Solved Remote desktop access options

I'm making progress with my migration from Debian to FreeBSD (10.1-RELEASE), but have encountered another stumbling point.

With my Debian infrastructure I have a container (jail) that runs X2Go (with Fluxbox, rox-filer, rxvt, rtorrent, and every other application I need). I connect to it both internally and externally (because it's automagically tunnelled through SSH) and it's where I do all my work at home. It looks like there's no FreeBSD package or port of X2Go and the NX libraries it depends upon have long since disappeared.

It looks like my options are:
1. figure out Gentoo or Slackware in a jail and run X2Go, or;
2. try to build X2Go and the NX dependencies myself, or;
3. suffer with the lag of VNC or XRDP, or;

With 1., I'd prefer to have a homogeneous environment in my home datacentre.
With 2., my programming skills are really rather rusty. Maybe a decade ago I would have had no issue with it, but I do mostly PHP and shell scripting now. It's been a few years since I've seen C or variants.
With 3., I'd rather go with option 1.

My only requirements are that the solution run in a jail and be easy (read transparent) to use through SSH or something equivalent.

Any advice? Other options?

Thank you in advance for your help.

Cheers!
Randall
 
NX X is a proprietary protocol. It is basically cleverly compressed

ssh -Y username@server

to minimize the amount of data transmitted. Until version 3.x it was open source. Starting with version 4.x, both the NX X client and servers are binary blobs only for selected OSes (obviously the server should be Linux only).

I am not aware that an NX X version 3.x server was released for anything but Linux (possibly Solaris). The OpenNX client, which is in FreeBSD ports, works very well and I use it daily not just on FreeBSD but on OpenBSD as well. There were some attempts, most notably the FreeNX and NeatX servers. Both sucked in comparison with the proprietary server. The only drawback of the proprietary server was the fact that you could have only 2 concurrent sessions with the free version, so I actually became a paid customer of NoMachine. Then NoMachine released the 4.xxx binary blob series and everything was over.

A few guys with some Perl skills picked up the free NX libraries scattered all over the place and created the X2Go server. It works reasonably well and the client is available for FreeBSD. However, there is a big BUT. X2Go comes with a built-in root exploit both on the client and server side. Whether that major security problem is due to a lack of skills or was built into X2Go intentionally is not something I personally want to think about. I simply don't use X2Go :)

So that leaves you with


ssh -Y username@server

if your network is fast enough and if the X clients you need to access are reasonably small (I am afraid you will not be able to use a web browser), but plotting a curve using matplotlib or R should definitely work.


Alternative is VNC (VNC protocol is a separate network protocol which I tend to firewall) of course which has its own share of security problems which are equally bad as X2Go or even worse.

The real question you should be asking is why do you need X access to your FreeBSD desktop machine? In 95% of cases people really don't need X access to remote machine. The remaining 5% are commonly encountered situations in scientific computing when you need MATLAB for example which doesn't run on FreeBSD so you are accessing it on the Linux server using NX client (even in that case unless you are visualizing something you really don't need full MATLAB gui and its default shell which is in ncurses is sufficient to do the job).
 
This provides a fairly fast xwindow connection, but at the cost of some security.

If this will be over a local network, create an alias to make this easier in your bashrc or profile somewhere

Code:
# Local network only: faster ciphers at the cost of some security
alias ssh-x='ssh -c arcfour,blowfish-cbc -X'

Make sure xauth and X11 fonts are installed on the FreeBSD server/instance.

Make sure the machine you are ssh-ing from has an X11 manager.

On a Mac you need XQuartz; on Linux, if you have a frontend, it will probably just work.

If you are going to ssh over the public internet, use this alias so you get standard ssh encryption.

Code:
# Public internet: default ssh ciphers
alias ssh-X='ssh -X'

NX just overcomplicates something simply done with ssh and has the issue Oko mentioned as well.
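
A check to run before relying on the local-network alias above, added here as an example and not part of the original post: newer OpenSSH releases no longer include arcfour or blowfish-cbc, so the alias can fail with an unknown-cipher error. The function name `rejected_ciphers` and the sample cipher list are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report which ciphers from an
# "ssh -c" list the local ssh client would refuse.

# rejected_ciphers REQUESTED [SUPPORTED]
#   REQUESTED  comma-separated list, as passed to "ssh -c"
#   SUPPORTED  newline-separated list; defaults to "ssh -Q cipher"
# Prints the unsupported names, space-separated; returns 1 if any.
rejected_ciphers() {
    requested=$1
    supported=${2-$(ssh -Q cipher 2>/dev/null)}
    bad=""
    old_ifs=$IFS
    IFS=,
    for c in $requested; do
        # -x whole line, -F fixed string: exact cipher names only
        if ! printf '%s\n' "$supported" | grep -qxF -- "$c"; then
            bad="${bad:+$bad }$c"
        fi
    done
    IFS=$old_ifs
    printf '%s' "$bad"
    [ -z "$bad" ]
}

# Constructed sample: a cipher list of the kind a recent OpenSSH reports.
SAMPLE_SUPPORTED='aes128-ctr
aes256-ctr
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com'

# Against the real client, omit the second argument:
#   rejected_ciphers "arcfour,blowfish-cbc" || echo " <- not supported here"
```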
 
I forgot to mention, once you ssh in, commands like:

startxfce
startkde
gnome-session

should launch the frontend over xauth.

Normally if I have machines that I would want a frontend on, but don't have convenient physical access to, I boot them into multi-user mode, to save a pinch of system resources as well.

Of course a terminal is generally a far more powerful tool than a frontend, but there are situations where someone needs a GUI.

Try and write a 1500 line autoyast.xml install config for SLES file from scratch without a GUI :)
 
Thanks for your responses Oko and Matthew.

I like the relaxed local security and standard remote security approach--definitely something I wouldn't have thought of.

There are occasions where I need to connect to my home desktop to do things like ping, traceroute (which are both blocked by the work ISP) and test remote access (to websites and video conferencing appliances). I don't need it to be video-streaming fast--I normally just look to see if an image actually shows up.

Now that I've got it working, is there any way to bring multiple remote applications together in a single window, like VNC and X2Go can? Sort of like a desktop in a window. With X2Go, I have different keys defined in fluxbox so I can change virtual desktops, send windows to other virtual desktops etc. without doing that on the local system.

When I startfluxbox in the ssh session (which has 6 virtual desktops configured, some containing mrxvt windows) it all ends up on the corresponding virtual desktops on the local machine. Having it wrapped in a single window would complete the package for me.

Cheers!
Randall
 
For these work problems you mentioned, it would be far easier to set up a squid web proxy or a SOCKS proxy.

For example:

ssh -D 9090 host will create a SOCKS proxy on your local work machine.

From there you can set your adapter to send all traffic over the SOCKS proxy.

In Firefox you can download FoxyProxy.

With that you could open multiple ssh SOCKS proxies to, say, an AWS instance, then set up regex patterns based on host names that automatically select the proxy you want to send the traffic over without changing your NIC settings.

ssh can do an awful lot for you: ssh VPN tunnels, local and remote proxies, port forwarding local and remote.

At work and ssh, there is always a way to do what you want.

If they give a machine with internet access blocked, ssh will fix that :)


In regard to multiple desktops: sending 6 desktops over the internet with video requires a lot of bandwidth and up speed.

First, I just wouldn't do it, and with that in mind I would find a better way to accomplish whatever it is you are trying to do.
 
That's exactly why I started this thread--to find a better way (a BSD way).

What I'm trying to do is have a desktop that I can access from anywhere and is where I left off when I last disconnected. It's rather trivial in Linux--albeit with quite a few security concessions as pointed out by Oko. With my move to FreeBSD, I'm hoping I can bring the experience with me (not necessarily the method). If not that's okay, but I'd like to put in the effort before giving up and putting Linux in a FreeBSD jail to do the task.

I'm not concerned about video--as I said, I just check to see that an image appears on the web page of the appliance (implies a web browser). An image means the appliance is working and I can close the tab, moving on to the next troubleshooting step.

The tasks I use the desktop for at work are a very small part of its total use. It's my 'everything' box. All the physical computers I use outside of work are just a means to get to it, search the web or consume media.

You mentioned startxfce, startkde and gnome-session. Those all start with 4 virtual desktops by default. I don't understand how adding 2 more is so difficult--I manage with 80kbps upstream now with fluxbox through X2Go.

So maybe X forwarding isn't the way to go. I'll try VNC and RDP through ssh before I give up and go Linux.

Thanks for your help. I hope there's no offence taken, I'm just trying to explain where I'm coming from and what I'm trying to do.

Cheers!
Randall
 
:) First, there could be no offense taken. We are just strangers and I am just offering some help here because people have helped me, I get bored, and people have to contribute for this to continue.

I think we have had a miscommunication, however.

I thought you were referring to multiple monitors, i.e. desktops, which I have seen in NX, but it sounds like you are referring to 1 screen with multiple virtual desktops within.

ssh is going to perform better than VNC and is more secure as well. I have only seen RDP in Microsoft.

Getting the fancier features of the desktops to work over xwindow is some work perhaps.

Gnome 3 seems very picky about your graphics card and I have never seen it work over ssh / xauth, whereas Gnome 2 works great.

Whether you are using BSD or Linux, there is virtually no difference for what you are trying to do. You are using 3rd party packages, nothing that is natively Linux or BSD.

If you wanted multiple desktops, you could simply open multiple ssh connections.
 
Good stuff. We did have some miscommunication, my apologies.

Thanks for your advice. I'll stick with ssh for now and try to glue things together. There's got to be a way to create a smaller 'root'-type window (the main window that X creates and draws everything on) with decorations (title bar, min/max/close buttons and resize handles) and have the remote apps sent there--I just have to find it.

Maybe I'll start by looking at the X2Go and old NX scripts/code and possibly get some ideas from it.

EDIT: And of course I completely forgot about xnest and Xephyr... time to do some reading.

My goal with these forums is to eventually turn every thread I create into a how-to. Whether I will end up helping or simply amusing others, only time will tell. ;)

Cheers!
Randall
 
Btw, you don't need to bring up the whole desktop. You can start Firefox like: firefox &.
This sends the process in the terminal to the background but still opens up Firefox from that server.

Then you can continue to open additional programs as needed.

I don't usually install the whole desktop; you just need xauth, X11 fonts and then any program you want to open.
 
Just over a year and a half later, including several breaks and revisits, I've found a solution that works for me.

I ended up using Xvfb and x11vnc with fluxbox to provide a reasonable (and probably more secure) desktop than Debian+X2Go. For security, I lucked into a decommissioned (and discontinued but still updated) Fortinet FGT-200B that now provides an LDAP-authenticated SSLVPN tunnel to my home network.

Aside from having the added step of connecting to the VPN first (which I think I would have had to do with an SSH tunnel anyway), I'm happily connecting from wherever I have Wi-Fi or 3G+ connectivity.

Thanks all for your contributions. Now to work on turning what I did into a tutorial--even if it's just for my own use in the future.

Cheers!
Randall
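
One way to assemble the Xvfb, fluxbox and x11vnc combination described in the post above, added here as an example and not the poster's actual configuration. The display number, geometry, port, password file path and function names are assumptions; x11vnc is bound to loopback so it is reachable only through the VPN or an SSH forward.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumed values:
# display :1, 1280x800x24, port 5901, password file ~/.vnc/passwd
# (created once with: x11vnc -storepasswd).
DISPLAY_NUM=${DISPLAY_NUM:-1}
GEOMETRY=${GEOMETRY:-1280x800x24}
VNC_PORT=${VNC_PORT:-5901}
PASSFILE=${PASSFILE:-$HOME/.vnc/passwd}

# Print the three commands in start order, one per line.
desktop_commands() {
    # X server with no TCP listener; local clients use the Unix socket.
    echo "Xvfb :$DISPLAY_NUM -screen 0 $GEOMETRY -nolisten tcp"
    echo "env DISPLAY=:$DISPLAY_NUM startfluxbox"
    # -localhost: listen on 127.0.0.1 only, so access needs the VPN or an
    # SSH forward; -rfbauth: require the stored password; -forever: keep
    # serving after a viewer disconnects, so the session persists.
    echo "x11vnc -display :$DISPLAY_NUM -rfbport $VNC_PORT -localhost -rfbauth $PASSFILE -forever"
}

# Succeed only if an x11vnc command line is loopback-bound and
# password-protected.
vnc_cmd_is_safe() {
    case " $1 " in *" -localhost "*) ;; *) return 1 ;; esac
    case " $1 " in *" -rfbauth "*) ;; *) return 1 ;; esac
    return 0
}

start_desktop() {
    vnc_line=$(desktop_commands | grep '^x11vnc ')
    vnc_cmd_is_safe "$vnc_line" || { echo "refusing: VNC exposed" >&2; return 1; }
    desktop_commands | while IFS= read -r cmd; do
        sh -c "$cmd" &
        sleep 2   # crude wait so Xvfb is up before its clients connect
    done
}

# Client side, when using SSH instead of a VPN: forward the loopback port,
# then point a VNC viewer at localhost:5901.
#   ssh -L 5901:127.0.0.1:5901 username@server

if [ "${1:-}" = "start" ]; then start_desktop; fi
```

Run it with the argument `start` inside the jail; without an argument it only defines the functions.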
 