Re: Remote assistance for X

2010-01-03 Thread Karl J. Runge
On Sun, 3 Jan 2010, Warren Block wrote:
> >
> > I believe a workaround for you will be:
> >
> >    ssvncviewer -listen -rfbversion 3.7
> >
> > this reverts to the previous protocol version where there is no issue.
> 
> Confirmed, that works fine with TightVNC servers from both of the 
> Windows systems.  Thanks!

Very good.

The bug fix for this is now in the dev source tarball:

http://ssvnc.sourceforge.net/dev/ssvnc-1.0.26.src.tar.gz

in case you or anyone else wants to test that it works.  This should
work with TightVNC servers without the need for -rfbversion.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Remote assistance for X

2010-01-03 Thread Warren Block

On Sat, 2 Jan 2010, Karl J. Runge wrote:

> On Sat, 2 Jan 2010, Warren Block wrote:
>
>> Proto: RFB 003.008
>>
>> Connected to RFB server, using protocol version 3.8
>> Enabling TightVNC protocol extensions
>> Security-Type: 16 (rfbSecTypeTight)
>> No authentication needed
>>
>> Desktop name ""
>> ...
>> ...and that's it.  The TightVNC server shows it's connected, and the
>> ssvncviewer console is still busy.  But no graphic window.  ^C on the
>> ssvncviewer window and the TightVNC server beeps and disconnects.
>> That's TightVNC 1.3.10 on Vista and ssvnc-1.0.22_1 on FreeBSD.
>
> This is a bug in ssvncviewer that I will fix in the next release (1.0.26)
>
> It has to do with the (silly, IMHO) TightVNC security type rfbSecTypeTight
> (that has nothing to do with security or encryption; it is used to enable
> other features!)
>
> I believe a workaround for you will be:
>
>    ssvncviewer -listen -rfbversion 3.7
>
> this reverts to the previous protocol version where there is no issue.

Confirmed, that works fine with TightVNC servers from both of the
Windows systems.  Thanks!


-Warren Block * Rapid City, South Dakota USA


Re: Remote assistance for X

2010-01-02 Thread Karl J. Runge
On Sat, 2 Jan 2010, Warren Block  wrote:
> 
> Proto: RFB 003.008
> 
> Connected to RFB server, using protocol version 3.8
> Enabling TightVNC protocol extensions
> Security-Type: 16 (rfbSecTypeTight)
> No authentication needed
> 
> Desktop name ""
> ...
> ...and that's it.  The TightVNC server shows it's connected, and the 
> ssvncviewer console is still busy.  But no graphic window.  ^C on the 
> ssvncviewer window and the TightVNC server beeps and disconnects. 
> That's TightVNC 1.3.10 on Vista and ssvnc-1.0.22_1 on FreeBSD.

This is a bug in ssvncviewer that I will fix in the next release (1.0.26)

It has to do with the (silly, IMHO) TightVNC security type rfbSecTypeTight
(that has nothing to do with security or encryption; it is used to enable
other features!)

I believe a workaround for you will be:

ssvncviewer -listen -rfbversion 3.7

this reverts to the previous protocol version where there is no issue.



Re: Remote assistance for X

2010-01-02 Thread Karl J. Runge
On Fri, 1 Jan 2010, Warren Block  wrote:
> [SSL mode for x11vnc]
> 
> I've tried it now and it does just what is needed for my setup!

Very good.

> Finally, a little feedback:
> 
> On a Windows Vista system, AVG screamed that the netcat.exe from 
> ssvnc_windows_only-1.0.25.zip was a virus (don't think it is, just 
> mentioning it).

Yes, that is for the little used port-knocking feature (you can delete
it if it causes a persistent annoyance.)  AV software tends to have a
knee-jerk reaction to netcat because it is often in a rootkit.  OTOH on
Unix netcat/nc is often installed by default (and so SSVNC uses the
system one there.)  I don't feel like writing a C program for Windows to
do what I need from netcat.exe only to avoid the AV triggers.

> The TightVNC server on that Vista machine will connect with the
> FreeBSD ssvncviewer, and the ssvncviewer console window shows status
> information, but no graphic window opens on the FreeBSD system.

Could you show me (via this thread or private email) the ssvncviewer
console window printout for when this happens?  I might spot a problem.
Please include all of the output from the very beginning.

(BTW, if you don't know how to scroll or select all of the text in xterm
feel free to ask me.)

> The FreeBSD TightVNC vncviewer opens a window but has real trouble
> keeping the display updated, no doubt due to Vista.  Finally, the
> UltraVNC server with special Vista video drivers works usably with
> ssvncviewer.

I've seen things like this.

> Can SSL be used with a Windows VNC server?

Yes.  In a SSVNC Windows bundle look for the stunnel example
provided in:

Windows/util/stunnel-server.conf

You run stunnel.exe on that conf file (modified to your needs), and
the traffic goes thru stunnel.



Re: Remote assistance for X

2010-01-01 Thread Warren Block

On Fri, 1 Jan 2010, Karl J. Runge wrote:

> On Fri, 1 Jan 2010, Warren Block wrote:
>
> Here are some examples that should work, I provide "prompt>" to indicate
> which machine the command is run on (and I skip your -c preference):
>
>   supportee_host> ssh -t -N -f -L 5500:localhost:5500 $supporter_host && \
>   x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0
>
> which should be the same as:
>
>   supportee_host> x11vnc -display :0 -proxy ssh://$supporter_host \
>   -connect_or_exit localhost:0 -rfbport 0
>
> i.e. x11vnc has a built-in -proxy that already does what you want it
> to do; it runs ssh(1) for you:
>
>   http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-proxy
>
> Note how I use -connect_or_exit instead of -connect to try to avoid
> problems if the connection fails:
>
>   http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-connect_or_exit
>
> I also use the '-rfbport 0' described there to prevent x11vnc from listening
> for any connections (which I think is what you want.)
>
> Aside: Originally I thought you could ssh into supportee_host, for anyone
> looking to do that here is the analogous command:
>
>   supporter_host> ssh -t -N -f -R 5500:localhost:5500 $supportee_host \
>   x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0

Yes.  In fact, I first tried the x11vnc_ssh script and it worked great.
The only catch is that it needs ssh access into the supportee machine.

[SSL mode for x11vnc]

>> That looks more elegant.  Are the security and speed comparable to ssh?
>
> Speed shouldn't be a problem; I believe both ssh and 'x11vnc -ssl' use
> OpenSSL for encrypting the session traffic.  If a machine is *really*
> slow the choice of encryption cipher may be noticeable (I don't see a
> big effect even on a 300MHz test machine I have.)

I've tried it now and it does just what is needed for my setup!

Finally, a little feedback:

On a Windows Vista system, AVG screamed that the netcat.exe from
ssvnc_windows_only-1.0.25.zip was a virus (don't think it is, just
mentioning it).  The TightVNC server on that Vista machine will connect
with the FreeBSD ssvncviewer, and the ssvncviewer console window shows
status information, but no graphic window opens on the FreeBSD system.

The FreeBSD TightVNC vncviewer opens a window but has real trouble
keeping the display updated, no doubt due to Vista. Finally, the
UltraVNC server with special Vista video drivers works usably with
ssvncviewer.  Can SSL be used with a Windows VNC server?

x11vnc talking to ssvnc-gui works noticeably better than all of those
combinations.  Thanks for your work and your help!


-Warren Block * Rapid City, South Dakota USA


Re: Remote assistance for X

2010-01-01 Thread Karl J. Runge
On Fri, 1 Jan 2010, Warren Block  wrote:
> 
> ssh -t -c blowfish -N -f -L 5500:$supporterhost:5500 $supporterhost && \
> x11vnc -display :0 -localhost -connect localhost -ncache 10

I think that will work, but I believe (for extra safety/clarity if nothing
else) you really want:

   -L 5500:localhost:5500

in the ssh command.

Note that for -L the ending host:port part is relative to the *sshd*
(ssh-server) side.

So, if I understand what you want, you might as well use localhost:5500
instead of $supporterhost:5500.  Also, if $supporterhost is that of an
internet firewall/router doing port forwarding, $supporterhost might
not resolve properly on the "supporterhost", or leak back out to the
internet in a weird way.

Symmetrically: for -R the ending host:port part is relative to the ssh
(ssh-client) side.


Here are some examples that should work, I provide "prompt>" to indicate
which machine the command is run on (and I skip your -c preference):

   supportee_host> ssh -t -N -f -L 5500:localhost:5500 $supporter_host && \
   x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0

which should be the same as:

   supportee_host> x11vnc -display :0 -proxy ssh://$supporter_host \
   -connect_or_exit localhost:0 -rfbport 0

i.e. x11vnc has a built-in -proxy that already does what you want it
to do; it runs ssh(1) for you:

   http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-proxy

Note how I use -connect_or_exit instead of -connect to try to avoid
problems if the connection fails:

   http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-connect_or_exit

I also use the '-rfbport 0' described there to prevent x11vnc from listening
for any connections (which I think is what you want.)

Aside: Originally I thought you could ssh into supportee_host, for anyone
looking to do that here is the analogous command:

   supporter_host> ssh -t -N -f -R 5500:localhost:5500 $supportee_host \
   x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0


In all cases supporter_host is running:

   supporter_host> vncviewer -listen 0

(or ssvncviewer -listen 0 if you have SSVNC)

> ...
> That looks more elegant.  Are the security and speed comparable to ssh?

Speed shouldn't be a problem; I believe both ssh and 'x11vnc -ssl' use
OpenSSL for encrypting the session traffic.  If a machine is *really*
slow the choice of encryption cipher may be noticeable (I don't see a
big effect even on a 300MHz test machine I have.)

Security-wise, of course 'ssh' is used much more than 'x11vnc -ssl'.

For both ssh and 'x11vnc -ssl' if the certificate/key is not verified
by an external means one is susceptible to man-in-the-middle-attack.
However w/o verification at least both are safe against passive network
sniffing.

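
The -L/-R rule described in the message above, as an added example that is not part of the thread: a POSIX sh helper that reports which side of the ssh connection opens the final hop of a forward and whether that hop stays on loopback. The function names and the host supporter.example are assumptions made for illustration; "lightning" is the host name used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): for each ssh -L/-R forward, report which
# side opens the final connection and whether that hop stays on loopback.

# forward_leg MODE SPEC  ->  prints "<side> <verdict> <host>:<hostport>"
#   MODE: L or R.  SPEC: [bind_address:]port:host:hostport
forward_leg() {
    case $1 in
        L) side=sshd-side ;;        # -L: destination is reached from the ssh server
        R) side=ssh-client-side ;;  # -R: destination is reached from the ssh client
        *) echo "forward_leg: mode must be L or R" >&2; return 2 ;;
    esac
    case $2 in
        *:*:*) ;;
        *) echo "forward_leg: expected port:host:hostport, got '$2'" >&2; return 2 ;;
    esac
    hostport=${2##*:}
    rest=${2%:*}                    # what is left: [bind_address:]port:host
    case $rest in
        *\]) host=${rest##*\[}; host=${host%\]} ;;  # bracketed IPv6 such as [::1]
        *)   host=${rest##*:} ;;
    esac
    case $hostport in
        ''|*[!0-9]*) echo "forward_leg: bad port '$hostport'" >&2; return 2 ;;
    esac
    [ -n "$host" ] || { echo "forward_leg: empty host" >&2; return 2; }
    case $host in
        localhost|127.0.0.1|::1) verdict=loopback ;;   # hop never leaves that machine
        *) verdict=outside-tunnel ;;  # resolved and connected in the clear from $side
    esac
    echo "$side $verdict $host:$hostport"
}

# audit_cmd "ssh command line"  ->  one forward_leg line per "-L spec" / "-R spec"
audit_cmd() {
    set -f; set -- $1; set +f       # word-split the text without globbing
    while [ $# -gt 1 ]; do
        case $1 in
            -L|-R) forward_leg "${1#-}" "$2"; shift ;;
        esac
        shift
    done
}

# Constructed input: commands from the thread with $remotehost expanded to
# "lightning" and the supporter's host replaced by supporter.example.
for cmd in \
    'ssh -t -c blowfish -R 5500:lightning:5500 localhost' \
    'ssh -t -c blowfish -R 5500:localhost:5500 lightning' \
    'ssh -t -N -f -L 5500:supporter.example:5500 supporter.example' \
    'ssh -t -N -f -L 5500:localhost:5500 supporter.example'
do
    printf '%s\n  => %s\n' "$cmd" "$(audit_cmd "$cmd")"
done
```
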


Re: Remote assistance for X

2010-01-01 Thread Warren Block

On Fri, 1 Jan 2010, Karl J. Runge wrote:

>> remotehost="lightning"
>> cmd="x11vnc -display :0 -localhost -connect localhost -ncache"
>> ssh -t -c blowfish -R 5500:$remotehost:5500 localhost "$cmd"
>
> I think you mean:
>
>  ssh -t -c blowfish -R 5500:localhost:5500 $remotehost "$cmd"
>
> right?  You want to ssh to $remotehost and have the 5500 traffic go
> through ssh to localhost:5500, no?  The use of '-R 5500:$remotehost:5500'
> implies an unencrypted leg going over the network (which may or may not
> be acceptable to you, i.e. inside your LAN, but I'm not sure.)

[Having spent some time today fighting my own firewall, I'm
reconsidering the use of relative names like "remote".]

Ideally, the supportee will start x11vnc and the ssh tunnel on their
system and not need to open port 22 on their firewall.  So maybe:

ssh -t -c blowfish -N -f -L 5500:$supporterhost:5500 $supporterhost && \
x11vnc -display :0 -localhost -connect localhost -ncache 10

> There are some ways to emulate UltraVNC single click with x11vnc:
>
> http://www.karlrunge.com/x11vnc/faq.html#faq-singleclick
>
> and SSL encrypted connections are described at the end of that FAQ.
> The ssvnc GUI wrapper (but not the bare ssvncviewer) can establish the
> SSL tunnel for you.

That looks more elegant.  Are the security and speed comparable to ssh?

> However, since you have ssh access to the supportee machine, I
> suggest using that.

The test machine is inside my LAN now, but once it goes out into the
wild, it will probably be behind a consumer-grade firewall with very few
incoming ports open.

-Warren Block * Rapid City, South Dakota USA


Remote assistance for X

2010-01-01 Thread Karl J. Runge
> remotehost="lightning"
> cmd="x11vnc -display :0 -localhost -connect localhost -ncache"
> ssh -t -c blowfish -R 5500:$remotehost:5500 localhost "$cmd"

I think you mean:

  ssh -t -c blowfish -R 5500:localhost:5500 $remotehost "$cmd"

right?  You want to ssh to $remotehost and have the 5500 traffic go
through ssh to localhost:5500, no?  The use of '-R 5500:$remotehost:5500'
implies an unencrypted leg going over the network (which may or may not
be acceptable to you, i.e. inside your LAN, but I'm not sure.)

BTW, to help flush out problems testing in your LAN, there is an
easter-egg in ssvncviewer to only listen on localhost.  E.g.:

  ssvncviewer -env VNCVIEWER_LISTEN_LOCALHOST=1 -listen 0

> Ultravnc (http://www.uvnc.com/) has a slick setup where you give the
> Windows user a binary to run, and it calls back to the support site.
> No setup needed on the client's part.  I don't know how much of that is
> encrypted.

I don't think any of it is encrypted unless you setup the UltraVNC
DSM plugin.

There are some ways to emulate UltraVNC single click with x11vnc:

http://www.karlrunge.com/x11vnc/faq.html#faq-singleclick

and SSL encrypted connections are described at the end of that FAQ.
The ssvnc GUI wrapper (but not the bare ssvncviewer) can establish the
SSL tunnel for you.

However, since you have ssh access to the supportee machine, I
suggest using that.


Re: Remote assistance for X

2010-01-01 Thread Warren Block

On Fri, 1 Jan 2010, Brahim LARCHET wrote:

> On 01/01/2010 18:45, Matthew Seaman wrote:
>
>> x2x sounds like it fits the bill:
>>
>> http://www.freebsd.org/cgi/man.cgi?query=x2x&manpath=FreeBSD+Ports+7.0-RELEASE
>
> Synergy can do this too http://synergy2.sourceforge.net
>
> http://synergy2.sourceforge.net/faq.html#faq5

Those both sound more like software KVMs rather than remote control.  An
example of what I'm up against, from a couple of days ago:

Them: It popped up a window that says error.
  Me: I'm going to need a bit more detail.
Them: It was blue.
  Me: ... Okay.  What did it say?
Them: I can't read that small type, and anyway there's another window in
  front of it that's kind of fuzzy.
  Me: Okay, which window is active is called "focus", and well, it
  doesn't matter.  Click on the title bar and drag that window out
  of the way.
Them: What's a title bar?
  Me: That... er, bar at the top, with the, well, title on it.
Them: When you say click, do you mean the left or right mouse button?

Ultravnc (http://www.uvnc.com/) has a slick setup where you give the
Windows user a binary to run, and it calls back to the support site.
No setup needed on the client's part.  I don't know how much of that is
encrypted.

The shared session is important to be able to show the users how to do
things in their own inevitably-customized session.

Right now, I can run ssvncviewer -listen on the support system, then run
this on the "supportee" system:

...
remotehost="lightning"
cmd="x11vnc -display :0 -localhost -connect localhost -ncache"
ssh -t -c blowfish -R 5500:$remotehost:5500 localhost "$cmd"

That works, and I think it meets the specs.  Reversing connection
combined with a remote tunnel is making me dizzy.  And this is all on
the LAN for testing, so allowing this in through the firewall will add
more complexity.


-Warren Block * Rapid City, South Dakota USA


Re: Remote assistance for X

2010-01-01 Thread Brahim LARCHET
On 01/01/2010 18:45, Matthew Seaman wrote:
> Warren Block wrote:
>> A remote computer used by relatives is running FreeBSD and X.  I'd
>> like to find a method to work with the remote desktop to help them
>> solve problems and maintain the system.
>>
>> The remote user's existing desktop should be shared, rather than
>> creating a new session.
>>
>> Traffic and passwords should be encrypted.
>>
>> The remote system could be on dialup, so faster is better.
>>
>> The remote system should initiate the connection so there's no need
>> for the remote users to change firewall settings.  Also no security
>> concern when the software isn't being used.
>>
>> So far, ssvnc and x11vnc look to be the only combination that meets
>> the requirements.  Are there others?
>
> x2x sounds like it fits the bill:
>
> http://www.freebsd.org/cgi/man.cgi?query=x2x&manpath=FreeBSD+Ports+7.0-RELEASE
>
>
> The home page for x2x is at http://x2x.dottedmag.net/ but it seems to
> be having a few problems at the moment.
>
> Note that this sends X protocol traffic across the net without
> encryption, an action that is at least as bad, and in fact, probably
> rather worse than using an unencrypted rsh or telnet session.  Best to
> wrap everything in a SSH or ipsec tunnel.
>
> Cheers,
>
> Matthew

Synergy can do this too http://synergy2.sourceforge.net

 http://synergy2.sourceforge.net/faq.html#faq5



Re: Remote assistance for X

2010-01-01 Thread Matthew Seaman

Warren Block wrote:
> A remote computer used by relatives is running FreeBSD and X.  I'd like
> to find a method to work with the remote desktop to help them solve
> problems and maintain the system.
>
> The remote user's existing desktop should be shared, rather than
> creating a new session.
>
> Traffic and passwords should be encrypted.
>
> The remote system could be on dialup, so faster is better.
>
> The remote system should initiate the connection so there's no need for
> the remote users to change firewall settings.  Also no security concern
> when the software isn't being used.
>
> So far, ssvnc and x11vnc look to be the only combination that meets the
> requirements.  Are there others?


x2x sounds like it fits the bill:

http://www.freebsd.org/cgi/man.cgi?query=x2x&manpath=FreeBSD+Ports+7.0-RELEASE

The home page for x2x is at http://x2x.dottedmag.net/ but it seems to
be having a few problems at the moment.

Note that this sends X protocol traffic across the net without encryption, an
action that is at least as bad, and in fact, probably rather worse than using
an unencrypted rsh or telnet session.  Best to wrap everything in a SSH or ipsec
tunnel.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





Remote assistance for X

2010-01-01 Thread Warren Block
A remote computer used by relatives is running FreeBSD and X.  I'd like 
to find a method to work with the remote desktop to help them solve 
problems and maintain the system.


The remote user's existing desktop should be shared, rather than 
creating a new session.


Traffic and passwords should be encrypted.

The remote system could be on dialup, so faster is better.

The remote system should initiate the connection so there's no need for 
the remote users to change firewall settings.  Also no security concern 
when the software isn't being used.


So far, ssvnc and x11vnc look to be the only combination that meets the 
requirements.  Are there others?


-Warren Block * Rapid City, South Dakota USA