Tag: Useful Websites

  • Secure, remote administration of a Windows computer

    I was going to call this post “secure, remote administration of a Windows computer from within Windows” but that sounds a bit odd, unless you realise that the last two posts have been “secure, remote administration of a Linux computer from within Windows” and “secure, remote administration of a Mac OS X computer from within Windows”. Basically, after getting SSH tunneling to work for administering Mac OS X and Linux machines, I thought that it would make sense to apply the same principles to Windows.

    John Fitzgibbon’s comparison of free SSH and SCP programs for Windows 9x, NT, ME, 2000 and XP explains the various SSH server options for Windows but one option he doesn’t mention is Tevfik Karagülle’s CopSSH, which I found on a list of free SSH implementations recommended by OpenSSH.

    CopSSH bundles parts of OpenSSL, OpenSSH and Cygwin into a Windows installer. It’s straightforward to install, and includes a GUI interface to activate a user for SSH, including the generation of a public/private key pair (saved to %programfiles%\copSSH\username\username.key and %programfiles%\copSSH\username\username.key.pub). The private key needs to be imported into PuTTYgen after which it can be saved in PuTTY’s .PPK format and used as previously described for Mac OS X and Linux. The only other point to note is that the sshd_config file is stored in %programfiles%\copSSH\etc and requires the same AllowTcpForwarding yes and PasswordAuthentication no settings as seen previously.

    To access the desktop via VNC, I installed UltraVNC Server on the target machine, noting that there are two settings that need to be configured for a successful connection through the SSH tunnel:

    • A password must be defined for VNC connections.
    • Loopback connections must be allowed.

    That’s fine for using an SSH tunnel to secure a VNC session, but why not tunnel remote desktop (RDP) connections to Windows servers instead of using VNC? In theory, all that should involve is changing the forwarded source port from 5900 (VNC) to 3389 (RDP) and setting the corresponding SSH port forwarding destination to localhost:3389 but Windows doesn’t like that, producing an error message as follows:

    Remote Desktop Disconnected

    The client could not connect. You are already connected to the console of this computer. A new console session cannot be established.

    One suggested fix is to change the destination to use another address from the loopback range (e.g. 127.0.0.2) but I found this just directed me to my own machine (as might be expected with a loopback). For a while, it looked as though the resolution would be related to a change made in Windows XP service pack 2, which prevents connections to loopback addresses other than 127.0.0.1; Microsoft knowledge base article 884020 includes a hotfix that alters this behaviour, but I don’t think it helped me much (I later removed the hotfix and didn’t notice any difference). Eventually I got things working by creating a new forwarded source port of 3390 and destination of localhost:3389 for SSH port forwarding, after which I could connect using mstsc /v:loopback:3390.

    It’s been an interesting few days getting acquainted with using SSH tunnels to securely connect to remote systems running a variety of operating systems – hopefully posting my experiences here will be useful to others.

  • Secure, remote administration of a Linux computer from within Windows

    Yesterday I wrote about using SSH to securely connect to a Mac from a Windows PC. At the time, I suggested that the advice should be equally applicable to a Linux system, or even to a Windows Server with an SSH server installed and I’ve since tested it with a Linux machine (running Fedora Core 5).

    The Linux process is almost identical to my original post for Mac OS X, except that:

    • The sshd_config file is found in /etc/ssh.
    • SSH is enabled in the firewall using the system-config-securitylevel command.
    • The SSH daemon is restarted using the service sshd restart command.
    • GNOME includes a VNC server called vino, which needs to be enabled (users of other graphical environments will need to choose an alternative VNC server).

    (Also… RTFM… I spent a lot of time trying to work out why I couldn’t connect, only to find that I’d neglected to place the public key in ~/.ssh/authorized_keys).

    Falko Timme has written an excellent tutorial on key-based SSH logins with PuTTY which outlines all the key steps (in fact, if I’d known that existed then I wouldn’t have spent so much time writing up the process here!) but Jeremy Mates’ OpenSSH public key authentication article includes a useful troubleshooting guide for public key authentication problems.

    VNC is all very well for forwarding the entire desktop, but X11 forwarding can be used to display individual X applications on the Windows machine. Because Microsoft Windows doesn’t include an X Window server, it is necessary to download an X11 port for Windows – I used XMing. Once XMing (and the XMing fonts) were installed and running, I edited my PuTTY connection to enable X11 forwarding and ensured that the sshd_config file on the Linux box included X11Forwarding yes (that was the default on my Fedora Core 5 installation). I could then launch an X application from within the PuTTY terminal window with xapplicationname & (e.g. xeyes &) (I found this information at the Linux Documentation Project). XEyes is nothing special, so how about running a Linux application on the Windows desktop… try mozilla & or gimp & – it feels “wrong” but it’s also pretty impressive and oh so “right” at the same time!

    Using XMing to run X11 applications on a Windows XP machine

  • Secure, remote administration of a Mac OS X computer from within Windows

    In a recent post about multimedia file format conversions, ripping DVDs, playback and more, I linked to a number of Mark Pilgrim’s “How To” articles; however there was one which wasn’t relevant to that particular post – how to use your Mac from anywhere (although it is intended for remote control of a Mac the advice should be equally applicable to a Linux system, or even to a Windows Server with an SSH server installed).

    A few months back, I blogged about creating an SSL VPN to access my network but Mark’s video explains how to open a single firewall port and use SSH to provide a secure tunnel through which other protocols (in this case VNC) can be run for remote administration of a single computer. I tried it earlier and it’s very straightforward. Best of all, the software involved is all freely available under open source licensing agreements!

    I recommend downloading Mark Pilgrim’s video for a full explanation but the notes below explain what is involved (some of the Unix concepts may be unfamiliar to those more used to a graphical environment and my quick introduction to Linux for Windows administrators might be useful):

    1. Download and install the PuTTY, PuTTYgen, Pageant and Plink SSH utilities on a Windows PC.
    2. Using puttygen, generate a public/private key pair and protect it with a passphrase. Save the private key to a file on the Windows PC and copy the public key to the remote computer (e.g. within a text file transmitted via e-mail or FTP).
    3. On the Mac, open a terminal session (either using the OS X Terminal application or an alternative such as iTerm) and enter the following commands from the home (~) directory:
      • mkdir .ssh (this was already present on my machine as I already had the SSH server running).
      • chmod 700 .ssh (again, I didn’t need to do this).
      • chmod 600 publickeyfilename (the default permission set is 640).
      • mv publickeyfilename .ssh/authorized_keys
      • sudo nano /etc/sshd_config (non-admin users may need to su - to an admin account first as explained in my earlier post about running sudo as a standard user) and make the following edits:
        • Allow SSH tunnelling (also known as TCP forwarding or port forwarding) by changing #AllowTcpForwarding yes to AllowTcpForwarding yes
        • (Optionally) Prevent the use of usernames and passwords for login (the public/private key pair and passphrase will provide the security for the connection) by changing #PasswordAuthentication yes to PasswordAuthentication no
        • (OS X 10.4 only) Disable pluggable authentication modules by changing #UsePAM no to UsePAM no
      • Exit nano and save the changes to /etc/sshd_config (exit to the original shell if su was previously used to escalate privileges).
      • Generate an SSH key fingerprint (to prevent man-in-the-middle attacks) using ssh-keygen -l -f /etc/ssh_host_rsa_key.pub and make a note of the fingerprint.
    4. Open TCP port 22 on any firewalls/routers between the Windows and Macintosh computers and enable port forwarding to the appropriate internal IP address (it may be necessary to apply a static IP address to the Mac but I prefer to use a DHCP reservation).
    5. If the external IP address for the network is not static (mine is) then use a dynamic DNS service to assign a DNS name so that it may be located on the Internet.
    6. Within the OS X System Preferences, Open Sharing and enable Remote Login (restart the service if it is already running in order to pick up the changes made earlier to /etc/sshd_config). Because password authentication has been disabled, remote login (SSH) will only be possible from a machine with the appropriate private key.
    7. Although OS X includes Apple Remote Desktop, which is a VNC server, alternatives such as Vine Server (OSXvnc) offer additional functionality. In particular, VNC is insecure by default; however by selecting to only allow local connections (require SSH) and start the system server (i.e. run as a service, rather than in the context of a particular user), it is possible to run a secure VNC server each time the system is restarted.
    8. At this stage, it should be possible to create an SSH tunnel to the Mac. On the Windows PC, run pageant, which is a PuTTY helper application (SSH agent) that caches the passphrase for the private key; the passphrase adds a level of security if the PC is compromised but would become a nuisance if it had to be entered repeatedly. Add a key using the private key file generated in step 2 and enter the passphrase that was used when the key was created.
    9. Next, run putty and enter:
      • The hostname/ipaddress in the basic session options.
      • The auto-login username for the Macintosh for the connection data.
      • The privatekeyfilename for SSH authentication.
      • A new forwarded source port of 5900 and destination of localhost:5900 for SSH port forwarding.
    10. Save the session with an appropriate sessionname and open the connection. On the first connection, the host key will be unknown; however the reported key can be compared with the one generated earlier to ensure that the host is the intended target computer. Assuming that all is well and the connection is allowed to continue, then a Welcome to Darwin! greeting should be displayed, along with a shell prompt.
      • If the connection fails and there is a prompt for the private key then Pageant is not correctly configured.
      • If there is a prompt for a password then /etc/sshd_config was not correctly edited.
    11. Unless command line interaction with the Mac is required, the PuTTY window can be minimised. In order to create the SSH tunnel automatically at login, a startup shortcut can be created with the target of "%programfiles%\PuTTY\pageant.exe" privatekeyfilename -c "%programfiles%\PuTTY\plink.exe" sessionname
    12. Finally, a graphical connection may be initiated with a VNC viewer such as UltraVNC. The connection should be made to localhost; however because localhost:5900 has been defined as the forwarded port in the SSH tunnel, the request is securely transferred to the VNC server on the Mac.
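    As an added example (not from the original post or from Mark Pilgrim’s video), the script below checks the server side of step 3 above and the authorized_keys point from the Linux post: it reads the sshd_config edits, verifies the permissions on ~/.ssh and authorized_keys, and prints the host key fingerprint to compare against PuTTY’s first-connection prompt. The config and home paths are passed on the command line and are assumptions, as is the Fedora location of the host key.

```shell
#!/bin/sh
# Added example: verify the server-side prerequisites for a key-only SSH tunnel.
# Usage: sh sshd-tunnel-check.sh /etc/sshd_config /Users/username
# (Fedora keeps the file at /etc/ssh/sshd_config; both paths are assumptions.)

# Print the first uncommented value of a keyword in sshd_config, or "unset".
# sshd honours the first occurrence of a keyword and matches it case-insensitively;
# a commented line such as "#AllowTcpForwarding yes" is documentation only.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Return 0 when the two edits from the posts are in effect: forwarding allowed
# (sshd defaults to yes, so "unset" also passes) and password logins refused
# (sshd defaults to yes, so this one must be set explicitly).
check_tunnel_config() {
    cfg=$1; rc=0
    fwd=$(sshd_setting "$cfg" AllowTcpForwarding)
    if [ "$fwd" != yes ] && [ "$fwd" != unset ]; then
        echo "AllowTcpForwarding is $fwd: PuTTY port forwards will be refused"; rc=1
    fi
    if [ "$(sshd_setting "$cfg" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication is not no: password logins are still accepted"; rc=1
    fi
    return $rc
}

# Octal permission bits of a path: GNU stat first, BSD/OS X stat as the fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Return 0 when $1/.ssh is mode 700 and $1/.ssh/authorized_keys exists with
# mode 600 (the chmod/mv steps above, and the "RTFM" mistake in the Linux post).
check_authorized_keys() {
    home=$1; rc=0
    [ -d "$home/.ssh" ] || { echo "$home/.ssh is missing"; return 1; }
    [ "$(mode_of "$home/.ssh")" = 700 ] || { echo "$home/.ssh is not mode 700"; rc=1; }
    if [ ! -f "$home/.ssh/authorized_keys" ]; then
        echo "authorized_keys is missing: the public key was never installed"; rc=1
    elif [ "$(mode_of "$home/.ssh/authorized_keys")" != 600 ]; then
        echo "authorized_keys is not mode 600"; rc=1
    fi
    return $rc
}

# Print the RSA host key fingerprint to compare with PuTTY's first-connection
# prompt; the OS X 10.4 path is from the post, the Fedora path is an assumption.
show_fingerprint() {
    for k in /etc/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub; do
        [ -f "$k" ] && { ssh-keygen -l -f "$k"; return 0; }
    done
    echo "no RSA host public key found"; return 1
}

main() {
    status=0
    check_tunnel_config "$1" || status=1
    check_authorized_keys "$2" || status=1
    show_fingerprint || status=1
    [ $status -eq 0 ] && echo "OK: ready for a key-only SSH tunnel"
    return $status
}

if [ $# -eq 2 ]; then main "$1" "$2"; fi
```

Run it on the Mac or Linux box after editing sshd_config and before restarting the daemon; a non-zero exit lists exactly which of the posts’ prerequisites is still missing.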

    It’s worth noting that when I originally tried to test this configuration from a remote network I was unable to get past my employer’s firewall; however there are plenty of unsecured wireless networks around which I could use to test the connection!

    Note that the original information that provided inspiration for writing this post is licensed under a creative commons attribution sharealike 2.5 license and consequently so is the information contained in this post.

  • Mac OS X keyboard shortcuts

    After my backup hard disk failed a couple of weeks ago, I needed to be sure that a hard reset of my Mac hadn’t damaged anything so I fired the machine up in single user mode and ran AppleJack.

    As it happened, there was nothing wrong, but there’s no harm in a bit of preventative maintenance from time to time; however I had forgotten the keypress to bring Mac OS X up in single user mode – for future reference, Apple has a document which details OS X keyboard shortcuts.

  • Time to get creative!

    Late last night, I wanted to write a blog post which quoted a portion of someone else’s copyrighted work. After researching fair use legislation (and finding out that the UK equivalent is fair dealing), it seemed that what I was doing constituted criticism, review and news reporting under the terms of fair dealing in the United Kingdom Copyright, Designs and Patents Act 1988 (CDPA) but I was caught up in a haze of legal doubt. I made clear that I was not the originator of this work, credited the artists but even so I felt that I needed to disclaim my use of the work on the blog post and I’m no legal expert – what if I’ve got it all wrong? I’m not making vast sums of money from this blog and what if I get sued?

    Whilst my problem related to copyrighted work and fair use/fair dealing is very vague, there is an answer for content publishers who do want to share their work – it’s been around for a while now and is really starting to get some traction – that answer is Creative Commons. I first heard about Creative Commons on an episode of TWiT a year or so back and when I recently redesigned this website, I turned it over to a Creative Commons Attribution-Noncommercial-Share Alike 2.0 UK: England & Wales License – effectively retaining some rights over the work whilst allowing others to use it in the manner that I see fit.

    Basically, if anything is copyrighted (and under many jurisdictions it is automatically copyrighted – whether or not the © symbol is displayed) then permission is required to use it (subject to the vagaries of fair use/fair dealing). Creative Commons licenses are intended to make it easy to skip intermediaries and to grant others permission to use creative works.

    Creative Commons licenses are standard copyright licenses provided free of charge via the Internet. Written for lawyers and courts, they are translated for people, and again for computers. They are used to retain copyright whilst granting permission for certain uses, subject to some conditions (images are from Creative Commons):

    • Attribution. You let others copy, distribute, display, and perform your copyrighted work – and derivative works based upon it – but only if they give credit the way you request.
    • Noncommercial. You let others copy, distribute, display, and perform your work – and derivative works based upon it – but for noncommercial purposes only.
    • No Derivative Works. You let others copy, distribute, display, and perform only verbatim copies of your work, not derivative works based upon it.
    • Share Alike. You allow others to distribute derivative works only under a license identical to the license that governs your work.

    Any content may be protected with Creative Commons license, e.g. files, photos, drawings, websites, films, sounds, books, or weblogs – there is even a Creative Commons search engine.

    To find out more, watch the video clip below:

    Get creative!

  • Text me outta here

    When I was about 15, I remember using a telephone engineering number to get the phone to ring, then pretending that it was my friend’s Dad on the phone, that we were in trouble, and that we had to go to his house right away – just to get my girlfriend to leave so I could hang out with my mates!

    Fast forward 20 or so years and teenage girlfriends are definitely a thing of the past (I’m happily married, with two lovely kids). The engineering code that I used to know is also long since confined to a distant memory (but you can do something similar in the UK with 17070); however there is a new service for those who need to escape from dodgy dates, or other potentially sticky situations. For £1, text me outta here will send an SMS message at a pre-defined time and you can either ignore it (if things are going well) or use the excuse you dreamed up previously to get you out of a situation. It’s only been running for a few weeks but sounds like an interesting service to me!

  • Portable applications – an alternative approach to mobile computing

    I’ve been playing around with the idea of running operating systems from USB flash drives for a while now but the main problem is USB boot support in the hardware I use (most notably the Fujitsu Siemens Lifebook S7010D that I use for work doesn’t support it).

    A while back I wrote about my experiences of booting Windows PE from a USB flash drive (and I believe that new versions of PE make this easier) but the reality is that I haven’t needed this – it not really anything more than a challenge that I set myself to see if it could be done and for those (up to now, theoretical) “system down” occasions there are CD-based solutions that I can use (e.g. Knoppix STD, Trinity Rescue Kit or Winternals Administrators Pak).

    For other occasions (like working on someone else’s PC), there is the option of a portable application. I tried out two such packages tonight (my favourite Windows FTP program – FileZilla – and Mozilla Firefox) and was very impressed. Neither of these applications is installed on my wife’s Windows XP PC and yet I was able to run the portable versions of them both from my USB flash drive without leaving any files behind. It’s the ultimate in mobile computing – literally anytime, anyplace, anywhere – as long as you can borrow a (Windows) PC!

    There are alternative solutions such as U3 and MojoPac but, as far as I can tell, these rely on kernel hacks to implement technology such as roaming desktops and the beauty of the Portable Applications solution is that, even though there is an application “suite” available, I can just run the individual applications that I need, on any Windows PC, without any specialist hardware – and it’s free.

  • Flash Earth

    Many people are familiar with Google Earth and others may use Microsoft Virtual Earth but Paul Neave (who describes himself as a “serial flash fettler and interactive designer”) has produced a great mash-up of zoomable images from all the major aerial and satellite photograph providers called Flash Earth (alongside some other cool stuff on his website).

    Flash Earth

    One of Flash Earth’s strengths is the ability to switch between services on the fly as I’ve found that some services have better images than others (e.g. Microsoft gets closer to my home, but Google has higher resolution images of some neighbouring towns). Best of all, although Google Earth and competing products have additional functionality (for example, 3D viewpoints), Flash Earth doesn’t require any client software (aside from the Adobe Flash Player, which is a common browser plug-in) – of course, Windows Live Local offers a similar service, without using Flash and including additional functionality, but it is limited to the Microsoft mapping and imaging data.

    It’s also worth noting that the images served by these services are not completely up-to-date. Based on new developments where I live and work, I’m guessing that the aerial data which Ask, Google, Microsoft and Yahoo! serve is approximately 4-7 years old (which service is more recent does vary though, according to the area being viewed) but Microsoft’s mapping data is more current than their images, which results in some interesting roads shown across fields in the hybrid view!

    I should add that this blog post comes with a warning – browsing the planet looking at aerial photographs can lead to many wasted hours (and much lost sleep)… as I found to my own detriment last night!

  • Keeping up with the news (plus some tips for Windows Vista)

    Clicking through from one of Victor Laurie’s sites, I found Ed Bott’s 10 expert tips and tweaks for Windows Vista – it looks as though there are some nice tips there.

    I regularly read Paul Thurrott’s writing (as well as listening to his Windows Weekly podcast with Leo Laporte) and I occasionally check out what Stephen Bink and Ryan Hoffman have to say but it seems Ed Bott’s Microsoft Report is another useful resource for those keeping up-to-date with the latest news from Redmond (the official Microsoft news is also at Presspass, but it’s all so clinical and corporate).

    Of course, Ed Bott writes at ZDNet, who have loads of writers churning out news on Microsoft, Google, Apple and others but it’s just so hard to keep up (and RSS feeds are worsening my information overload instead of making it better!) – just thought I’d make a note of it up here on the blog in case it turns out useful for someone.

  • Windows for beginners

    Earlier today, I was looking for a complete list of Windows environment variables and a spot of googling turned up Victor Laurie’s Computer Education website, which describes itself as “an educational site that is intended for the home user of personal computers… teaching some basic points about how they and their Windows operating systems work”. From a cursory glance, it looks to be a useful resource, with information written in a clear and concise manner.

    Among his collection of sites, Vic also has a site called Surf the Internet Safely with advice for those who are worried about security online and a Windows Tips and Tricks blog with “selected tips on making Windows safer and easier to use”.

    All of these sites look to be useful resources for those who are just getting started with a Windows computer (and for some more advanced home users too).