Help! ssh setup

[kartal]

Hi

I managed to install SSH on most of my computers using Cygwin and Copssh. For some reason one of my laptops did not like Cygwin and SSH just did not work on it so I ended up installing Copssh which seem to work now. Now everything works fine within my network but I have couple things I need to figure out. Hopefully there are couple experienced users here.

1- I have forwarded port 22 in my firewall to my laptop so that I can access over the internet. I have not tried it outside but hopefully it would work. My question is that I also would like to access my dekstop using  ssh from the outside world. But the thing is that I do not want to enable another port in my firewall for my desktop(tried did not work anyways) to my desktop because I have all kinds of important stuff on it. So here is what I want to do and I do not know how to do it. I want to be able to connect to my laptop from outside and somehow enable some of the drives(on my desktop) that are not shared and enable some form of access temporarily and disable  when I do not need them. At the moment I have shared drives(on my desktop) and I can access them once I logged into ssh account via "cd  //server name/share". The thing is that I also have some drives that I do not even share inside my network. And those are the ones I want to be able to access from outside.


2- Regarding the issue above, is it possible to switch port forwarding on my router(linksys) via ssh? I know it sounds silly but since I have ddwrt on it I thought maybe it is possible to connect to it via command line. I will investigate this one later but for now it is easier for me to ask here.


3-I am also trying to understand this public key private key thingies. I read couple pages but so far I have not found any simple tutorial. Are they  better than using passwords? If so how can I setup? Does anyone know any simple tutorial for putty-cygwin(client server)

4- I also want to be able to use git or bazaar over ssh. These parts of their documentation is little vague. They all assume some implicit understanding of how those systems work. I have used tortoise in the past but on mylocal systed. I know the basics of checkin checkout but have not really figured out how I can check out, update via sftp. It seems possible but not well covered I think

5-I need to figure out connecting to xserver thing. I can start xserver but never tried it connecting from outside. If anyone knows any simple tutorial that would be great.



Sorry for so many questions but I am exhausted for 2 days due to trying to get this ssh stuff work properly. It is easy if you are lucky(no problems within your system) but 2 of my machines gave me major headache and I ended up reinstalling Cygwin so many times. On one machine it took only 5 min on another over half a day. Go figure. I have no idea why that would be the case really.


thanks

[Shades]

1 - is setting up a VPN network not easier...taking into account the things you want to do when accessing from the outside? OpenVPN could be a candidate.

2 - No clue

3 - Ah, PKI...it is not that hard. Since you are in control of the network you can use/become your own CA and hand out keys to yourself (only). You don't need to go through all steps that are normally required...assuming that you trust yourself at least.   Again, the OpenVPN package has a nice script with which you can create all required certificates/keys (it comes with a short to the point manual). All for free. The script uses OpenSSL, which is also part of the OpenVPN package.

Importing those keys is easy as well, double click on them and use the defaults from the wizard, those are normally adequate. When you have still questions after following the manual, don't hesitate to contact me.

4 - And again no clue.

5 - XMing? This software works nice.

[4wd]

1 - is setting up a VPN network not easier...taking into account the things you want to do when accessing from the outside? OpenVPN could be a candidate.

-Shades (July 04, 2009, 09:00 PM)

I agree if you want to access the desktop via RDP, VNC, etc.

2 - Access a PC local to the router via RDP, open a browser, access the router config and change it.  This is the way I do it and the easiest if you're not willing to allow WAN access to the router configuration interface.

[kartal]

Thanks for the follow up guys.

In short, what makes openvpn better than ssh? I am not very literate about this stuff just learning.

[Shades]

In your case, with a VPN you create a bridge between your own network and the network you are currently at using the internet. A tunnel if you will. You have to use some kind of PKI setup to secure the communication through this tunnel. You could then use RDP (Remote Desktop Protocol) to connect to your Windows box(es) or VNC to access your Windows/Linux box(es).

OpenVPN is an open source tool (server and client) that comes with all requirements and will likely not set of too much alarm bells with the IT department on your job, which is why I mentioned it. There are also commercial packages and freeware.

