SSH
- Generate an SSH key:
  ```bash
  ssh-keygen -t rsa -b 4096
  ```
  - This will create `~/.ssh/id_rsa` and optionally sets a passphrase.
- Copy your SSH key onto a remote machine:
  ```bash
  ssh-copy-id username@remote_host
  ```
  - You will be prompted for the password of the remote machine. All your public keys will then land in `~/.ssh/authorized_keys`.
- `sudo nmap -sn 192.168.1.0/24`: uses ICMP echo requests (ping) and TCP (SYN) packets on OSI layer 3 (the network layer). This is more robust than `sudo arp-scan -l` because the latter uses the ARP (Address Resolution Protocol) protocol on layer 2 (the local subnet). Some devices may not respond due to their firewall settings. Also, ARP is an IPv4 protocol; IPv6 devices may also avoid using it.
- Check login history:
  - `who`: display the last 3 logins
  - `last`: display a longer list
SSH vs SSHD
- SSH (Secure Shell Client): initiates the machine as an SSH client to connect to a remote server.
  - `ssh username@remote_host 'ls -la /var/www'`: run commands on a remote server
  - `scp local_file username@remote_machine:PATH`: copy a local file to a remote machine
  - All data transmission here is encrypted.
- SSHD (Secure Shell Daemon):
  - Listens on a specified port (default port 22) for incoming SSH requests.
What is X?
X Window System (or X11, X) renders graphics on display hardware. It can interact with input devices such as a mouse, keyboard, etc., to create effects like dragging windows and clicking. X is widely used in UNIX-like systems: Linux, Solaris, etc.
X has an X server (screen) and X clients (keyboard, mouse, etc.). They talk to each other through a network protocol, so a screen can display inputs remotely.
Be Careful With Adding X Clients
If a child process does not have access to the X server, but is running as root (e.g., in a container), one not-super-secure solution is to allow any process running as root to have access to the X server:
```bash
xhost +local:root
```
- Note that this command cannot be run in a script because running a script opens up a new shell. It can be sourced, though (`source` executes the command in the current shell).
Alternatively,
```bash
xhost +local:
```
This allows any local user to access the X server.
What If I Can't See GUI From Remote Machine?
- Log onto the remote server and run `echo $DISPLAY`. This should display your current X11 display.
  - Running on the local machine through SSH shows `system76-pc:10.0` or `localhost:10.0`. This value is set by the SSH client.
  - If `echo $DISPLAY` returns `:1`, it means the X11 server connects to the local display `:1` instead of the remote server.
- Run `xauth list`. If nothing prints on the console, it means ssh did not automatically generate the X11 authorization cookies on the local display properly. If you don't see this, first:
  - `sudo vim /etc/ssh/sshd_config` and make sure these exist:
    ```
    X11Forwarding yes    # allows the server to accept and forward X connections from the SSH client
    X11UseLocalhost no
    ```
    - `X11UseLocalhost yes` is the default and binds X11 to listen on loopback, so only the local machine can access it. In general, this is more secure.
    - But in this case, we want to allow external ssh connections to access the X server. It's not the most secure though.
  - Restart the SSH service:
    ```bash
    sudo systemctl restart ssh
    ```
  - Remove `.Xauthority`:
    ```bash
    rm ~/.Xauthority
    ```
    - This file is automatically generated by the SSH client (usually stored in your home directory as `~/.Xauthority`).
    - Removing it can force ssh to regenerate it upon reconnection.
  - Log out and reconnect to generate X11 authorization cookies:
    ```bash
    ssh -Y rico@rico-orin
    ```
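Added example, not part of the original notes: a small shell script that performs the checks above offline. It classifies a `$DISPLAY` value (forwarded vs. the server's own local display), pulls the display number out of it, and looks for a matching cookie in `xauth list` output, which is the condition the `rm ~/.Xauthority` step is meant to repair. The hostnames, DISPLAY values and `xauth list` lines it ships with are constructed samples (the `host/unix:N  MIT-MAGIC-COOKIE-1  <hex>` entry format is assumed to match what sshd adds); running it with `--demo` also checks the real `$DISPLAY` and `xauth list` of the current shell.

```bash
#!/bin/sh
# Added example (not from the original notes): offline checks for the X11
# forwarding diagnosis above. Sample DISPLAY values and xauth lines are
# constructed; hostnames are made up.

# display_kind: classify a DISPLAY value.
#   forwarded -> "host:10.0" / "localhost:10.0" (set by the SSH client)
#   local     -> ":0", ":1" (the server's own X display, not forwarded)
#   unset     -> empty
display_kind() {
    case "$1" in
        "")   echo unset ;;
        :*)   echo local ;;
        *:*)  echo forwarded ;;
        *)    echo unknown ;;
    esac
}

# display_number: "system76-pc:10.0" -> 10 ; ":1" -> 1
display_number() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:\([0-9][0-9]*\).*$/\1/p'
}

# has_cookie_for: does the "xauth list" text ($1) carry an entry for display
# number $2? Entries are assumed to look like "host/unix:10  MIT-MAGIC-COOKIE-1  <hex>".
has_cookie_for() {
    printf '%s\n' "$1" | grep -q "^[^ ]*:$2[[:space:]]"
}

# x11_diagnose DISPLAY XAUTH_LIST_TEXT: one-line verdict.
x11_diagnose() {
    kind=$(display_kind "$1")
    case "$kind" in
        unset) echo "DISPLAY is unset: ssh was not started with -X/-Y or X11Forwarding is off" ;;
        local) echo "DISPLAY=$1 points at the server's own display, not the forwarded one" ;;
        forwarded)
            num=$(display_number "$1")
            if has_cookie_for "$2" "$num"; then
                echo "DISPLAY=$1 is forwarded and xauth has a cookie for display $num"
            else
                echo "DISPLAY=$1 is forwarded but xauth has no cookie for display $num: remove ~/.Xauthority and reconnect"
            fi ;;
        *) echo "DISPLAY=$1 has an unrecognised format" ;;
    esac
}

# Constructed sample of "xauth list" output on the remote server.
XAUTH_SAMPLE='system76-pc/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
system76-pc/unix:0  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

if [ "${1:-}" = "--demo" ]; then
    x11_diagnose "system76-pc:10.0" "$XAUTH_SAMPLE"
    x11_diagnose ":1" "$XAUTH_SAMPLE"
    x11_diagnose "localhost:11.0" "$XAUTH_SAMPLE"
    # Real check of the shell this is run from:
    x11_diagnose "${DISPLAY:-}" "$(xauth list 2>/dev/null || true)"
fi
```

Run it as `sh x11check.sh --demo` inside the SSH session; the last line is the one that reports on your actual session, and the "no cookie" verdict is exactly the state that `rm ~/.Xauthority` followed by a fresh `ssh -Y` login fixes.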
Adding X11 Access To Docker
- Do all steps in the section above.
- Launch containers remotely, not on the server itself.
  - This way, `echo $DISPLAY` on the remote server, inside and outside the container, should give the same value, like `system76-pc:10.0`.
- On the remote server, add docker to xhost: `xhost +local:docker`, or do `xhost +local:`
  - `xhost +local:docker`: X server allows connections from clients running in group docker
  - `xhost +local:`: X server allows connections from any local clients
- In docker compose:
  ```yaml
  environment:
    - DISPLAY
    - XAUTHORITY=/tmp/.host_Xauthority   # avoid name clashing with a directory with the same name??
  volumes:
    # - /tmp/.X11-unix:/tmp/.X11-unix
    - /home/ricojia/.Xauthority:/tmp/.host_Xauthority:ro
  ```
  - Why is `# - /tmp/.X11-unix:/tmp/.X11-unix` commented out?
    - The `/tmp/.X11-unix` directory holds the Unix domain sockets for X11 communication when connecting locally (e.g., for display `:0`).
    - In the SSH X forwarding scenario, the connection to your X server happens over TCP (using the DISPLAY value like `system76-pc:10.0`), not via the local Unix socket. So we do NOT want to include it.
  - The `/home/ricojia/.Xauthority:/tmp/.host_Xauthority:ro` line is required:
    - This line binds the host's Xauthority file to the container at `/tmp/.host_Xauthority` in read-only mode.
    - Required so that the container has access to the correct authentication cookie that matches your SSH-forwarded X session.
    - Without this file inside the container, X clients would be unable to authenticate with your X server, resulting in errors like "X11 connection rejected because of wrong authentication."
- Run `xclock` in the docker container. The GUI should pop up on the client machine.
  - A catch to this method is, because `$DISPLAY=system76-pc:10.0`, the GUI will be launched there even if you launch the GUI on the server.
Remote SSH Forwarding W/ AT&T Routers
- Log onto the AT&T page, `192.168.1.254`. Go to IP Passthrough -> change allocation mode from `Off` to `Passthrough`.
- I noticed that on my local network, SSH connection to the server was not stable.
  - "Hairpin NAT" is the mechanism required on a router to allow machines on the local network to access the server using its public IP address.
  - Unfortunately, my router doesn't support that.
  - So I made `IP->Passthrough Mode` off, instead of `passthrough`.
- Use DHCP Fixed. Under the device list, find the SSH server's MAC address.
- In NAT/GAMING, add the device as an SSH server. Make sure the correct device is added.
- To check IP addresses that have logged on, use `who`.
Troubleshooting
- `sudo tcpdump -ni any tcp port 22`: run a packet capture on the server itself.
Change Port To A Non-Default One
The default port on Linux is 22. Changing the port number to another number will make it slightly more difficult for malicious bots. When changing the default port, please go to NAT/GAMING and specify the port in both the base port range (port of the server) and the global port range.
- I ran into an issue where the router couldn't find the MAC address in NAT/GAMING. It seemed to have been resolved after rebooting my machine and deleting the passthrough rules.
Public Key Only SSH
When one uses a public-facing SSH service on a server, password authentication could be fragile. One can check the ssh activities with `sudo journalctl -feu ssh.service`. One security measure is to enable public-key-only SSH sessions so only selected devices can ssh into the server.
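Added example, not from the original notes: a shell helper that triages the `journalctl -u ssh.service` output mentioned above instead of reading it line by line. It counts failed password attempts per source IP, lists successful password logins (which should stop appearing once password authentication is off), and flags sources over a threshold. The log lines embedded in it are constructed (host, users and IPs are made up; the message wording follows the OpenSSH `Failed password` / `Accepted publickey` / `Accepted password` lines). Feed it real output with `failed_by_ip "$(sudo journalctl -u ssh.service --no-pager)"`.

```bash
#!/bin/sh
# Added example (not from the original notes): summarize sshd authentication
# events from journal text. Sample lines below are constructed for offline use.

SAMPLE_LOG='Jan 10 12:00:01 server sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 server sshd[1002]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:05 server sshd[1003]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 10 12:01:10 server sshd[1004]: Accepted publickey for rico from 192.168.1.23 port 40000 ssh2: RSA SHA256:placeholderfingerprint
Jan 10 12:02:00 server sshd[1005]: Accepted password for rico from 198.51.100.9 port 40010 ssh2
Jan 10 12:02:30 server sshd[1006]: Failed password for invalid user test from 198.51.100.77 port 41000 ssh2'

# failed_by_ip LOGTEXT: count "Failed password" lines per source IP,
# most frequent first. Output lines are "<count> <ip>".
failed_by_ip() {
    printf '%s\n' "$1" \
      | awk '/Failed password for/ {
                for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i + 1)]++
             }
             END { for (k in ip) print ip[k], k }' \
      | sort -rn
}

# accepted_password_logins LOGTEXT: successful logins that used a password
# rather than a key. With PasswordAuthentication no this should print nothing.
accepted_password_logins() {
    printf '%s\n' "$1" | grep 'Accepted password for' || true
}

# failed_ips_over LOGTEXT N: IPs with at least N failed password attempts,
# a simple brute-force indicator to review against firewall or fail2ban rules.
failed_ips_over() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "Failed password attempts per source IP:"
    failed_by_ip "$SAMPLE_LOG"
    echo "Successful password logins (should be empty after disabling passwords):"
    accepted_password_logins "$SAMPLE_LOG"
    echo "Sources with 3 or more failures:"
    failed_ips_over "$SAMPLE_LOG" 3
fi
```

On a real server, the second list is the useful one after the change below: any `Accepted password` line dated after the restart means the new `sshd_config` was not actually picked up.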
- Copy the public key:
  ```bash
  ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_ip
  ```
- `sudo nano /etc/ssh/sshd_config` and set:
  ```
  PasswordAuthentication no
  PubkeyAuthentication yes
  ```
- Restart SSH and SSHD:
  ```bash
  sudo systemctl restart ssh
  sudo systemctl restart sshd
  ```
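Added example, not from the original notes, covering both this section and the "Change Port To A Non-Default One" section above: a shell script that audits an `sshd_config` for the settings these notes ask for, and shows the safe order of operations for applying them on a live server (`sshd -t` to validate the file before `systemctl restart ssh`, and keeping the current session open until a second login works). The two config texts it carries are constructed samples; `sshd` takes the first occurrence of a keyword, which is why the audit reports the first non-comment match, and it does not look inside `Match` blocks.

```bash
#!/bin/sh
# Added example (not from the original notes): audit sshd_config for the
# public-key-only and non-default-port settings, then apply safely.

# effective_value FILE KEY: sshd uses the FIRST occurrence of a keyword, so
# report the first non-comment match (keywords are case-insensitive).
# Assumes "Key value" syntax and ignores Match blocks.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE: one line per finding; returns 0 when the hard checks pass.
audit_sshd() {
    rc=0
    pa=$(effective_value "$1" PasswordAuthentication)
    pk=$(effective_value "$1" PubkeyAuthentication)
    port=$(effective_value "$1" Port)
    # sshd defaults when a keyword is absent: PasswordAuthentication yes,
    # PubkeyAuthentication yes, Port 22.
    if [ "$pa" != no ]; then
        echo "FAIL PasswordAuthentication is '${pa:-yes (default)}', want no"; rc=1
    fi
    if [ "${pk:-yes}" != yes ]; then
        echo "FAIL PubkeyAuthentication is '$pk', want yes"; rc=1
    fi
    if [ "${port:-22}" = 22 ]; then
        echo "WARN Port is 22 (default); the notes move it to a non-default port"
    fi
    [ "$rc" -eq 0 ] && echo "OK public-key-only settings present"
    return "$rc"
}

# apply_and_restart: validate the live config before restarting so a typo
# cannot leave sshd unable to start (not run by the demo or the tests).
apply_and_restart() {
    sudo sshd -t -f /etc/ssh/sshd_config || { echo "config invalid, not restarting"; return 1; }
    sudo systemctl restart ssh
}

# Constructed samples: a weak config (first PasswordAuthentication match is
# the uncommented "yes") and a hardened one.
WEAK_CFG='Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CFG='Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding yes'

# write_tmp TEXT: write sample text to a temp file and print its path.
write_tmp() { f=$(mktemp); printf '%s\n' "$1" > "$f"; echo "$f"; }

if [ "${1:-}" = "--demo" ]; then
    for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
        f=$(write_tmp "$cfg"); audit_sshd "$f" || true; rm -f "$f"; echo
    done
    [ -r /etc/ssh/sshd_config ] && audit_sshd /etc/ssh/sshd_config || true
fi
```

`sh sshd_audit.sh --demo` runs the audit on the two samples and then on the real `/etc/ssh/sshd_config` if it is readable; call `apply_and_restart` only after the audit of the real file reports `OK`.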
Static IP Configuration
- For Raspberry Pi:
  - `sudo nano /etc/dhcpcd.conf`:
    ```
    interface wlan0                               # Use eth0 if you're configuring Ethernet
    static ip_address=192.168.1.100/24            # Replace with your desired static IP and subnet mask
    static routers=192.168.1.1                    # Replace with your router's IP address
    static domain_name_servers=8.8.8.8 8.8.4.4    # Replace with preferred DNS servers
    ```
  - `sudo systemctl restart dhcpcd`