Tuesday, April 15, 2008
Methods ofr remote GUI control of Linux servers
There are currently (3) basic methods for getting a remote control GUI on a Linux server (like we do with Remote Desktop for Windows servers):
1) X-Windows over TCP/IP
All GUI operations on Unix/Linux are handled by the X-Windows sub-system. Window interfaces like KDE, Gnome, and others are merely layered on top of the X sub-system. One of the useful things about X is that any window can be forwarded over TCP/IP to any other X server. So you could run an application on the linux server, but display the output window on your PC (as long as you run a local X server program).
The downside of all this is that accessing remote servers requires the use of SSH port forwarding, and a bit of arcane magic. It's nowhere near as clean of a solution as RDP (Terminal Services). But it can be ultra-secure (by using SSH keys) and it works fairly well across the WAN.
2) VNC
VNC is a screen-scraper solution for GUI desktops, very similar to the old pcAnywhere and e/pop solutions that we used to use.
The downsides of VNC are:
- security is non-existent in the base spec
- different VNC server use different encryptions
- authentication tends to be done via plain text passwords
- rather slow across the WAN
3) NX/FreeNX
A company called NoMachines came out with a different solution called "NX". NX is a protocol that is very similar to RDP and the client works rather similar to Remote Desktop. You used to have to pay for the product, but over the years, they've opened up the source code. So now there are (3) different server implementations (NX, FreeNX, and another) and you can download the NX client from NoMachines for free.
The big advantage here is that security is better and performance is better over slow WAN links.
1) X-Windows over TCP/IP
All GUI operations on Unix/Linux are handled by the X-Windows sub-system. Window interfaces like KDE, Gnome, and others are merely layered on top of the X sub-system. One of the useful things about X is that any window can be forwarded over TCP/IP to any other X server. So you could run an application on the linux server, but display the output window on your PC (as long as you run a local X server program).
The downside of all this is that accessing remote servers requires the use of SSH port forwarding, and a bit of arcane magic. It's nowhere near as clean of a solution as RDP (Terminal Services). But it can be ultra-secure (by using SSH keys) and it works fairly well across the WAN.
2) VNC
VNC is a screen-scraper solution for GUI desktops, very similar to the old pcAnywhere and e/pop solutions that we used to use.
The downsides of VNC are:
- security is non-existent in the base spec
- different VNC server use different encryptions
- authentication tends to be done via plain text passwords
- rather slow across the WAN
3) NX/FreeNX
A company called NoMachines came out with a different solution called "NX". NX is a protocol that is very similar to RDP and the client works rather similar to Remote Desktop. You used to have to pay for the product, but over the years, they've opened up the source code. So now there are (3) different server implementations (NX, FreeNX, and another) and you can download the NX client from NoMachines for free.
The big advantage here is that security is better and performance is better over slow WAN links.
Wednesday, June 20, 2007
Remote GUI administration of CentOS5 using Windows
Over the years, I've become very spoiled by Windows Terminal Services that we use to administer our Windows 2000 and Windows 2003 servers. It's fast, it's slick, it allows copy-paste and with a bit of command line fu you can connect to the physical display (instead of one of the two virtual sessions). It also uses built-in Windows authentication and offers encryption.
So, now that I'm rolling out CentOS 5 servers - I need something similar that allows me to look at the graphical UI on the box from elsewhere. From what I can tell, my options are:
KVM that supports TCP/IP
Probably one of the holy grails of remote administration. It allows you to see everything from the BIOS setup screen onward without needing to be physically at the machine. The downside is cost. So while I will eventually be hooking one of these up, it's not in the budget for this quarter.
VNC over SSH
I have a love/hate relationship with VNC. On the Windows clients, we use UltraVNC with built-in Windows authentication and the AES encryption plug-in.
But if you want to wrap VNC with SSH, you have to configure port forwarding all the time in PuTTY. Which turns connecting to a remote server into a multi-step process. With Windows' RDP, I just say "connect to IP address X" and I'm done (and I can connect in as anyone that I want). For PuTTY+VNC, I have to jump through a lot more hoops.
