
Friday, October 30, 2015

UNIX SSHD - Enable Tunnel

Almost all UNIX distributions ship with an SSH server preinstalled and ready to work. One thing I realized recently is that this default configuration does not allow tunnels.

I have a couple of posts explaining how to connect Windows machines through an SSH tunnel (http://trabajosdesisifo.blogspot.com.es/2015/08/remote-desktop-with-ssh-tunnel.html and http://trabajosdesisifo.blogspot.com.es/2015/10/vnc-connection-with-ssh-tunnel.html), but for them to work properly on UNIX you have to make a small tweak first.


Edit the /etc/ssh/sshd_config file and set the following parameter:
GatewayPorts clientspecified


Then, just restart the service:
service sshd restart
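An added helper for the two steps above (example code, not from the post) that applies the change with the semantics of sshd_config(5) in mind: keywords are case-insensitive, the first active value of a keyword wins, and everything after a Match line belongs to that Match block. The helper names and the sample config it edits are constructed for the demo.

```shell
#!/bin/sh
# Hypothetical helpers (added example, not the post's code). sshd_config(5)
# semantics matter here: keywords are case-insensitive, the FIRST active
# value of a keyword wins, and everything after a Match line belongs to that
# Match block. So appending "GatewayPorts clientspecified" at the end of the
# file changes nothing if an active "GatewayPorts no" appears earlier.

# sshd_get FILE KEYWORD -> effective global value ("keyword value" form only)
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        tolower($1) == "match"  { inmatch = 1 }         # rest is per-Match
        inmatch                 { next }
        tolower($1) == key      { print $2; exit }      # first one wins
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE -> rewrite the first active occurrence, else
# insert before the first Match block, else append at end of file
sshd_set() {
    tmp=$(mktemp) || return 1
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        tolower($1) == "match" { if (!done) { print line; done = 1 }; inmatch = 1 }
        !inmatch && !done && tolower($1) == key { print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner/mode
    rm -f "$tmp"
}

# Constructed sample config (not a real file) where naive appending would
# be ignored: an active "GatewayPorts no" comes first.
demo_fix() {
    cfg=$(mktemp) || return 1
    printf '%s\n' 'Protocol 2' 'GatewayPorts no' '#GatewayPorts no' \
        'AllowTcpForwarding yes' 'Match User anoncvs' '  AllowTcpForwarding no' > "$cfg"
    sshd_set "$cfg" GatewayPorts clientspecified
    sshd_get "$cfg" GatewayPorts        # prints: clientspecified
    rm -f "$cfg"
}

# Real host: sshd_set /etc/ssh/sshd_config GatewayPorts clientspecified,
# then "sshd -t" to validate BEFORE "service sshd restart".
demo_fix
```

Run sshd -t before restarting so a typo in sshd_config cannot leave the host without a working daemon. Note that clientspecified lets any user allowed to forward ask the gateway to bind a forwarded port on all interfaces, so pair it with a firewall rule or a Match block that restricts AllowTcpForwarding to the accounts that need it.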


This is my full sshd_config file:
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
GatewayPorts clientspecified
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

VNC Connection with SSH Tunnel

In a previous post I explained how to make a remote desktop connection using an SSH tunnel. Recently I had to use this solution and found that it did not work with the target machine's network configuration. Fortunately, Mr V (alias coffee man) was there to save our lives.

This new solution involves RealVNC and, of course, an SSH tunnel.

As you can check on the official site (http://www.realvnc.com/download/):
VNC enables you to remotely access and control your devices wherever you are in the world, whenever you need to. VNC has a widespread user base — from individuals to the world's largest multi-national companies — utilizing the technology for a range of applications.
You will need two tools:
  • VNC Server installed on the Target PC
  • VNC Viewer "installed" (there is a portable version) on the Source PC
You will also need a third machine, called Gateway, with an SSH server installed.


Preliminary preparation

I will not explain again how to set up an SSH server on the Gateway. In this case I will use a CentOS machine, so I take this step for granted.

On the Target machine you do need to install VNC Server. You can install only VNC Server and skip VNC Viewer, because you will not need it on the Target PC.



The installation is quite simple and you can leave all options at their defaults. You only need to set a connection password.


Once installed, the first time you start the program it will ask you for a license key. You can get a free, non-expiring license on the official site.





The important part of all this configuration is port 5900. This is the port on which VNC Server will be listening for incoming connections.

Tunneling

There will be just one SSH tunnel:
  • From Target PC to Gateway
The topology of the solution is depicted in the following image:



Tunnel from Target to Gateway

Working on the Target PC, with PuTTY you have to set the following configuration.
In the Session category:
  • Host name and port of the Gateway's SSH server
In the Connection category:
  • Set the parameter "Seconds between keepalives" to 180
In the Connection > SSH > Tunnels category:
  • Check the "Local ports accept connections from other hosts" option
  • Check the "Remote ports do the same (SSH-2 only)" option
  • Set Source port 9999 (this is an arbitrary number), destination localhost:5900 and check the Remote option. Then click "Add"
Note: if localhost does not work, try putting the Target PC's IP as the destination.




Testing the tunnel

To test the connection from the Source PC, you need to install VNC Viewer. This is a standalone app (i.e., portable).

On the Source PC just open VNC Viewer and set the VNC Server field to your Gateway's address and port 9999.


Then you will have to enter the password you set during the VNC Server installation.
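The PuTTY settings from the Tunneling section, as an added example that is not from the original post: the same tunnel as an OpenSSH command line for the Target PC, plus a check to run on the Gateway over netstat -ltn or ss -ltn output that tells you which address the forwarded port 9999 actually ended up bound to. The user@host, the netstat sample and the helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: the same tunnel built with an OpenSSH
# client on the Target PC instead of PuTTY, plus a check, run on the
# Gateway, of which address the forwarded port 9999 ended up bound to.

# tunnel_cmd USER@GATEWAY [BIND_ADDR] -> ssh command line to run on Target
#   ServerAliveInterval=180     = PuTTY "Seconds between keepalives" 180
#   -R BIND:9999:localhost:5900 = remote forward, source 9999, destination
#       localhost:5900; BIND 0.0.0.0 is "Remote ports do the same" (needs
#       GatewayPorts yes/clientspecified on the Gateway), 127.0.0.1 keeps
#       the port reachable from the Gateway itself only
#   ExitOnForwardFailure=yes    = exit instead of staying connected with no
#       tunnel when the Gateway refuses the bind (default is just a warning)
tunnel_cmd() {
    printf 'ssh -N -o ServerAliveInterval=180 -o ExitOnForwardFailure=yes -R %s:9999:localhost:5900 %s\n' \
        "${2:-0.0.0.0}" "$1"
}

# listen_addrs PORT  < output of "netstat -ltn" or "ss -ltn" on the Gateway
# Prints the local address of each listener on PORT (field 4 in both tools).
listen_addrs() {
    awk -v re=":$1\$" 'NF >= 4 && $4 ~ re { sub(re, "", $4); print $4 }'
}

# tunnel_exposure PORT < netstat/ss output -> "none", "loopback" or "exposed"
tunnel_exposure() {
    listen_addrs "$1" | awk '
        $0 == "127.0.0.1" || $0 == "::1" || $0 == "[::1]" { lo = 1; next }
        { ext = 1 }
        END { if (ext) print "exposed"; else if (lo) print "loopback"; else print "none" }'
}

# Constructed "netstat -ltn" sample for the Gateway with the tunnel up (not
# a real capture): 9999 is bound to 0.0.0.0, reachable from any host that
# can reach the Gateway, which the Source PC needs but a firewall rule
# should narrow to the Source PC's address.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:9999    0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:25    0.0.0.0:*         LISTEN'

demo_exposure() { printf '%s\n' "$SAMPLE_NETSTAT" | tunnel_exposure 9999; }  # -> exposed

tunnel_cmd admin@gateway.example   # placeholder user and host
demo_exposure
```

A result of "exposed" means anyone who can reach the Gateway on port 9999 reaches the Target's VNC service through it, so restrict that port on the Gateway's firewall to the Source PC's address.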


Enjoy.

Sunday, October 18, 2015

Virtual Box - CentOS - Shrink VMDK disk

We start with a bunch of VMDK files and we want to shrink their size. The steps are as follows:
1) Unlink the VMDK of the virtual machine from VirtualBox

2) Convert the VMDK to VDI
"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd --format VDI CentOS6.6-base.vmdk Integracion.vdi

3) Link the VDI again to the virtual machine

4) Nullify the empty space (this example is for CentOS)
dd if=/dev/zero of=/bigemptyfile bs=4096k
rm -rf /bigemptyfile

5) Compact the VDI
"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" modifyhd Integracion.vdi --compact

6) Convert the VDI to VMDK, and specify the split option
"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd --format VMDK Integracion.vdi Centos-Integracion.vmdk --variant Split2G

7) Link the VMDK to the virtual machine
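Step 4 as an added example (not the post's own commands), done inside the CentOS guest and generalised to every writable ext/xfs filesystem the guest has mounted, because /boot or /home on their own partitions would otherwise keep their stale blocks and the compact step would not shrink them. The helper names and the /proc/mounts sample are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: step 4 (zero the free space inside the
# CentOS guest) done carefully, and generalised to every writable ext/xfs
# filesystem the guest has mounted, since /boot or /home on their own
# partitions would otherwise keep their stale blocks.

# fill_targets  < /proc/mounts  -> mount points worth zero-filling
# (block devices only, ext2/3/4 or xfs, not mounted read-only)
fill_targets() {
    awk '$1 ~ /^\/dev\// && $3 ~ /^(ext[234]|xfs)$/ && ("," $4 ",") !~ /,ro,/ { print $2 }'
}

# zero_fill MOUNTPOINT [MAX_MB]
# Writes zeros into a temporary file until the filesystem is full (dd ending
# with "No space left on device" is the expected outcome, not an error) or,
# with MAX_MB given, a bounded amount, then syncs so the zeros actually reach
# the virtual disk before the file is deleted.
zero_fill() {
    f="$1/bigemptyfile"
    if [ -n "${2:-}" ]; then
        dd if=/dev/zero of="$f" bs=1M count="$2" 2>/dev/null || { rm -f "$f"; return 1; }
    else
        dd if=/dev/zero of="$f" bs=4M 2>/dev/null || :
    fi
    sync
    rm -f "$f"                     # one file, so rm -f rather than rm -rf
    sync
    [ ! -e "$f" ]
}

# zero_fill_all: the full step 4 on a live guest; run as root, then shut the
# guest down before "VBoxManage modifyhd --compact" (step 5).
zero_fill_all() {
    fill_targets < /proc/mounts | while read -r mp; do
        echo "zero-filling free space on $mp"
        zero_fill "$mp"
    done
}

# Constructed /proc/mounts sample (not from a real guest) for a dry run.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
/dev/mapper/vg_centos-lv_root / ext4 rw,relatime,barrier=1,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sr0 /media/cdrom iso9660 ro,relatime 0 0
/dev/mapper/vg_centos-lv_home /home ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | fill_targets   # prints / /boot /home, one per line
```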


Note: VBoxManage is one of the command-line tools installed with VirtualBox.