Remote access of a RHEL machine is very simple and can be done in a variety of ways. There are two that go hand-in-hand that I have been deploying for ages: sshd and x2go (formerly nx). As x2go uses ssh to make connections, we will cover it second. As a third viable option, we have rdp. I find rdp a bit on the dangerous side security-wise, so I will include it but advise against it; stick with ssh/x2go, as it's a better model and cross-platform.
SETTING UP SSHD
Setting this up is easy, but it is critically important that it's done sanely, intelligently, and correctly. There are a few options that are a must and a few that are optional. I will presume your ability to read, and allow you to do that on your own to develop your own file, but will go over a few options that really do need to be set, and a few that can be a valuable asset if you plan accordingly.
- Install sshd if need be:
    [andrew@big-red-wireless Desktop]$ sudo yum info openssh-server
    Loaded plugins: langpacks, nvidia, product-id, subscription-manager
    Installed Packages
    Name        : openssh-server
    Arch        : x86_64
    Version     : 6.6.1p1
    Release     : 12.el7_1
    Size        : 916 k
    Repo        : installed
    From repo   : rhel-7-desktop-rpms
    Summary     : An open source SSH server daemon
    URL         : http://www.openssh.com/portable.html
    License     : BSD
    Description : OpenSSH is a free version of SSH (Secure SHell), a program for
                : logging into and executing commands on a remote machine. This
                : package contains the secure shell daemon (sshd). The sshd daemon
                : allows SSH clients to securely connect to your SSH server.
    [andrew@big-red-wireless Desktop]$
- First disable root logins. This is ALWAYS a good idea to put into place as it is NEVER a good idea for machines to allow remote root logins. Use sudo or su to gain root privileges. Find the line that includes the parameter and fix it to be this:
- If you are not the Chuck Norris of security (selinux included), it's a very sane idea to change your sshd port somehow. For simplicity, if you want one place to fix many machines behind a NATted connection, fix it there, on the NAT machine. Have it accept on ports other than 22 and forward to the LAN on 22. But if this is a single machine or one of a small handful, remap the port. Here is the parameter in question:
- Disable the ancient Protocol 1 by forcing Protocol 2 only.
- Spawn new processes with the exactly needed privileges
- Be anal about client config options that are passed to your server
- This is to enforce that a rarely needed utility isn't put into place by accident. If you need this you will know, but if you don't need this, this sounds like gibberish.
- We want real passwords!
- Notify on login when last login was: PrintLastLog yes
- Forward X11 display connections. This is a needed option for using x2go.
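The checks in the list above, as an added audit script (not part of the original post). Apart from `PrintLastLog`, the directive names are not shown on the page; they are my mapping of the list items to standard sshd_config keywords (an assumption), and the sample config is constructed.

```shell
# Added example, not from the original post. sshd applies the FIRST occurrence
# of a keyword, keywords are case-insensitive, and lines after "Match" are
# conditional, so the global scan stops there.
effective_value() {   # usage: effective_value FILE KEYWORD
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }                   # strip leading whitespace
        $0 == "" || /^#/ { next }                # skip blanks and comments
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }                  # end of global section
        key == want    { print tolower(f[2]); exit }
    ' "$1"
}

audit_sshd_config() { # prints findings; return status = number of failed checks
    cfg=$1; fails=0
    # Directive names below are assumed mappings of the list items above.
    while read -r key want; do
        got=$(effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', found '${got:-not set globally}'"
            fails=$((fails + 1))
        fi
    done <<'EOF'
PermitRootLogin no
Protocol 2
PermitEmptyPasswords no
PrintLastLog yes
X11Forwarding yes
EOF
    port=$(effective_value "$cfg" Port)   # site-specific: only note the default
    if [ "${port:-22}" = "22" ]; then
        echo "NOTE Port: still 22 (expected if the NAT machine remaps it)"
    fi
    return "$fails"
}

# Constructed sample config, for illustration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
protocol 2
PermitRootLogin yes
PermitRootLogin no
PrintLastLog yes
X11Forwarding=yes
Match User backup
    PermitEmptyPasswords no
EOF
audit_sshd_config "$sample" || echo "$? check(s) failed"
```

The sample fails on `PermitRootLogin` because the earlier `yes` line wins over the later `no`, and on `PermitEmptyPasswords` because it appears only inside a `Match` block. On a live host, `sudo sshd -T` prints the effective configuration as sshd itself computes it.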
PASSWORDLESS SSH LOGINS
Using SSH keys rather than a password is a simple and much more secure approach.
1)Generate SSH keys if need be. Root will need to do this for sshd only. Each respective user will need to run this to create their own keys.
client : ssh-keygen
server : sudo ssh-keygen
2)For each system that you wish to do this on, issue the following command
For example (with error for obvious reason):
    [andrew@big-red-wireless Desktop]$ ssh-copy-id schotty.com
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
    [andrew@big-red-wireless Desktop]$
SETTING UP x2go
x2go is a great resource for getting a remote X11/Xorg session easily. Here are the steps needed for this to work.
    [andrew@big-red-wireless Desktop]$ sudo yum info x2goserver-xsession
    Loaded plugins: langpacks, nvidia, product-id, subscription-manager
    Available Packages
    Name        : x2goserver-xsession
    Arch        : x86_64
    Version     : 184.108.40.206
    Release     : 3.el7
    Size        : 13 k
    Repo        : epel/x86_64
    Summary     : X2Go Server Xsession runner
    URL         : http://www.x2go.org
    License     : GPLv2+
    Description : X2Go is a server based computing environment with
                : - session resuming
                : - low bandwidth support
                : - session brokerage support
                : - client side mass storage mounting support
                : - audio support
                : - authentication by smartcard and USB stick
                :
                : This X2Go server add-on enables Xsession script handling
                : when starting desktop sessions with X2Go.
                :
                : Amongst others the parsing of Xsession scripts will
                : enable desktop-profiles, ssh-agent startups, gpgagent
                : startups and many more Xsession related features on
                : X2Go session login automagically.
    [andrew@big-red-wireless Desktop]$
2)Since certain desktop environments do things that x2go doesn't support (on the server side only), install a compatible DE for use with the remote sessions. This does not impact local users to that system, as you can use an unsupported DE locally, and another remotely.
Here are the recommended DE group install commands:
    yum groupinstall "Xfce"
    yum groupinstall "MATE Desktop"
    yum groupinstall "KDE Desktop"
3)Firewalld will need some fixing:
    firewall-cmd --permanent --zone=public --add-service=ssh
    firewall-cmd --reload
4)Client side you will need to find an appropriate x2go client. On my RHEL7 systems I went this route:
    [andrew@big-red-wireless Desktop]$ sudo yum info x2goclient
    Loaded plugins: langpacks, nvidia, product-id, subscription-manager
    Installed Packages
    Name        : x2goclient
    Arch        : x86_64
    Version     : 220.127.116.11
    Release     : 1.el7
    Size        : 2.5 M
    Repo        : installed
    From repo   : epel-testing
    Summary     : X2Go Client application (Qt4)
    URL         : http://www.x2go.org
    License     : GPLv2+
    Description : X2Go is a server based computing environment with
                : - session resuming
                : - low bandwidth support
                : - session brokerage support
                : - client-side mass storage mounting support
                : - client-side printing support
                : - audio support
                : - authentication by smartcard and USB stick
                :
                : X2Go Client is a graphical client (Qt4) for the X2Go system.
                : You can use it to connect to running sessions and start new
                : sessions.
    [andrew@big-red-wireless Desktop]$
5)Configuration is rather straightforward, but there are a few things to take note of. The main issue, and one that is easily avoided, is using the wrong session type. Check towards the bottom of the new session editor for what session is selected (if any), and pick the appropriate one. This is vital if you are using an unsupported DE, as there are parameters that will need to go with it. And in case it needs to be said, tick the box for using keys rather than passwords if you prefer the SSH key route over password auth. That's it!
Sometimes after crash scenarios, X2Go will not accept new connections and will complain about authentication issues. This is misleading, as 99% of the time the session database is actually corrupted. To fix, run the following two commands:
    sudo rm /var/lib/x2go/x2go_sessions
    sudo x2godbadmin --createdb
SETTING UP xrdp
1)Install the Nux! repo. EPEL is a prerequisite for Nux's functionality: http://li.nux.ro/repos.html
2)Open up the firewall
    firewall-cmd --permanent --zone=public --add-port=3389/tcp
    firewall-cmd --reload
    systemctl enable xrdp
    systemctl start xrdp
4)On the client, you can use your favorite rdp tool to connect. On RHEL6/7 I prefer to use Remmina:
    [andrew@big-red-wireless ~]$ sudo yum info remmina
    [sudo] password for andrew:
    Loaded plugins: langpacks, nvidia, product-id, subscription-manager
    Installed Packages
    Name        : remmina
    Arch        : x86_64
    Version     : 1.0.0
    Release     : 8.el7.nux
    Size        : 897 k
    Repo        : installed
    From repo   : nux-dextop
    Summary     : Remote Desktop Client
    URL         : http://remmina.sourceforge.net
    License     : GPLv2+ and MIT
    Description : Remmina is a remote desktop client written in GTK+, aiming to be
                : useful for system administrators and travelers, who need to work
                : with lots of remote computers in front of either large monitors or
                : tiny netbooks.
                :
                : Remmina supports multiple network protocols in an integrated and
                : consistent user interface. Currently RDP, VNC, XDMCP and SSH are
                : supported.
                :
                : Please don't forget to install the plugins for the protocols you
                : want to use.
    [andrew@big-red-wireless ~]$
yum install remmina remmina-plugins-*