There's also the (possible) issue that VNC is nowhere as efficient over the network as RDP. Once you use Terminal Services' RDP, you'll be spoiled and never want to use older technologies. It (almost) never glitches, it's lightning fast and responsive, and it's just pure remote GUI goodness (except for being a MS-only protocol).
X11 over SSH
This is where I'm heading at the moment. It uses SSH for authentication, so we can lock things down that way (forcing the use of public keys).
Now, a word of caution. A misconfigured SSH or X11 server is a security breach waiting to happen. Pay close attention to chapter 9 in SSH, The Secure Shell, The Definitive Guide by Barrett, Silverman & Byrnes (published by O'Reilly).
Installing Xming on Windows
In order to do X11 on Microsoft Windows, you need to install "X Server" software on the Windows box. While there are pay options out there, I'd suggest starting with Xming which is free (GPLv2). You'll want to download and install both Xming and Xming-fonts.
Configuration of sshd and X11
In order for the local X Server (Xming - running on your Windows system) to talk to the remote Linux server, you'll need to verify some settings on the Linux server. First up is configuration of the sshd daemon (typically /etc/ssh/sshd_config for OpenSSH). Look for the following 2 lines and make sure they are configured correctly:
X11Forwarding yes
#X11UseLocalhost yes
By default, OpenSSH ships with X11Forwarding set to "no" but the default for X11UseLocalhost is "yes". So you should only have to add the "X11Forwarding yes" line.
Create a PuTTY session
I'll make the assumption that you're going to use a PuTTY public-key pair. If you need to install a generated PuTTY key (maybe you want to use a separate PuTTY key for X11 forwarding), then here are the directions for OpenSSH.
(login as yourself or as root and then "su" to your username)
# cd ~/.ssh
# cat > machinename@svn.pub
(paste in PuTTY key)
# ssh-keygen -i -f machinename@svn.pub >> authorized_keys
(Ctrl-D to exit)
If all goes well, you should see a line like:
/usr/bin/xauth: creating new authority file /home/thomas/.Xauthority
Which tells us that SSH is ready to do some X forwarding.
Fire up Xming
If you haven't already ran Xming you should run XLaunch and just roll through the defaults. Now, in the PuTTY window that is sitting at a command prompt, try:
# xeyes
And you should see the xeyes application open up on your Windows system. If you want to continue to start up other X applications, put an ampersand (&) at the end of the line.
More advanced stuff
If all goes well, you should see the Gnome desktop!
Final thoughts (for the moment)
Now, it's still not as slick as Terminal Services. But it seems to work just fine and gives me a GUI desktop. I still plan on doing most of my administration from the command line, but this provides a nice GUI for those who follow in my footsteps.
So, now that I'm rolling out CentOS 5 servers - I need something similar that allows me to look at the graphical UI on the box from elsewhere. From what I can tell, my options are:
KVM that supports TCP/IP
Probably one of the holy grails of remote administration. It allows you to see everything from the BIOS setup screen onward without needing to be physically at the machine. The downside is cost. So while I will eventually be hooking one of these up, it's not in the budget for this quarter.
VNC over SSH
I have a love/hate relationship with VNC. On the Windows clients, we use UltraVNC with built-in Windows authentication and the AES encryption plug-in.
But if you want to wrap VNC with SSH, you have to configure port forwarding all the time in PuTTY. Which turns connecting to a remote server into a multi-step process. With Windows' RDP, I just say "connect to IP address X" and I'm done (and I can connect in as anyone that I want). For PuTTY+VNC, I have to jump through a lot more hoops.
There's also the (possible) issue that VNC is nowhere as efficient over the network as RDP. Once you use Terminal Services' RDP, you'll be spoiled and never want to use older technologies. It (almost) never glitches, it's lightning fast and responsive, and it's just pure remote GUI goodness (except for being a MS-only protocol).
X11 over SSH
This is where I'm heading at the moment. It uses SSH for authentication, so we can lock things down that way (forcing the use of public keys).
Now, a word of caution. A misconfigured SSH or X11 server is a security breach waiting to happen. Pay close attention to chapter 9 in SSH, The Secure Shell, The Definitive Guide by Barrett, Silverman & Byrnes (published by O'Reilly).
