Linux - SSH and X Window System

X Window System, SSH, Static IP

Posted by Rico's Nerd Cluster on January 5, 2018

SSH

  • Generate an SSH key: ssh-keygen -t rsa -b 4096
    • This creates ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key) and optionally sets a passphrase
  • Copy the public key onto a remote machine: ssh-copy-id username@remote_host
    • You will be prompted for the password of the remote machine. Your public keys will then land in ~/.ssh/authorized_keys on that machine.
  • sudo nmap -sn 192.168.1.0/24: uses ICMP echo requests (ping) and TCP SYN packets on OSI layer 3 (the network layer). This is more robust than sudo arp-scan -l because the latter uses ARP (Address Resolution Protocol) on layer 2 (the local subnet). Some devices may not respond to it because of their firewall settings. Also, ARP is an IPv4 protocol; IPv6 devices may not use it at all.

  • Check login history:
    • who displays the last 3 logins
    • last displays a longer list.

SSH vs SSHD

  • SSH (Secure Shell client): runs on the local machine as an SSH client and connects to a remote server
    • ssh username@remote_host 'ls -la /var/www': run a command on the remote server
    • scp local_file username@remote_machine:PATH: copy a file to the remote machine
    • All data transmitted here is encrypted.
  • SSHD (Secure Shell daemon):
    • Listens on a specified port (default 22) for incoming SSH connections.

What is X?

X Window System (or X11, X) renders graphics on display hardware. It interacts with input devices such as a mouse and keyboard to create effects like dragging windows and clicking. X is widely used on UNIX-like systems: Linux, Solaris, etc.

X has an X server (screen) and X clients (keyboard, mouse, etc.). They talk to each other through a network protocol, so a screen can display input remotely.

Source: Wikipedia

Be Careful With Adding XClients

If a child process does not have access to the X server but is running as root (e.g., in a container), one not-so-secure solution is to allow any process running as root to access the X server:

  xhost +local:root

  • Note that this command cannot be run in a script because running a script opens up a new shell. It can be sourced, though (source executes the command in the current shell).

Alternatively,

  xhost +local:

This allows any local user to access the X server (X terminal).
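To see what the two xhost commands above actually granted, and how to undo them, here is an added example (not from the original post) that classifies the access list printed by running xhost with no arguments. The sample output is constructed to look like a display after xhost +local:root and xhost +local:; the audit_live_display helper is assumed to run on a machine with an X display.

```python
"""Audit the X server access list as printed by `xhost` (no arguments)."""
import subprocess

# Constructed sample of what `xhost` prints after `xhost +local:root`
# (the SI:localuser:root entry) and `xhost +local:` (the bare LOCAL: entry).
SAMPLE_XHOST_OUTPUT = """\
access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:root
SI:localuser:rico
"""


def audit_xhost(output: str) -> dict:
    """Classify xhost output.

    open_to_all : access control disabled (`xhost +`), any host may connect
    all_local   : bare LOCAL: entry (`xhost +local:`), every local user may connect
    local_users : users granted individually (`xhost +local:<user>`)
    revoke      : xhost commands that undo the broad grants
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    report = {"open_to_all": False, "all_local": False,
              "local_users": [], "revoke": []}
    if lines and lines[0].startswith("access control disabled"):
        report["open_to_all"] = True
        report["revoke"].append("xhost -")          # re-enable access control
    for entry in lines[1:]:
        if entry == "LOCAL:":
            report["all_local"] = True
            report["revoke"].append("xhost -local:")  # drop the all-local-users grant
        elif entry.startswith("SI:localuser:"):
            report["local_users"].append(entry.split(":", 2)[2])
    return report


def audit_live_display() -> dict:
    """Assumed helper: run xhost against the current $DISPLAY and audit it."""
    return audit_xhost(subprocess.check_output(["xhost"], text=True))


if __name__ == "__main__":
    print(audit_xhost(SAMPLE_XHOST_OUTPUT))
```

Per-user grants (SI:localuser:<name>) are the narrower option; a bare LOCAL: entry lets every local account connect to the display and read its input and screen contents.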

What If I Can’t See Images From Remote Machine?

  1. Log onto the remote server

  2. echo $DISPLAY: this should display your current X11 display, something like localhost:10.0

  3. xauth list: if nothing prints on the console, it means ssh did not automatically generate the X11 authorization cookies on the local display properly.

    1. If you don’t see this, first sudo vim /etc/ssh/sshd_config
    2. Make sure these exist:

       X11Forwarding yes
       X11UseLocalhost yes

    3. Restart the SSH service:

       sudo systemctl restart ssh

    4. Remove .Xauthority:

       rm ~/.Xauthority

    5. Log out and reconnect to generate the X11 authorization cookies:

       ssh -Y rico@rico-orin

Remote SSH Forwarding W/ AT&T Routers

  1. Log onto the AT&T page, 192.168.1.254
  2. Go to IP Passthrough -> change allocation mode from Off to Passthrough
    • I noticed that on my local network, the SSH connection to the server was not stable
      • “Hairpin NAT” is the mechanism required on a router to allow machines on the local network to access the server using its public IP address
      • Unfortunately, my router doesn’t support that
      • So I set IP Passthrough mode to Off instead of Passthrough
  3. Use DHCP Fixed. Under the device list, find the SSH server’s MAC address
  4. In NAT/GAMING, add the device as an SSH server. Make sure the correct device is added.
  5. To check which IP addresses have logged on, use who.

Troubleshooting

  • sudo tcpdump -ni any tcp port 22: run a packet capture on the server itself.

Change Port To A Non-Default One

The default SSH port on Linux is 22. Changing it to another number makes it slightly more difficult for malicious bots. When changing the default port, go to NAT/GAMING and specify the port in both the base port range (the port of the server) and the global port range.

  • I ran into an issue where the router couldn’t find the MAC address in NAT/GAMING. It seemed to have been resolved after rebooting my machine and deleting the passthrough rules.

Public Key Only SSH

When one runs a public-facing SSH service on a server, password authentication can be fragile. One can check SSH activity with sudo journalctl -feu ssh.service. One security measure is to allow public-key-only SSH sessions so only selected devices can SSH into the server.
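An added example (not from the original post) of what to look for in that journal output: it parses the "Accepted"/"Failed" lines sshd logs, counts failures per source address, and separates password logins (which should disappear once password authentication is off) from public-key logins. The journal lines below are constructed samples in the usual sshd format.

```python
"""Triage sshd authentication lines from `journalctl -u ssh.service`."""
import re
from collections import Counter

# Constructed sample of sshd journal lines (TEST-NET addresses).
SAMPLE_JOURNAL = """\
Jan 05 10:21:07 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Jan 05 10:21:09 srv sshd[1234]: Failed password for root from 203.0.113.5 port 51440 ssh2
Jan 05 10:21:12 srv sshd[1236]: Failed password for root from 203.0.113.5 port 51448 ssh2
Jan 05 10:22:01 srv sshd[1250]: Accepted publickey for rico from 192.168.1.23 port 50210 ssh2: RSA SHA256:AAAA
Jan 05 10:22:30 srv sshd[1260]: Accepted password for rico from 198.51.100.9 port 40000 ssh2
Jan 05 10:23:00 srv sshd[1270]: Failed password for rico from 198.51.100.9 port 40010 ssh2
"""

# sshd's auth result line: "<Accepted|Failed> <method> for [invalid user] <user> from <src> port <port>"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def triage(journal: str, fail_threshold: int = 3) -> dict:
    """Summarise auth events; sources with >= fail_threshold failures are flagged."""
    failed_by_src = Counter()
    accepted = []                     # (user, src, method)
    for line in journal.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue                  # not an auth result line
        if m["result"] == "Failed":
            failed_by_src[m["src"]] += 1
        else:
            accepted.append((m["user"], m["src"], m["method"]))
    return {
        "failed_by_src": dict(failed_by_src),
        "brute_force_sources": sorted(
            src for src, n in failed_by_src.items() if n >= fail_threshold),
        # Any entry here means PasswordAuthentication is still effectively on.
        "password_logins": [(u, s) for u, s, meth in accepted if meth == "password"],
        "publickey_logins": [(u, s) for u, s, meth in accepted if meth == "publickey"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JOURNAL).items():
        print(f"{key}: {value}")
```

On a live server, pipe the output of sudo journalctl -u ssh.service --no-pager into triage() via stdin.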

  1. Copy the public key: ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_ip

  2. sudo nano /etc/ssh/sshd_config

       PasswordAuthentication no
       PubkeyAuthentication yes

  3. Restart SSH and SSHD

       sudo systemctl restart ssh
       sudo systemctl restart sshd
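A pitfall with editing sshd_config by hand is that sshd uses the first value it reads for a keyword, so a "PasswordAuthentication no" added below an existing "PasswordAuthentication yes" never takes effect. The added example below (not from the original post) parses the global section of a constructed sshd_config with that first-match rule and reports which of the settings from this post and the X11 section are not in effect.

```python
"""Check the settings this post relies on against an sshd_config."""
import re

# Constructed sample: the second PasswordAuthentication line is ignored by sshd.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 2222
X11Forwarding yes
X11UseLocalhost yes
PasswordAuthentication yes
PubkeyAuthentication yes
# The next line never takes effect: the first value of a keyword wins
PasswordAuthentication no

Match User backup
    PasswordAuthentication yes
"""

# Values the hardening steps above expect in the global section.
EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "yes",
    "x11uselocalhost": "yes",
}


def parse_global(config: str) -> dict:
    """Return keyword -> value for the section before any Match block.

    Keywords are case-insensitive and the first occurrence wins, as in sshd.
    Lines starting with '#' and blank lines are skipped.
    """
    settings = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break                     # per-user/host overrides start here
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return settings


def audit(config: str) -> dict:
    """Report keywords whose effective value differs from EXPECTED, plus the port."""
    effective = parse_global(config)
    mismatches = {k: effective.get(k) for k, want in EXPECTED.items()
                  if effective.get(k) != want}
    port = effective.get("port", "22")   # sshd's default when Port is absent
    return {"mismatches": mismatches, "port": port, "port_is_default": port == "22"}
```

The authoritative check on the server itself is sudo sshd -T, which prints the configuration sshd has actually resolved.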

Static IP Configuration

  • For Raspberry Pi:
    1. sudo nano /etc/dhcpcd.conf

       interface wlan0   # Use eth0 if you're configuring Ethernet
       static ip_address=192.168.1.100/24  # Replace with your desired static IP and subnet mask
       static routers=192.168.1.1         # Replace with your router's IP address
       static domain_name_servers=8.8.8.8 8.8.4.4  # Replace with preferred DNS servers

    2. sudo systemctl restart dhcpcd