Linux - SSH and X Window System

SSH

• Generate an SSH Key: ssh-keygen -t rsa -b 4096.
  • This will create ~/.ssh/id_rsa and optionally sets a passphrase
• Copy ssh onto a remote machine: ssh-copy-id username@remote_host
  • You will be prompted for the password of the remote machine. All your public keys will then land in ~/.ssh/authorized_keys.

• sudo nmap -sn 192.168.1.0/24: uses ICMP echo requests (ping), TCP (SYN) packets on OSI layer 3 (the network layer). This is more robust than sudo arp-scan -l because the latter uses ARP (Address Resolution Protocol) protocol on layer 2 (the local subnet). Some devices may not respond due to its firewall settings. Also, ARP is an IPv4 protocol. IPv6 devices may also avoid using it.

• Check login history:
  • who display the last 3 logins
  • last display a longer list.

SSH vs SSHD

• SSH (Secure Shell Client): Initiates machine as an SSH Client to connect to a remote server
  • ssh username@remote_host 'ls -la /var/www' : run commands on a remote server
  • scp local_file username@remote_machine:PATH
  • All data transmission here is encrypted.
• SSHD (Secure Shell Daemon):
  • Listens on a specified port (default port 22) for incoming SSH requests.

What is X?

X Window System (or X11, X) renders graphics on display hardware. It can interact with input devices such as a mouse, keyboard, etc., to create effects like dragging windows and clicking. X is widely used in UNIX like systems: Linux, Solaris, etc.

X has an x server (screen) and x clients (keyboard, mouse, etc.). They talk to each other through network protocol, so a screen can display inputs remotely.

Be Careful With Adding XClients

If a child process does not have access to the X server, but is running as root (e.g., in a container), one not super secure solution is to allow any process running as root to have access to the X server.

1
xhost +local:root

• Note that this command cannot be run in a script because running a script opens up a new shell. It can be sourced, though (source executes the command in the current shell).

Alternatively,

1
xhost +local:

This allows a local user to access Xterminal

What If I Can’t See GUI From Remote Machine?

1. Log onto remote server

2. echo $DISPLAY : This should display your current X11 display.
   • Running on local machine through SSH shows system76-pc:10.0, or localhost:10.0. This value is set by SSH client
   • If echo $DISPLAY returns :1, it means X11 server connect to the local display :1, instead of the remote server.
3. xauth list If nothing prints on console, it means ssh did not automatically generate the X11 authorization cookies on the local display properly.
   1. If you don’t see this, first sudo vim /etc/ssh/sshd_config

   2. Make sure these exists:

      1
      2
       X11Forwarding yes   # allows the server to accept and forward X connections from SSH client
       X11UseLocalhost no 
      

      • X11UseLocalhost yes is the default and binds X11 to listen to loopback, so only local machine can acccess it
        • In general, this is more secure.
        • But in this case, we want to allow external ssh connection to access x server. It’s not the most secure though.

   3. Restart the SSH console:

      1
       sudo systemctl restart ssh
      

   4. Remove .Xauthority

      1
       rm ~/.Xauthority
      

      • This file is automatically generated by the SSH client (usually stored in your home directory as ~/.Xauthority).
      • Removing it can force ssh to regenerate it upon reconnection

   5. Log out and reconnect to generate X11 authorization cookies

      1
       ssh -Y rico@rico-orin
      

Adding X11 Access To Docker

1. Do all steps in the section above
2. Launch containers remotely, not on the server itself
   • This way, echo $DISPLAY on the remote server, inside and outside the container, should give the same value, like system76-pc:10.0.
3. On remote server, add docker to xhost: xhost +local:docker, or do xhost +local: ?
   • xhost +local:docker X server allows connections from clients running in group docker
   • xhost +local: : X server allows connections from any clients

4. In docker compose:

   1
   2
   3
   4
   5
   6
    environment:
      - DISPLAY
      - XAUTHORITY=/tmp/.host_Xauthority  # avoid name clashing with a directory with the same name??
    volumes:
      # - /tmp/.X11-unix:/tmp/.X11-unix
      - /home/ricojia/.Xauthority:/tmp/.host_Xauthority:ro
   

   • Why # - /tmp/.X11-unix:/tmp/.X11-unix is commented out?
     • The /tmp/.X11-unix directory holds the Unix domain sockets for X11 communication when connecting locally (e.g., for display :0).
     • In the SSH X forwarding scenario, the connection to your X server happens over TCP (using the DISPLAY value like system76-pc:10.0), not via the local Unix socket. So we do NOT want to include it.
   • /home/ricojia/.Xauthority:/tmp/.host_Xauthority:ro is required:
     • This line binds the host’s Xauthority file to the container at /tmp/.host_Xauthority in read-only mode.
     • Required so that the container has access to the correct authentication cookie that matches your SSH-forwarded X session.
     • Without this file inside the container, X clients would be unable to authenticate with your X server, resulting in errors like “X11 connection rejected because of wrong authentication.”
5. do xclock in the docker. The GUI should pop up on the client machine.
   • A catch to this method is, because $DISPLAY=system76-pc:10.0, the GUI will be launched there even if you launch the GUI on the server.

Remote SSH Forwarding W/ AT&T Routers

1. Log onto the AT&T page, 192.168.1.254
2. Go to Ip Passthrough -> change allocation mode from Off to Passthrough
   • I noticed that on my local network, SSH connection to the server was not stable
     • “Hairpin NAT” is the mechanism required on a router to allow machines on local network to access the server, using its public IP Address
     • Unfortunately, my router doesn’t support that
     • So I made IP->Passthrough Mode off, instead of passthrough
3. Use DCHP Fixed. Under the device list, find the ssh server’s MAC address
4. In NAT/GAMING, add the device as an SSH server. Make sure the correct device is added.
5. Check IP addresses that have logged on, use who.

Trouble shooting

• sudo tcpdump -ni any tcp port 22 run a packet capture on the server itself.

Change Port To A Non-Default One

The default port on Linux is 22. Changing port number to another number will make it slightly more difficult for malicious bots. When changing default port, please go to NAT/GAMING, specify port in both base port range (port of the server) and the global port range

• I ran into an issue where the router couldn’t find the MAC address in NAT/GAMING. It seemed to have been resolved after rebooting my machine and deleting the passthough rules.

Public Key Only SSH

When one uses a public-facing SSH service on a server, password authentication could be fragile. One can check the ssh activities with sudo journalctl -feu ssh.service. One security measure is to enable public-key-only SSH sessions so only selected devices can ssh into the server.

1. Copy the public key: ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_ip

2. sudo nano /etc/ssh/sshd_config

1
2
PasswordAuthentication no
PubkeyAuthentication yes

1. Restart SSH and SSHD

1
2
sudo systemctl restart ssh
sudo systemctl restart sshd

Static IP Configuration

• For Raspberry Pi:

  1. sudo nano /etc/dhcpcd.conf

     1
     2
     3
     4
      interface wlan0   # Use eth0 if you're configuring Ethernet
      static ip_address=192.168.1.100/24  # Replace with your desired static IP and subnet mask
      static routers=192.168.1.1         # Replace with your router's IP address
      static domain_name_servers=8.8.8.8 8.8.4.4  # Replace with preferred DNS servers
     

  2. sudo systemctl restart dhcpcd

• Previous
  Electronics - General Science Facts
• Next
  Linux - Udev Rules And Systemd Services