To: wblock@wonkity.com, runge@karlrunge.com
In-Reply-To: Mail from 'Warren Block' dated: Fri, 1 Jan 2010 19:53:15 -0700 (MST)
From: "Karl J. Runge"
Date: Fri, 01 Jan 2010 22:41:13 -0500
Cc: freebsd-questions@freebsd.org
Subject: Re: Remote assistance for X

On Fri, 1 Jan 2010, Warren Block wrote:
>
> ssh -t -c blowfish -N -f -L 5500:$supporterhost:5500 $supporterhost && \
> x11vnc -display :0 -localhost -connect localhost -ncache 10

I think that will work, but I believe (for extra safety/clarity if
nothing else) you really want:

    -L 5500:localhost:5500

in the ssh command.  Note that for -L the ending host:port part is
relative to the *sshd* (ssh-server) side.  So, if I understand what you
want, you might as well use localhost:5500 instead of
$supporterhost:5500.
Also, if $supporterhost is that of an internet firewall/router doing
port forwarding, $supporterhost might not resolve properly on the
"supporterhost", or leak back out to the internet in a weird way.

Symmetrically: for -R the ending host:port part is relative to the ssh
(ssh-client) side.

Here are some examples that should work. I provide "prompt>" to
indicate which machine the command is run on (and I skip your -c
preference):

    supportee_host> ssh -t -N -f -L 5500:localhost:5500 $supporter_host && \
                      x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0

which should be the same as:

    supportee_host> x11vnc -display :0 -proxy ssh://$supporter_host \
                      -connect_or_exit localhost:0 -rfbport 0

i.e. x11vnc has a built-in -proxy that already does what you want it to
do; it runs ssh(1) for you:

    http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-proxy

Note how I use -connect_or_exit instead of -connect to try to avoid
problems if the connection fails:

    http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-connect_or_exit

I also use the '-rfbport 0' described there to prevent x11vnc from
listening for any connections (which I think is what you want.)

Aside: Originally I thought you could ssh into supportee_host; for
anyone looking to do that, here is the analogous command:

    supporter_host> ssh -t -N -f -R 5500:localhost:5500 $supportee_host \
                      x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0

In all cases supporter_host is running:

    supporter_host> vncviewer -listen 0

(or ssvncviewer -listen 0 if you have SSVNC)

> ...
> That looks more elegant.  Are the security and speed comparable to ssh?

Speed shouldn't be a problem; I believe both ssh and 'x11vnc -ssl' use
OpenSSL for encrypting the session traffic.  If a machine is *really*
slow the choice of encryption cipher may be noticeable (I don't see a
big effect even on a 300MHz test machine I have.)

Security-wise, of course 'ssh' is used much more than 'x11vnc -ssl'.
For both ssh and 'x11vnc -ssl', if the certificate/key is not verified
by an external means one is susceptible to a man-in-the-middle attack.
However w/o verification at least both are safe against passive network
sniffing.
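
The -L/-R rule described in the message above, as an added example that is not part of the original e-mail or of x11vnc: a small Python check that reports which end listens and which end dials the trailing host:port, and flags a destination or listener that is not loopback. The function name analyze_forward and the host supporter.example.net are constructed for illustration.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# ssh(1) syntax: [bind_address:]port:host:hostport, IPv6 literals in [brackets]
_SPEC = re.compile(
    r"^(?:(?P<bind>\[[^\]]*\]|[^:\[\]]*):)?"
    r"(?P<port>\d+):"
    r"(?P<host>\[[^\]]+\]|[^:\[\]]+):"
    r"(?P<hostport>\d+)$"
)


def analyze_forward(flag, spec):
    """Report where an ssh -L / -R forward listens and where its target is dialed."""
    m = _SPEC.match(spec)
    if flag not in ("L", "R") or m is None:
        raise ValueError(f"not a -L/-R port forward: -{flag} {spec}")
    # -L: the ssh client listens and sshd dials host:hostport; -R is the mirror.
    if flag == "L":
        listener, dialer = "ssh client", "sshd server"
    else:
        listener, dialer = "sshd server", "ssh client"
    warnings = []
    host = m["host"].strip("[]").lower()
    if host not in LOOPBACK:
        # Only the client<->sshd leg is encrypted by ssh.
        warnings.append(
            f"{host}:{m['hostport']} is resolved and dialed from the {dialer}; "
            "that hop is not covered by the ssh tunnel"
        )
    bind = m["bind"]  # None when no bind_address was given
    if bind is not None and bind.strip("[]").lower() not in LOOPBACK:
        # An empty bind_address or '*' asks for all interfaces.
        warnings.append(
            f"listener requested on non-loopback address '{bind}' on the "
            f"{listener}; other hosts may be able to reach the forwarded port"
        )
    return {"listens_on": listener, "target_dialed_from": dialer, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample specs; supporter.example.net is a placeholder host.
    for flag, spec in [("L", "5500:supporter.example.net:5500"),
                       ("L", "5500:localhost:5500"),
                       ("R", "*:5500:localhost:5500")]:
        print(f"-{flag} {spec}", analyze_forward(flag, spec))
```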