[nzlug] Best approach for remote-admin of a Debian box
Karl.
kmw1 at free.net.nz
Wed Oct 24 13:36:12 NZDT 2007
Now that we have a little more info on what your goals are - remote
admin, "occasional assistance" and needing to see the remote user's
desktop (rather than a separate desktop on the remote machine), I'd
suggest this:
- start with SSH - once you have that, you can set up almost anything you
like on top of it. No other protocols need to be set up in advance.
- use X11VNC http://packages.debian.org/x11vnc "With x11vnc you can
export your currently running X11 session to any VNC client. You do
not have to launch another session as the regular VNC server does. So
it's very useful, if you want to move to another computer without
having to log out, or to help a distant colleague to solve a problem
with their desktop."
You say this is for occasional use, not as a desktop that you would be
doing your daily work on. I don't think that warrants the trouble of
setting up NX or anything else (unless you want to). x11vnc will just
work without any effort, and it is trivial to tunnel over ssh, even
using a Windows box as a viewer (using PuTTY or plink as ssh
tunneler). You can launch your own desktop if you want to, with plain
vnc.
- you could use some sort of dyndns on the machine you are trying to
connect to, but that also means you probably need to poke a hole in
his router firewall. An alternate approach, which I use for remote
access to my father's computer, is to set up an icon for him to click
on that connects to *my* computer (via dyndns, which is at *my* end,
and so fully under my control) and sets up a tunnel back into his
machine.
Neither he nor I need to know what his IP address is, and there is the
added benefit that his router firewall integrity is maintained, and he
is in control of when I can access his computer. This is a moot point
when you have admin rights and can set up whatever back doors you like,
but I think it is still nice to have that boundary of privacy - I
can't get into his computer unless he invites me by connecting to
mine.
If you want to cover your bases, make a boot CD that allows setting up
the link to your machine, so that if the remote machine is *really*
messed up you can still get him to connect to you and give you a shell
to start working with. Or, if you want to cover the possibility that
he just messes up his own login, create another user whose sole
function is to connect to your machine and set up the tunnel.
Not that it's relevant, but my father's computer is running Windows;
using VNC I can access his desktop just about as well as a Linux box.
It's not fabulously fast, but it's plenty fine for admin or helping
with something he's working on.
Karl.
--
http://mowson.org/karl
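
The "icon that connects to my computer and sets up a tunnel back" arrangement described in the message, sketched as an added example (not part of the original post and not the author's script). The host name, account name, key path, display and port numbers are placeholders chosen for illustration; `helper_key_line` prints the `authorized_keys` entry for the helper's machine, which limits that key to one reverse listener with no shell.

```shell
#!/bin/sh
# Added example: script behind the "click to invite help" icon on the assisted machine.
# Placeholders (not from the post): host, account, key path, display, ports.
HELPER_HOST="helper.example.net"   # helper's dyndns name
HELPER_USER="assist"               # unprivileged account on the helper's machine
KEY="$HOME/.ssh/assist_ed25519"    # key used only for this tunnel
DISPLAY_ID=":0"                    # the desktop session to share
VNC_PORT=5900                      # x11vnc port on the assisted machine
REMOTE_PORT=5901                   # port that appears on the helper's loopback

# With DRY_RUN set, print the command instead of running it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Share the running desktop. -localhost refuses non-loopback clients, so the
# only way in is through the ssh tunnel; -once exits after the first viewer leaves.
share_desktop() {
    run x11vnc -display "$DISPLAY_ID" -localhost -once -rfbport "$VNC_PORT"
}

# Reverse forward: helper's 127.0.0.1:REMOTE_PORT -> this machine's VNC_PORT.
# -N runs no remote command; ExitOnForwardFailure aborts if the listener
# cannot be created instead of leaving a useless session open.
open_tunnel() {
    run ssh -N -i "$KEY" -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -R "127.0.0.1:$REMOTE_PORT:127.0.0.1:$VNC_PORT" "$HELPER_USER@$HELPER_HOST"
}

# Entry for the assist account's authorized_keys on the helper's machine.
# "restrict" turns off shell, PTY, agent and X11 forwarding; port forwarding is
# re-enabled, and permitlisten allows only the one reverse listener port.
# $1 is the public key line from the assisted machine.
helper_key_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$REMOTE_PORT" "$1"
}

# Only act when launched as: invite.sh --connect
if [ "${1:-}" = "--connect" ]; then
    share_desktop &
    vnc_pid=$!
    open_tunnel                      # blocks until closed or the link drops
    kill "$vnc_pid" 2>/dev/null || true
fi
```

While the tunnel is up, the helper points a VNC viewer at `localhost:5901` on their own machine; closing the script on the assisted machine ends the access.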