Setting up a VPN server at your home network is not as easy as it seems, but OpenVPN does not make it too hard either. For example, SSH together with Putty would be tool to use to access your home network if the VPN server failed and you want to restart it.

[4wd]

Setting up a VPN server at your home network is not as easy as it seems, but OpenVPN does not make it too hard either.

-Shades (July 05, 2009, 01:08 PM)

Actually, it's remarkably easy, see here 

Having learnt from that exercise, it's taken me less than 15 minutes to set up another one on a different machine with PKI.

And I'm now about to test PortableOpenVPN and see if it works.

@kartal:  Think of the VPN as a LAN, you can do anything across it that you can do on your real LAN except it's fully encrypted, (and you can also add password verification which I'm just about to play with), you can access it from outside your real LAN, (from anywhere you have TCP/IP access to it), and when you do it's exactly the same as if you were sitting at one of the computers on your LAN.

[kartal]

4wd,

I actually printed your vpn directions, it is not something I have forgotten about.

I actually use vpn with one of my clients. I am not the one who set it up though, I just connect to their project servers.

At this point I am too exhausted to try today but I might try in couple days.


Based Shades reply I am guessing that having vpn+ssh is not a bad idea. Would there be any conflicts along the way? Or would they just compliment each other in general?

[kartal]

Btw, do I really need keys? Cannot I just use dial up for Vpn? That is how I connect to my client`s network at the moment.Although I am not sure if they had set up key based stuff on their servers.

[Shades]

If you want the data that passes through the VPN connection to be encrypted then yes. From your earlier posts I noticed that you are very aware of your online presence and do like your privacy (both are a good thing). So I would say: yes, you need keys.

a CA key that has to be installed on every PC that will contact your home network including the PC that hosts the VPN server. For each PC that is in this VPN you need a secret and public key and each PC in the network should have all public keys from all other PC's in the VPN network.

Not that hard, but maybe an example would be more clear:
Say you have a VPN server called 'server' and two VPN clients called 'client1' and 'client2'

The VPN server needs the CA key, the secret 'server' key, the public 'server' key, public 'client1' key & 'client2' key
The VPN client1 needs the CA key, the secret 'client1' key, the public 'client1' key and public 'server' key
The VPN client2 needs the CA key, the secret 'client2' key, the public 'client2' key and public 'server' key
Using this particular setup each client can securely communicate with the VPN server.

If really need be, I would be able to create all the necessary keys, but then you have to trust me (and inform me how many you need). And if you have trust issues, I could rewrite some manuals I had to write on this subject (but that will be something I can only do when I have time) and you do it yourself. 

[4wd]

1- I have forwarded port 22 in my firewall to my laptop so that I can access over the internet. I have not tried it outside but hopefully it would work.

-kartal (July 04, 2009, 08:08 PM)

One thing I forgot to mention.  Most routers have some way to loopback the connection if they see you're addressing using the WAN IP.  Whether it's enabled or not is another thing.

eg.
Your WAN IP is 114.123.234.123, your LAN IP range is 192.168.0.1 - 16 and you're running a HTTP server on port 8080 of IP 192.168.0.10.  Normally you'd access it from within your LAN by http://192.168.0.10:8080  within a browser.

Enabling loopback in your router lets you do http://114.123.234.123:8080, the router seeing that you've used your WAN IP will loop the connection back through it's firewall and NAT routing to the computer running the HTTP server without ever going further upstream, (ie. ISP, DNS, etc).

This allows you to test your router/firewall config without having to go 'outside' your network to make sure it will pass through to whatever server you're trying to reach within your network.

It's the way I test any server I'm running without having to wait until I visit a mate's place, (only to find I screwed up the NAT or something).

How you enable it depends on your router.  For example, on my Zyxel P660 I have to telnet in, navigate the menus to the CLI and then enter: ip nat loopback on

This is only in effect until the router reboots, so I have also edited it into the router's autoexec.net file so it's executed at reboot.