to kill you in one direction at a time.
The heck with legality, survival is the rule here!

Now if I could only figure out how to make this analogy extend to
firewalls :-).


Re: Remote access

2011-10-14 Thread Marko Vojinovic
On Friday 14 October 2011 12:33:25 Reindl Harald wrote:
 people like you are a real nightmare because you are enforcing
 other ones

I am not enforcing anyone to do anything, just offering advice.

 to break policies which you and we do not understand
 from outside and there is only one person who really must understand
 them - the admin

I disagree. If there is no way to enforce a security rule, every user must be 
*trained* to understand it and know *why* he should uphold it.

If you have ever been a parent, you certainly know that just saying that is 
forbidden to touch doesn't work. Rather, a real explanation *why* a child 
should not touch something is the only way to have the child comply with the 
rules.

If you just restrict people by rules, it *is* legitimate for them to break the 
rules. If instead you teach people why they should uphold the rules, it *is*   
*not* legitimate for them to break those rules. Legitimacy comes from 
understanding, legality comes from obedience.

The OP is the only one who can judge what is legal and what is legitimate in 
his own case.

Best, :-)
Marko





Re: Remote access

2011-10-14 Thread Ian Malone
On 14 October 2011 13:16, Marko Vojinovic vvma...@gmail.com wrote:
 On Friday 14 October 2011 12:33:25 Reindl Harald wrote:
 people like you are a real nightmare because you are enforcing
 other ones

 I am not enforcing anyone to do anything, just offering advice.


I think the word is encouraging.


 If you just restrict people by rules, it *is* legitimate for them to break the
 rules. If instead you teach people why they should uphold the rules, it *is*
 *not* legitimate for them to break those rules. Legitimacy comes from
 understanding, legality comes from obedience.


Not sure what definition of legitimate you are using here.

 The OP is the only one who can judge what is legal and what is legitimate in 
 his own case.

And what might get him fired (irrespective of legality). Of course you
might be completely right, the administrator might say, I'm not going
to set up a VPN but if you can come up with a solution then go ahead.

-- 
imalone


RE: Remote access

2011-10-14 Thread Tim
On Fri, 2011-10-14 at 13:58 +0200, j.witvl...@mindef.nl wrote:
 So, if the OP asks his admin to allow him the access, and is refused,
 I think it is perfectly legitimate to DIY and pierce a connection
 through.
  
 Best, :-)
 Marko

Quite how you come to that conclusion, I don't know.  If you're refused
permission, then that's the *opposite* from being legitimate to try to
do so.  Not only did you originally discover that it was blocked, you're
being outright told that it's not allowed.

In some places, flouting such rules is grounds for dismissal, perhaps on
the first and only instance you get caught.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Remote access

2011-10-14 Thread Tim
On Fri, 2011-10-14 at 13:16 +0100, Marko Vojinovic wrote:
 If you just restrict people by rules, it *is* legitimate for them to
 break the rules.

Bullshit!  You should look up what the word actually means.  It's
synonymous with:  
   according to the rules and requirements, 
   authorised...

The opposite of:  breaking the rules, legality...

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Remote access

2011-10-14 Thread Rick Sewill
On Friday, October 14, 2011 06:05:29 AM Marko Vojinovic wrote:
 On Friday 14 October 2011 05:13:53 KC8LDO wrote:
  Is there a way to use ssh to get through a firewall for remote access to
  a system? The situation I'm looking at is a Fedora system sitting behind
  a company firewall, which I have no control over, that I wish to gain
  access to by logging into it over the Internet from a remote computer.
  In other words the connection is initiated from outside of the
  firewalled company network.
  
  What I'm thinking is using ssh to forward a port, 3389, to another
  computer on my own private network (also behind a firewall and NAT
  router) at home acting as a middle man. Then from another computer, let's
  say at a hotel, logging in to the same computer on my private home
  network and have it pass traffic bidirectionally between the two end
  point computers.
  
  Is this something that can be done using ssh and if so how? I would also
  like to have the remote Fedora system connection to the middle man
  computer remain even if the remote computer is not connected.
 
 You want to look into OpenVPN. It does take some time to read the docs and
 set it up, but it's worth it.
 
   http://openvpn.net/index.php/open-source.html
 
 Essentially, it adds a virtual ethernet device (called tap) to each
 machine, and connects these into a virtual LAN. From that point on you can
 do whatever you want, as if the machines were next to each other in the
 same room, connected to an ethernet switch.
 
 It may happen that the default openvpn port is blocked by the company
 firewall. In that case just reconfigure your machines to use openvpn on
 some port that is not blocked. Other than that, openvpn will work for you
 all over the globe, and it is completely under your control.
 
 Best, :-)
 Marko

Please talk with your manager and your sysadmin.

A good sysadmin will look at the firewall logs, will see something strange,
will report it up to the chain of command, to his boss.

If the sysadmin doesn't, he should lose his job.

If you do something behind the company's back, the company can't trust you.
If a company can't trust you, they have to design you out of the company.
They have to get rid of you.

I've worked remotely for a number of companies.

In each case, the company, and the sysadmin, wanted me to vpn in.
They helped me.  They arranged which VPN I was to use and what I could access.
They also ensured their security wasn't compromised.

If you bypassed security at a company where I worked, you would be discovered.
You would be fired.




Re: Remote access

2011-10-14 Thread Ed Greshko
On 10/14/2011 10:40 PM, Tim wrote:
 On Fri, 2011-10-14 at 13:16 +0100, Marko Vojinovic wrote:
 If you just restrict people by rules, it *is* legitimate for them to
 break the rules.
 Bullshit!  You should look up what the word actually means.  It's
 synonymous with:
 according to the rules and requirements,
 authorised...

 The opposite of:  breaking the rules, legality...


All I know is this  If I were Marko's employer and I read his views 
on circumventing or flouting the rules of a company I'd start to worry.

-- 
Even if you do learn to speak correct English, whom are you going to 
speak it to? -- Clarence Darrow


Re: Remote access

2011-10-14 Thread Rick Sewill
On Friday, October 14, 2011 10:25:59 AM Rick Sewill wrote:
 On Friday, October 14, 2011 06:05:29 AM Marko Vojinovic wrote:
  On Friday 14 October 2011 05:13:53 KC8LDO wrote:
   Is there a way to use ssh to get through a firewall for remote access
   to a system? The situation I'm looking at is a Fedora system sitting
   behind a company firewall, which I have no control over, that I wish
   to gain access to by logging into it over the Internet from a remote
   computer. In other words the connection is initiated from outside of
   the firewalled company network.
   
   What I'm thinking is using ssh to forward a port, 3389, to another
   computer on my own private network (also behind a firewall and NAT
   router) at home acting as a middle man. Then from another computer,
   let's say at a hotel, logging in to the same computer on my private
   home network and have it pass traffic bidirectionally between the two
   end point computers.
   
   Is this something that can be done using ssh and if so how? I would
   also like to have the remote Fedora system connection to the middle
   man computer remain even if the remote computer is not connected.
  
  You want to look into OpenVPN. It does take some time to read the docs
  and set it up, but it's worth it.
  
    http://openvpn.net/index.php/open-source.html
  
  Essentially, it adds a virtual ethernet device (called tap) to each
  machine, and connects these into a virtual LAN. From that point on you
  can do whatever you want, as if the machines were next to each other in
  the same room, connected to an ethernet switch.
  
  It may happen that the default openvpn port is blocked by the company
  firewall. In that case just reconfigure your machines to use openvpn on
  some port that is not blocked. Other than that, openvpn will work for you
  all over the globe, and it is completely under your control.
  
  Best, :-)
  Marko
 
 Please talk with your manager and your sysadmin.
 
 A good sysadmin will look at the firewall logs, will see something strange,
 will report it up to the chain of command, to his boss.
 
 If the sysadmin doesn't, he should lose his job.
 
 If you do something behind the company's back, the company can't trust
 you. If a company can't trust you, they have to design you out of the
 company. They have to get rid of you.
 
 I've worked remotely for a number of companies.
 
 In each case, the company, and the sysadmin, wanted me to vpn in.
 They helped me.  They arranged which VPN I was to use and what I could
 access. They also ensured their security wasn't compromised.
 
 If you bypassed security at a company where I worked, you would be
 discovered. You would be fired.

I should add, in each case, the company provided me with the laptop to use.
The company ensured the laptop had the firewall and virus software they wanted.
The sysadmin managed the laptop; either remotely or I brought the laptop in.
I was to use that laptop for work, and nothing else.
I was not to use any other PC for accessing work, only that laptop.



Re: Remote access

2011-10-14 Thread Dave Mitchell
On Sat, Oct 15, 2011 at 01:03:49AM +1030, Tim wrote:
 Quite how you come to that conclusion, I don't know.  If you're refused
 permission, then that's the *opposite* from being legitimate to try to
 do so.  Not only did you originally discover that it was blocked, you're
 being outright told that it's not allowed.
 
 In some places, flouting such rules is grounds for dismissal, perhaps on
 the first and only instance you get caught.

Indeed, in some places, it's grounds for criminal conviction:

http://en.wikipedia.org/wiki/Randal_Schwartz#Intel_case

(although the Wiki doesn't mention it, one of his felonies was making a
private back door into his place of work).



-- 
No matter how many dust sheets you use, you will get paint on the carpet.


Re: Remote access

2011-10-14 Thread Joe Zeff
On 10/14/2011 08:28 AM, Ed Greshko wrote:
 All I know is this  If I were Marko's employer and I read his views
 on circumventing or flouting the rules of a company I'd start to worry.

I'd be looking for his replacement.


Remote Access

2011-10-14 Thread Bill Perry
Some time ago I was the on call admin for a critical system at a certain 
large company. I wanted to fix problems from home. I checked with three 
different guys in the computer security department before implementing 
anything. I wouldn't want to do something that would get me fired or 
charged with a crime.

The computer security guys were somewhat arrogant, they basically said 
if you can figure out a way around our firewalls, go ahead, but we won't 
create a hole for you.

A couple of days later I had the remote access going and I showed them 
how it worked. They were amazed, but just shrugged and said "cool!, Can 
I have a copy of that script?"

Again - check around, don't do something that would get you in trouble. 
In this economic climate don't take a chance and lose your job!

These days, I'm working for a small company and I make the policies, so 
I'm ok.

notes:

office computer setup
  create script on your office computer to check home website for special
  file (trigger file)
    if not exists
      sleep 5 minutes
    if exists
      ssh to home computer. ssh command uses options to open a reverse
      tunnel on a special port

home computer setup
  copy the public key from the office computer to .ssh/authorized_keys

activate
  from home
  create special file
  start trying to access the special port. You can open multiple windows
  on that port. One window may have to run a keep alive program.

BP
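
Added example, not part of Bill Perry's post or of any message in this thread: the pattern in the notes above (polling an outside web site at a fixed interval, then opening a long-lived outbound ssh session) is the kind of "something strange" in firewall logs that Rick Sewill's message refers to, and this sketch flags it from egress flow records. The log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed egress flow log (assumed format, not from the thread):
# start_time  internal_src  external_dst  dst_port  duration_seconds
# Addresses are RFC 1918 / RFC 5737 documentation values.
SAMPLE_LOG = """\
2011-10-14T09:00:02 10.0.5.23 203.0.113.10 80 1
2011-10-14T09:01:10 10.0.5.40 198.51.100.7 443 3
2011-10-14T09:01:45 10.0.5.40 198.51.100.7 443 2
2011-10-14T09:05:03 10.0.5.23 203.0.113.10 80 1
2011-10-14T09:07:30 10.0.5.40 198.51.100.7 443 9
2011-10-14T09:10:02 10.0.5.23 203.0.113.10 80 1
2011-10-14T09:12:00 10.0.5.41 198.51.100.20 22 45
2011-10-14T09:15:04 10.0.5.23 203.0.113.10 80 1
2011-10-14T09:20:03 10.0.5.23 203.0.113.10 80 1
2011-10-14T09:22:12 10.0.5.40 198.51.100.7 443 4
2011-10-14T09:23:00 10.0.5.40 198.51.100.7 443 2
2011-10-14T09:25:02 10.0.5.23 203.0.113.10 80 1
2011-10-14T09:30:03 10.0.5.23 203.0.113.10 80 1
2011-10-14T09:30:05 10.0.5.23 203.0.113.10 22 14400
2011-10-14T09:41:19 10.0.5.40 198.51.100.7 443 5
2011-10-14T10:00:00 10.0.5.42 198.51.100.30 22 7200
"""


def parse(log):
    """Turn the whitespace-separated log text into a list of flow dicts."""
    flows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, dur = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "dur": int(dur)})
    return flows


def find_pollers(flows, min_hits=5, jitter=0.1):
    """Return {(src, dst): (period_seconds, last_seen)} for web flows that
    repeat at a near-constant interval (every gap within `jitter` of the median)."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["port"] in (80, 443):
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    pollers = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= jitter * period for g in gaps):
            pollers[pair] = (period, times[-1])
    return pollers


def find_tunnel_candidates(flows, min_ssh_duration=3600):
    """Flag long-lived outbound ssh flows (port 22 assumed) that start within
    one polling period of the same source's last fixed-interval web request."""
    pollers = find_pollers(flows)
    findings = []
    for f in flows:
        if f["port"] != 22 or f["dur"] < min_ssh_duration:
            continue
        for (src, web_dst), (period, last_seen) in pollers.items():
            if src != f["src"]:
                continue
            delay = (f["ts"] - last_seen).total_seconds()
            if 0 <= delay <= period:
                findings.append({"src": src, "polled": web_dst,
                                 "poll_period": period, "ssh_dst": f["dst"],
                                 "ssh_duration": f["dur"], "delay": delay})
    return findings


if __name__ == "__main__":
    for hit in find_tunnel_candidates(parse(SAMPLE_LOG)):
        print(hit)
```

On the constructed sample only 10.0.5.23 is reported: the irregular browsing from 10.0.5.40 is not a poller, and the long ssh session from 10.0.5.42 has no polling before it.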




Re: Remote Access

2011-10-14 Thread Joe Zeff
On 10/14/2011 11:50 AM, Bill Perry wrote:
 The computer security guys were somewhat arrogant, they basically said
 if you can figure out a way around our firewalls, go ahead, but we won't
 create a hole for you.

 A couple of days later I had the remote access going and I showed them
 how it worked. They were amazed, but just shrugged and said "cool!, Can
 I have a copy of that script?"

That doesn't come across as arrogant to me.  It sounds more like, "We 
aren't allowed to help you, but we're not going to try to stop you either."

And, I just figured out the correct response to anybody who thinks it's 
legitimate to do something like this because "I think I need it" even 
after being told that it's against company policy:

"What *was* your username?"
clickedy-click!


Re: Remote access

2011-10-14 Thread Marko Vojinovic
On Friday 14 October 2011 16:28:17 Ed Greshko wrote:
 All I know is this  If I were Marko's employer and I read his views
 on circumventing or flouting the rules of a company I'd start to worry.

Oh, I understand you completely! :-)

The opinion that I have comes from the experience of being on both sides of 
the fence --- at times, I was the client needing some access, and other 
times I was the admin being asked to provide such sort of things.

The point is that when someone asks me to change firewall rules to allow him 
some type of access, I take it very seriously into consideration. If there are 
no security threats, I would typically grant access. If there are security 
issues, I would invest some effort into helping the client to achieve his goal 
in a different manner, and/or help him understand why his wish is a Bad Idea 
from a security standpoint, and I would not stop until I was sure he 
understood. If I don't do that, I run the risk that he is going to provide 
himself access behind my back, and that would be even worse.

OTOH, whenever I was in a position of a client asking for something, I 
expected nothing less from my admin. If I ask for, say, a firewall rule to 
grant me some access to something, admin's reply "it's against the rules" is 
not enough. I go on to ask which rule, why, how, for what purpose, etc., and 
if the admin has good answers, I get persuaded to give up on my request for 
access.

But quite often, the admin doesn't have a valid response to which rules, 
why are those rules in place and what could happen if someone disobeys that 
rule. If I am not persuaded that the rule actually makes sense, I go on to 
challenge it in one way or another. Quite often I found out that such rules 
are a consequence of someone's incompetence or a relic from the past, and 
that they are completely useless and artificial (a typical case is when the 
company bureaucracy doesn't keep up with technological development).

In such cases, as well as when the admin insults my intelligence with an 
answer of type "it's too complicated for you to understand why...", I come to 
the conclusion that the rule can be ignored.

Once I even got caught ignoring one of the rules, and when audited by my boss, 
I presented arguments for my defense that eventually led to removing the 
offending rule from the terms of service and company policy (it was about 
allowing access for p2p communication, torrent in particular). I wasn't even 
punished in any way. The rule was just plain stupid and unnecessary.

The point is that I am not some hippie, ignorant of security or other policies 
that are enforced on the users, I just don't want to blindly uphold the 
rules without any sanity. :-)

Best, :-)
Marko

P.S. <quote>Rules are made to be broken...</quote> ;-)





Re: Remote access

2011-10-14 Thread Marko Vojinovic
On Friday 14 October 2011 14:02:25 Ian Malone wrote:
 On 14 October 2011 13:16, Marko Vojinovic vvma...@gmail.com wrote:
  If you just restrict people by rules, it *is* legitimate for them to
  break the rules. If instead you teach people why they should uphold the
  rules, it *is* *not* legitimate for them to break those rules.
  Legitimacy comes from understanding, legality comes from obedience.
 
 Not sure what definition of legitimate you are using here.

Yes, it appears to be a problem for some people in this thread.

Let me phrase in like this --- when some rules in some legal system seize to 
make actual sense, it is legitimate to challenge them.

Think political revolutions, the fact that they are often completely illegal 
by the laws of the countries where they happen, but can be quite legitimate, 
if they change the governing system for a better one.

Think factory workers' strikes, the fact that they were illegal up to some 
point in the past, but were quite legitimate due to poor working conditions of 
the workers.

Think software patents, the fact that they are legal in US, and the legitimacy 
of the social/political/etc. movement against the laws which allow them.

From my POV, a legitimate behavior is the behavior that *makes* *sense* in a 
reasonable way, while it can be against all the rules and laws currently in 
force, in a given context.

So, if someone fails to explain to me why I am not allowed ssh access to my 
work computer (and I *will* listen and understand reasonable explanations), 
then ignoring the rule makes sense, and is therefore legitimate.

This is the way I understand the word legitimate, and the point I wanted to 
get across.

Best, :-)
Marko

P.S. All wikipedia articles about legitimacy talk about some specific topics 
(birth without marriage, political authorities, etc.), and unfortunately I 
didn't find any article or definition that is generic enough... Also, I didn't 
bother to search beyond wikipedia. My explanation above should be clear 
enough. ;-)





Re: Remote access

2011-10-14 Thread Joe Zeff
On 10/14/2011 03:05 PM, Marko Vojinovic wrote:
 Let me phrase in like this --- when some rules in some legal system seize to
 make actual sense, it is legitimate to challenge them.

This made absolutely no sense at all until I suddenly realized that the 
word you meant was cease.


Re: Remote Access

2011-10-14 Thread John Aldrich
On Fri October 14 2011, Joe Zeff wrote:
[snip]
 And, I just figured out the correct response to anybody who thinks it's
 legitimate to do something like this because "I think I need it" even
 after being told that it's against company policy:
 
 "What *was* your username?"
 clickedy-click!

Hehe...reminds me of an old BOFH story! :D


Re: Remote Access

2011-10-14 Thread Sam Varshavchik

Joe Zeff writes:


On 10/14/2011 11:50 AM, Bill Perry wrote:
 The computer security guys were somewhat arrogant, they basically said
 if you can figure out a way around our firewalls, go ahead, but we won't
 create a hole for you.

 A couple of days later I had the remote access going and I showed them
 how it worked. They were amazed, but just shrugged and said "cool!, Can
 I have a copy of that script?"

That doesn't come across as arrogant to me.  It sounds more like, "We
aren't allowed to help you, but we're not going to try to stop you either."

And, I just figured out the correct response to anybody who thinks it's
legitimate to do something like this because "I think I need it" even
after being told that it's against company policy:

"What *was* your username?"
clickedy-click!


Yes. One of my managers was fired for doing that. Shame, he was a nice guy.





Re: Remote Access

2011-10-14 Thread Joe Zeff
On 10/14/2011 04:17 PM, John Aldrich wrote:
 On Fri October 14 2011, Joe Zeff wrote:
 [snip]
 And, I just figured out the correct response to anybody who thinks it's
 legitimate to do something like this because "I think I need it" even
 after being told that it's against company policy:

 "What *was* your username?"
 clickedy-click!

 Hehe...reminds me of an old BOFH story! :D

I'm glad somebody still reads the classics.


Re: Remote access

2011-10-14 Thread Marko Vojinovic
On Friday 14 October 2011 23:18:17 Joe Zeff wrote:
 On 10/14/2011 03:05 PM, Marko Vojinovic wrote:
  Let me phrase in like this --- when some rules in some legal system seize
  to make actual sense, it is legitimate to challenge them.
 
 This made absolutely no sense at all until I suddenly realized that the
 word you meant was cease.

Oh, yes, you're absolutely right.  Sorry for my English, it occasionally gets 
buggy... :-) I doubt that even a spell-checker could help me with that one. 
;-)

Best, :-)
Marko



Re: Remote access

2011-10-14 Thread Ed Greshko
On 10/15/2011 02:21 AM, Joe Zeff wrote:
 On 10/14/2011 08:28 AM, Ed Greshko wrote:
 All I know is this  If I were Marko's employer and I read his views
 on circumventing or flouting the rules of a company I'd start to worry.
 I'd be looking for his replacement.

:-)

-- 
Even if you do learn to speak correct English, whom are you going to 
speak it to? -- Clarence Darrow


Re: Remote access

2011-10-14 Thread Dave Ihnat
On Fri, Oct 14, 2011 at 11:05:49PM +0100, Marko Vojinovic wrote:
 Yes, it appears to be a problem for some people in this thread.

And, if you'll pardon my mentioning it, you...

 Let me phrase in like this --- when some rules in some legal system seize to 
 make actual sense, it is legitimate to challenge them.

We've already seen the correction from seize to cease.

 Think political revolutions, ...
 ...
 Think factory workers' strikes, ...
 ...
 Think software patents, ...

With all due respect, you're comparing apples to oranges.

All of your examples are of inequities, protests against injustice, etc.

In this case, we're talking about the right of an individual, or a company,
to define the acceptable use of their owned material assets.

Their rules may be misguided, uninformed, asinine, or obsolete.  But they
*are* their rules, and thoroughly legal.

Your use of their equipment, services, and resources as an employee are
totally governed by them.  You, as an enlightened employee, may use any
means acceptable at your organization to direct, inform, and educate them
in more appropriate rules and guidelines.

You categorically do not have the right to unilaterally decide to change or
circumvent those rules and guidelines.

You have two choices if they refuse to recognize your view--submit to their
direction, or quit.

If you decide on a third choice--circumvention of their rules and
guidelines--you may get away with it for some amount of time, even
indefinitely.  But make no mistake about it.

You Are Wrong, and anything from summary termination to legal action should
not be unexpected.

This is not a matter of civil rights, or correcting a social wrong.  It's a
matter of you wanting to use their equipment and services in a way they've
seen fit to deny you.  Violate that decision unilaterally at your peril.

Cheers,
--
Dave Ihnat
dih...@dminet.com


Remote access

2011-10-13 Thread KC8LDO
Is there a way to use ssh to get through a firewall for remote access to a 
system? The situation I'm looking at is a Fedora system sitting behind a 
company firewall, which I have no control over, that I wish to gain access 
to by logging into it over the Internet from a remote computer. In other 
words the connection is initiated from outside of the firewalled company 
network.

What I'm thinking is using ssh to forward a port, 3389, to another computer 
on my own private network (also behind a firewall and NAT router) at home 
acting as a middle man. Then from another computer, let's say at a hotel, 
logging in to the same computer on my private home network and have it pass 
traffic bidirectionally between the two end point computers.

Is this something that can be done using ssh and if so how? I would also 
like to have the remote Fedora system connection to the middle man computer 
remain even if the remote computer is not connected.

Regards,

Leland C. Scott
KC8LDO

The most reliable components
 are the ones you leave out.

Gordon Bell, father of the
minicomputer at DEC. 



Re: Remote access

2011-10-13 Thread Scott Rouse
On Oct 14, 2011 12:13 AM, KC8LDO kc8...@arrl.net wrote:

> Is there a way to use ssh to get through a firewall for remote access to a
> system? The situation I'm looking at is a Fedora system sitting behind a
> company firewall, which I have no control over, that I wish to gain access
> to by logging into it over the Internet from a remote computer. In other
> words the connection is initiated from outside of the firewalled company
> network.
>
> What I'm thinking is using ssh to forward a port, 3389, to another computer
> on my own private network (also behind a firewall and NAT router) at home
> acting as a middle man. Then from another computer, let's say at a hotel,
> logging in to the same computer on my private home network and have it pass
> traffic bidirectionally between the two end point computers.
>
> Is this something that can be done using ssh and if so how? I would also
> like to have the remote Fedora system connection to the middle man computer
> remain even if the remote computer is not connected.
>
> Regards,
>
> Leland C. Scott
> KC8LDO
>
> The most reliable components
>  are the ones you leave out.
>
> Gordon Bell, father of the
> minicomputer at DEC.

There are many companies that would frown upon doing what you are
proposing.  I would suggest that you talk to your network/firewall admin and
see if they will make an allowance for you.