
REMOTE ACCESS MADE EASY

Remote access to a RHEL machine is very simple and can be done in a variety of ways. There are two that go hand-in-hand that I have been deploying for ages: sshd and x2go (formerly nx). As x2go uses ssh to make connections, we will cover that second. Thirdly, we have x11vnc. And as a fourth viable option, we have rdp. As I find rdp a bit on the dangerous side security-wise, I will include it, but advise against it and recommend sticking with ssh/x2go, as it's a better model and cross-platform, if you do not need session sharing; if you do, use x11vnc.

SETTING UP SSHD

Setting this up is easy, but it is critically important that it's done sanely, intelligently, and correctly. There are a few options that are a must and a few that are optional. I will presume your ability to read, and allow you to do that on your own to develop your own file, but will go over a few options that really do need to be set, and a few that, if you plan accordingly, can be a valuable asset.

  1. Install sshd if need be:

    $ dnf info openssh-server
    Loaded plugins: langpacks, nvidia, product-id, subscription-manager
    Installed Packages
    Name         : openssh-server
    Version      : 8.0p1
    Release      : 25.el8_10
    Architecture : x86_64
    Size         : 1.0 M
    Source       : openssh-8.0p1-25.el8_10.src.rpm
    Repository   : @System
    From repo    : rhel-8-for-x86_64-baseos-rpms
    Summary      : An open source SSH server daemon
    URL          : http://www.openssh.com/portable.html
    License      : BSD
    Description  : OpenSSH is a free version of SSH (Secure SHell), a program for logging
                 : into and executing commands on a remote machine. This package contains
                 : the secure shell daemon (sshd). The sshd daemon allows SSH clients to
                 : securely connect to your SSH server.
    
  2. First disable root logins. This is ALWAYS a good idea to put into place as it is NEVER a good idea for machines to allow remote root logins. Use sudo or su to gain root privileges. Find the line that includes the parameter and fix it to be this:

    PermitRootLogin no
    
  3. If you are not the Chuck Norris of security (selinux included), it's a very sane idea to change your sshd port somehow. For simplicity, if you want one place to fix many machines behind a NATted connection, fix it there -- the NAT machine. Have it accept on different ports than 22 and forward to the LAN on 22. But if this is a single machine or one of a small handful of machines, you can remap the port. Here is the parameter in question:

    Port 22
    
  4. Disable the ancient Protocol 1 by forcing Protocol 2 only.

    Protocol 2
    
  5. Spawn new processes with the exactly needed privileges

    UsePrivilegeSeparation yes
    
  6. Be anal about client config options that are passed to your server

    StrictModes yes
    
  7. This is to enforce that a rarely needed utility isn't put into place by accident. If you need this you will know, but if you don't need this, this sounds like gibberish.

    HostbasedAuthentication no
    
  8. We want real passwords!

    PermitEmptyPasswords no
    
  9. Notify on login when last login was

    PrintLastLog yes
    
  10. Forward X11 display connections. This is a needed option for using x2go

    X11Forwarding yes
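
To check a running server against the settings above, this added example (not part of the original page) reads the effective configuration in the format printed by `sshd -T` and reports every keyword that differs from steps 2 and 6 through 10. `Protocol` and `UsePrivilegeSeparation` are left out because current OpenSSH releases, including the 8.0 shown in step 1, no longer act on them; the function name `audit_sshd` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with the values from this page.
# Input format is that of `sshd -T`: one "keyword value" pair per line,
# with the keyword in lower case.

# Expected values, taken from steps 2 and 6-10 above.
EXPECTED="permitrootlogin no
strictmodes yes
hostbasedauthentication no
permitemptypasswords no
printlastlog yes
x11forwarding yes"

# audit_sshd: reads `sshd -T` style text on stdin, prints one line per
# mismatching or missing keyword, returns 0 if all match and 1 otherwise.
audit_sshd() {
    effective=$(cat)
    rc=0
    while read -r key want; do
        # Take the first line whose keyword matches.
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got $got, want $want"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample of `sshd -T` output containing two deviations.
SAMPLE="port 22
permitrootlogin yes
strictmodes yes
hostbasedauthentication no
permitemptypasswords no
printlastlog yes
x11forwarding no"

# Demo on the constructed sample.
# On a real host, run as root: sshd -T | audit_sshd
printf '%s\n' "$SAMPLE" | audit_sshd || true
```

Because `sshd -T` prints the configuration the daemon would actually use, this also catches a value that is set twice in the file, where the first occurrence wins.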
    

PASSWORDLESS SSH LOGINS

Logging in with SSH keys rather than a password is simple and a much more secure approach.

  1. Generate SSH keys if need be. Root will need to do this for sshd only. Each respective user will need to run this to create their own keys.

    client : ssh-keygen
    server : sudo ssh-keygen
    
  2. For each system that you wish to do this on issue the following command

    ssh-copy-id user@host.tld
    

For example (with error for obvious reason):

    $ ssh-copy-id schotty.com
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.

SETTING UP X2GO

x2go is a great resource for getting a remote X11/Xorg session easily. Here are the steps needed for this to work.

New X2Go User Guide

Information on Published Applications

Information on Creating A Session

  1. Install x2go.

    $ sudo dnf info x2goserver
    Loaded plugins: langpacks, nvidia, product-id, subscription-manager
    Available Packages
    Name         : x2goserver
    Version      : 4.1.0.3
    Release      : 17.el8.1
    Architecture : x86_64
    Size         : 129 k
    Source       : x2goserver-4.1.0.3-17.el8.1.src.rpm
    Repository   : epel
    Summary      : X2Go Server
    URL          : http://www.x2go.org
    License      : GPLv2+
    Description  : X2Go is a server based computing environment with
                 :     - session resuming
                 :     - low bandwidth support
                 :     - session brokerage support
                 :     - client side mass storage mounting support
                 :     - client side printing support
                 :     - audio support
                 :     - authentication by smartcard and USB stick
                 :
                 : This package contains the main daemon and tools for X2Go server-side session
                 : administrations.
    
  2. Since certain desktop environments do things that x2go doesn't support (on the server side only), install a compatible DE for use with the remote sessions. This does not impact local users of that system, as you can use an unsupported DE locally and another remotely. http://wiki.x2go.org/doku.php/doc:de-compat

    sudo dnf groupinstall "Xfce"
    
  3. Firewalld will need some fixing:

    sudo firewall-cmd --permanent --zone=public --add-service=ssh
    sudo firewall-cmd --zone=public --add-service=ssh
    sudo firewall-cmd --reload
    
  4. Client side you will need to find an appropriate x2go client. On my RHEL7 systems I went this route:

    $ sudo dnf info x2goclient
    Loaded plugins: langpacks, nvidia, product-id, subscription-manager
    Installed Packages
    Name         : x2goclient
    Version      : 4.1.2.3
    Release      : 1.el8
    Architecture : x86_64
    Size         : 1.2 M
    Source       : x2goclient-4.1.2.3-1.el8.src.rpm
    Repository   : epel
    Summary      : X2Go Client application
    URL          : http://www.x2go.org
    License      : GPLv2+
    Description  : X2Go is a server-based computing environment with
                 :     - session resuming
                 :     - low bandwidth support
                 :     - session brokerage support
                 :     - client-side mass storage mounting support
                 :     - client-side printing support
                 :     - audio support
                 :     - authentication by smartcard and USB stick
                 :
                 : X2Go Client is a graphical client for the X2Go system.
                 : You can use it to connect to running sessions and start new sessions.
    
  5. Configuration is rather straightforward, but there are a few things to take note of. Firstly, the main issue, which can be easily avoided, is using the wrong session type. Check towards the bottom of the new session editor for what session is selected (if any), and pick the appropriate one. This is vital if you are using an unsupported DE, as there are parameters that will need to go with it. And in case it needs to be said, tick the box for using keys rather than passwords if you prefer the SSH key route over password auth. That's it! Sometimes after crash scenarios, X2Go will not accept new connections and complain about authentication issues. This is misleading, as 99% of the time this is actually the session database being corrupted. To fix, run the following two commands:

    sudo rm /var/lib/x2go/x2go_sessions
    sudo x2godbadmin --createdb
    
  6. On the occasion that one's Windows client has issues with the known_hosts file, the file can be fixed/deleted here:

    C:\Users\<username>\ssh\known_hosts
    

SETTING UP X11VNC

x11vnc is a VNC server that shares an existing X11/Xorg screen. With it, a user who is logged in can share their active session. Here are the steps to set this up sanely on your system.

  • Package Info on RHEL8 as of time of writing

    Name         : x11vnc
    Version      : 0.9.16
    Release      : 3.el8
    Architecture : x86_64
    Size         : 927 k
    Source       : x11vnc-0.9.16-3.el8.src.rpm
    Repository   : epel
    Summary      : VNC server for the current X11 session
    URL          : https://github.com/LibVNC/x11vnc
    License      : GPLv2+
    Description  : What WinVNC is to Windows x11vnc is to X Window System, i.e. a server which
                 : serves the current X Window System desktop via RFB (VNC) protocol to the
                 : user.
                 :
                 : Based on the ideas of x0rfbserver and on LibVNCServer it has evolved into
                 : a versatile and productive while still easy to use program.
    
  • Install package

    sudo dnf install x11vnc
    
  • Set user's password

    x11vnc -storepasswd
    
  • Invoke server as user

    x11vnc -usepw -ncache -forever -display :1 -ultrafilexfer -auth guess
    
  • Ensure that you ONLY have ssh access to the system. DO NOT open up any VNC ports

  • On remote system install a VNC viewer application

  • Invoke vncviewer

    vncviewer -via YOUR-VNCSERVER localhost:0
    

With this setup you have

    * An ssh tunnel
    * A password to protect the screen
    * Remote access to your active Xorg session
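
One way to confirm that no VNC port is reachable except through the ssh tunnel, as an added example that is not part of the original page: the function reads listening TCP sockets in the format of `ss -Htln` and flags any listener in the VNC range 5900-5999 that is not bound to loopback. The function name `exposed_vnc` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag VNC listeners that are reachable without the ssh tunnel.
# Input format is that of `ss -Htln` (no header):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# exposed_vnc: prints "address port" for every listener on 5900-5999 that is
# not bound to loopback; returns 1 if any was found and 0 otherwise.
exposed_vnc() {
    awk '{
        ep = $4                          # e.g. 0.0.0.0:5900 or [::1]:5900
        n = split(ep, parts, ":")
        port = parts[n] + 0              # port is the text after the last colon
        addr = substr(ep, 1, length(ep) - length(parts[n]) - 1)
        if (port < 5900 || port > 5999) next
        if (addr ~ /^127\./ || addr == "[::1]") next
        print addr, port
        found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample: ssh, one exposed IPv4 listener, two loopback-only
# listeners, and one wildcard listener.
SS_SAMPLE="LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 32 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 32 [::1]:5900 [::]:*
LISTEN 0 32 *:5902 *:*"

# Demo on the constructed sample.
# On a real host: ss -Htln | exposed_vnc
printf '%s\n' "$SS_SAMPLE" | exposed_vnc || true
```

x11vnc's `-localhost` option binds the server to loopback only, which still works with `vncviewer -via` because the viewer connects to `localhost` on the far end of the tunnel.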

SETTING UP XRDP

  1. Install EPEL (if not already present).

  2. Install vnc and xrdp

    sudo dnf install tigervnc-server xrdp
    
  3. Open up the firewall

    sudo firewall-cmd --permanent --zone=public --add-port=3389/tcp
    sudo firewall-cmd --reload
    
  4. Enable rdp

    sudo systemctl enable xrdp
    sudo systemctl start xrdp
    
  5. On the client, you can use your favorite rdp tool to connect. I prefer to use Remmina:

    Name         : remmina
    Version      : 1.4.33
    Release      : 1.el8
    Architecture : x86_64
    Size         : 1.0 M
    Source       : remmina-1.4.33-1.el8.src.rpm
    Repository   : epel
    Summary      : Remote Desktop Client
    URL          : https://remmina.org
    License      : GPL-2.0-or-later and MIT
    Description  : Remmina is a remote desktop client written in GTK+, aiming to be useful for
                 : system administrators and travelers, who need to work with lots of remote
                 : computers in front of either large monitors or tiny net-books.
                 :
                 : Remmina supports multiple network protocols in an integrated and consistent
                 : user interface. Currently RDP, VNC and SSH are supported.
                 :
                 : Please don't forget to install the plugins for the protocols you want to
                 : use.
    

To install:

    sudo dnf install remmina 'remmina-plugins-*'

SETTING UP X11 FORWARDING

X11 Forwarding will allow for running a remote application on your local display.

  1. Setup X11 Forwarding on remote system

    sudo vim /etc/ssh/sshd_config
    # Fix the following three lines, although the offset may not be needed
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost yes
    
  2. Restart sshd

    sudo systemctl restart sshd
    
  3. On local system, fix ssh to allow for X11 Forwarding:

    sudo vim /etc/ssh/ssh_config
    # Fix the following two lines
    Host *
        ForwardX11 yes
    
  4. On local machine execute ssh in the following way:

    ssh -X host
    ssh -X user@host
    

Now, if you are remoted in to your system and execute "gedit", it will display locally.

Depending on issues that may crop up with the permissions system, you may need to fix your root user's .Xauthority file if you need to run remote applications as root. To allow a user to run an application as root, do the following:

    sudo su
    xauth merge /home/user/.Xauthority