Installing Xming on Windows
In order to do X11 on Microsoft Windows, you need to install "X Server" software on the Windows box. While there are pay options out there, I'd suggest starting with Xming which is free (GPLv2). You'll want to download and install both Xming and Xming-fonts.
Configuration of sshd and X11
In order for the local X Server (Xming - running on your Windows system) to talk to the remote Linux server, you'll need to verify some settings on the Linux server. First up is configuration of the sshd daemon (typically /etc/ssh/sshd_config for OpenSSH). Look for the following 2 lines and make sure they are configured correctly:
X11Forwarding yes
#X11UseLocalhost yes
By default, OpenSSH ships with X11Forwarding set to "no" but the default for X11UseLocalhost is "yes". So you should only have to add the "X11Forwarding yes" line.
Create a PuTTY session
I'll make the assumption that you're going to use a PuTTY public-key pair. If you need to install a generated PuTTY key (maybe you want to use a separate PuTTY key for X11 forwarding), then here are the directions for OpenSSH.
(login as yourself or as root and then "su" to your username)
# cd ~/.ssh
# cat > machinename@svn.pub
(paste in PuTTY key)
# ssh-keygen -i -f machinename@svn.pub >> authorized_keys
(Ctrl-D to exit)
- Right-click on the Pageant icon in the system tray and choose "New Session".
- Enter the hostname (i.e. 192.168.1.1)
- Go to the Connection -> SSH -> X11 tab
- Turn ON "X11 forwarding"
- Display location should be: localhost:0
- Go back to the Session tab
- Enter a name in the Saved Sessions text box (i.e. "MyHost-X11") and click on "Save"
- Click the "Open" button to connect to the server
If all goes well, you should see a line like:
/usr/bin/xauth: creating new authority file /home/thomas/.Xauthority
Which tells us that SSH is ready to do some X forwarding.
Fire up Xming
If you haven't already ran Xming you should run XLaunch and just roll through the defaults. Now, in the PuTTY window that is sitting at a command prompt, try:
# xeyes
And you should see the xeyes application open up on your Windows system. If you want to continue to start up other X applications, put an ampersand (&) at the end of the line.
More advanced stuff
- Fire up XLaunch
- Select "One window" and click "Next"
- Select "Start a program" and click "Next"
- The start program should be either "gnome-session" or "startkde"
- Select Run Remote using PuTTY (plink.exe) and turn on the compression option.
- Enter the IP address or hostname in "Connect to computer" of the Linux box that you are connecting to
- Enter your username in the "Login as user"
- Click the "Next" button
- In the "Additional parameters", enter "-screen 0 1024 768" which will set screen zero to be 1024x768
- If you run your SSH server on a non-standard port, enter "-P port" in the PuTTY extra options field (run "plink" at a Windows command prompt to see the possible options)
- Save your configuration file and click "Finish"
If all goes well, you should see the Gnome desktop!
Final thoughts (for the moment)
Now, it's still not as slick as Terminal Services. But it seems to work just fine and gives me a GUI desktop. I still plan on doing most of my administration from the command line, but this provides a nice GUI for those who follow in my footsteps.
Sections:
Recent posts:
[an error occurred while processing this directive]
Monthly archives:
2003/04
2003/05
2003/06
2003/07
2003/08
2003/09
2003/10
2003/11
2003/12
2004/01
2004/02
2004/03
2004/04
2004/05
2004/06
2004/07
2004/08
2004/09
2004/10
2004/11
2004/12
2005/01
2005/02
2005/03
2005/04
2005/05
2005/06
2005/07
2005/08
2005/09
2005/10
2005/11
2005/12
2006/01
2006/02
2006/03
2006/04
2006/05
2006/06
2006/07
2006/08
2006/09
2006/10
2006/11
2006/12
2007/01
2007/02
2007/03
2007/04
2007/05
2007/06
2007/07
2007/08
2007/12
2008/01
2008/03
2008/04
2008/05
2008/06
2008/07
2008/08
2008/09
2008/10
2008/11
2008/12
2009/01
2009/02
2009/03
2009/04
2009/05
2009/06
2009/07
2009/08
2009/09
2009/10
2009/11
2009/12
2010/06
Copyright 2003-2010, Thomas G. Harold, All Rights Reserved
