  Data transfer (Message 66 to 75 of 195)  
From: Francois Labreque
Subject: Re: Data transfer
Date: 13 Sep 2011 13:59:55
Message: <4e6f9a1b@news.povray.org>

>>> No, I mean there's a *hardware* firewall in the way. You know, with the
>>> big Cisco sticker on it and the 3-digit price tag? (Although obviously
>>> that's only because I'm at work right now. My house doesn't have one of
>>> those...)
>>

You're off by two orders of magnitude.  Most Cisco firewalls are in the 
5 digit price tag.

>> And that hardware firewall is completely incapable of forwarding ssh
>> connections? Pretty useless, I'd say.
>
> No, I don't have the password to configure it. (And besides, have *you*
> tried configuring Cisco stuff? It's not exactly intuitive. You probably
> need Certified Engineer status to figure it out.)

You don't need to be a Cisco Certified Internetwork Expert to figure it 
out.  The Cisco manuals are usually pretty easy to follow, and freely 
available on their web site.

And it is actually pretty intuitive...

- Give each interface an ip address.
- Create your NAT tables.
- And off you go.

The only difference between a Cisco firewall and a D-link or NetGear 
home router, besides performance and scalability, is that you can (and 
should!) override the basic "everything outbound is ok, nothing inbound 
can come in" configuration.

Just like you would with any other infrastructure firewall, whether 
hardware (e.g.: Juniper, Netscreen, etc...) or software (e.g.: 
Checkpoint)  (Not talking about the software you run on your PC asking 
you if it's ok for MSPAINT.EXE to run as a service)

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: Francois Labreque
Subject: Re: Data transfer
Date: 13 Sep 2011 14:09:36
Message: <4e6f9c60$1@news.povray.org>

> On 13/09/2011 03:21 PM, Invisible wrote:
>>>> Terminal Services is where you have an expensive server-class
>>>> version of
>>>> Windows,
>>>
>>> Nope, that's Citrix (it may have changed names since MS acquired them,
>>> but everyone in the industry still calls it Citrix) and it runs on a
>>> different port than RDP. Terminal Services is the service running on the
>>> remote machine that receives the connection from MSRTC.EXE running on
>>> your computer to allow remote desktop connections.
>>
>> As far as I'm aware, Citrix is a completely different product made by a
>> completely different company. Terminal Services is just another instance
>> of the general RDP protocol.
>
> http://en.wikipedia.org/wiki/Remote_Desktop_Services
>
> Terminal Services most definitely *is* RDP. So is Remote Assistance.
> Exactly as I claimed.

So did I.  The part that you describe as "where you have an expensive 
server-class version of Windows, you install all your complicated 
applications on that, and then end users use their Windows-based desktop 
PC to log into the server and run the applications on that" 
is what I said was not Terminal Services.  It may be technically 
possible to do it via Terminal Services, but most enterprises who will 
require this will use Citrix.

>
> http://en.wikipedia.org/wiki/Citrix
>
> Citrix was not "acquired" by MS at all.
>
> MS got the idea for Terminal Services from Citrix, but the actual wire
> protocol appears to be derived from PictureTel.

Read the sentence just below the one where you pasted this from.  I was 
mistaken in thinking that they had been bought, but they are indeed in 
bed with Microsoft.


-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: Francois Labreque
Subject: Re: Data transfer
Date: 13 Sep 2011 14:17:36
Message: <4e6f9e40$1@news.povray.org>

> Puzzling thing: There are many, many SSH clients for Windows. There are
> no SSH *servers*. And I have literally no idea why.

Really?

http://www.freesshd.com/?ctt=download

Or maybe, running OpenSSH's sshd under Cygwin?
http://www.petri.co.il/setup-ssh-server-vista.htm

Or buying one of the many commercial versions available?

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: Orchid XP v8
Subject: Re: Data transfer
Date: 13 Sep 2011 14:38:18
Message: <4e6fa31a$1@news.povray.org>
On 13/09/2011 07:00 PM, Francois Labreque wrote:

>>>> No, I mean there's a *hardware* firewall in the way. You know, with the
>>>> big Cisco sticker on it and the 3-digit price tag? (Although obviously
>>>> that's only because I'm at work right now. My house doesn't have one of
>>>> those...)
>>>
>
> You're off by two orders of magnitude. Most Cisco firewalls are in the 5
> digit price tag.

True. But not this particular one.

http://www.ebuyer.com/135532-cisco-asa-5505-firewall-edition-bundle-asa5505-50-bun-k9

(Go on, hack me. You know you want to.)

>>> And that hardware firewall is completely incapable of forwarding ssh
>>> connections? Pretty useless, I'd say.
>>
>> No, I don't have the password to configure it.

Still stands.

>> (And besides, have *you*
>> tried configuring Cisco stuff? It's not exactly intuitive. You probably
>> need Certified Engineer status to figure it out.)
>
> You don't need to be a Cisco Certified Internetwork Expert to figure it
> out. The Cisco manuals are usually pretty easy to follow, and freely
> available on their web site.

Really? That might be worth reading...

> And it is actually pretty intuitive...
>
> - Give each interface an ip address.
> - Create your NAT tables.
> - And off you go.

From what I've seen, you telnet into the router, enter a password, and 
then enter lines of gibberish such as "enh eth gw all". You would 
*definitely* need a manual to figure out WTH that actually means, or 
what the name of the command you want is.

> The only difference between a Cisco firewall and a D-link or NetGear
> home router, besides performance and scalability, is that you can (and
> should!) override the basic "everything outbound is ok, nothing inbound
> can come in" configuration.

I'm still guessing that, between the configuration for routing to 
multiple LANs, multiple VPN endpoints, and remote access, adding a line 
that forwards SSH to a port on a desktop PC whose IP address is 
configured via DHCP is probably going to take some doing. (!)

And we still have the minor issue that I don't have the password. :-P

Actually, I have a NetGear router in my house. I used it to create a VPN 
between my house and my grandparents' house. It lets you do all sorts of 
port forwarding and stuff. The only trouble is... it's not reliable. 
Like, when certain datagrams pass through it, the firmware crashes, and 
you have to power-cycle it to get the Internet back. Eventually I was 
forced to take it out of the circuit, because it was pissing me off so 
much! (No, there isn't a firmware update available.)

Given the price of the Cisco ASA, I'm almost tempted...

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Orchid XP v8
Subject: Re: Data transfer
Date: 13 Sep 2011 14:41:31
Message: <4e6fa3db$1@news.povray.org>
>> Damn. Setting up SSH has got a whole lot easier than when I tried to do
>> it with Debian a few years ago.
>>
>> I'm presuming it defaults to password authentication though? As I
>> recall, half the trouble was figuring out how to permanently and
>> irrevocably disable password authentication and *only* allow public key
>> authentication. (For one thing, you have to work out how to create a
>> keypair...)
>
> Yes, it defaults to password authentication.
>
> To disable password authentication, modify /etc/ssh/sshd_config to
> include:
>
> PasswordAuthentication no
>
> Done.

The solution may not be complex. Trying to find it in the documentation 
often is.

Now explain how to generate a keypair and put the public half on the 
list of acceptable clients.

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
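
The steps asked about in the post above (register the public half of a keypair on the server, then confirm that passwords are really off), as an added example that is not part of the original thread. It assumes OpenSSH; the function names are hypothetical, and the check only reads the global section of the config file.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH file formats.
# On the client, a keypair is created with:  ssh-keygen -t ed25519
# and the resulting *.pub line is what install_pubkey() registers.

# effective_sshd_option FILE LOWERCASE_KEYWORD[|ALIAS...]
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive. Scanning stops at the first Match block (global only).
effective_sshd_option() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }              # skip comment lines
        { sub(/=/, " ") }                      # allow "Keyword=value"
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" want ")$") { print tolower($2); exit }
    ' "$1"
}

# password_logins_possible FILE -> exit status 0 if a password can still log in.
# PasswordAuthentication defaults to yes. Keyboard-interactive authentication
# also defaults to yes and, with UsePAM yes, PAM can prompt for the password,
# so "PasswordAuthentication no" alone may not be enough.
password_logins_possible() {
    pw=$(effective_sshd_option "$1" 'passwordauthentication')
    kbd=$(effective_sshd_option "$1" \
        'kbdinteractiveauthentication|challengeresponseauthentication')
    pam=$(effective_sshd_option "$1" 'usepam')
    [ "${pw:-yes}" != no ] && return 0
    [ "${kbd:-yes}" != no ] && [ "${pam:-no}" = yes ] && return 0
    return 1
}

# install_pubkey HOME_DIR 'PUBLIC KEY LINE'
# Appends the key once; sshd (StrictModes) rejects loosely permissioned files,
# so the directory is forced to 700 and the file to 600.
install_pubkey() (
    umask 077
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
    grep -qxF -- "$2" "$1/.ssh/authorized_keys" ||
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
)
```

On a real host, `sshd -t` validates the edited file and `sshd -T` prints the effective settings, including those inside Match blocks that this sketch skips.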



From: Orchid XP v8
Subject: Re: Data transfer
Date: 13 Sep 2011 14:45:39
Message: <4e6fa4d3@news.povray.org>
On 13/09/2011 05:48 PM, Darren New wrote:

>> (OTOH, doesn't X allow more than one user to log in at once?
>
> Not really. Remember, client and server are "reversed". You still need
> one computer per user, and indeed, I don't know of any modern distro
> that lets you lock the screen as one X user and then log in as a
> different user without logging out the first one. (Someone tell me if
> there's a way to do this with Ubuntu! :-)

OK, let me put it this way: X lets you install an application on a 
central server, and have multiple X "servers" (i.e. *clients*) connect 
to that server and have their own instance of the application appear on 
their screen.

If you want to do that with RDP, you need the multi-thousand dollar 
"server" version of Windows.

(Then again, I gather that X is doing all the work at the client end, 
while RDP is doing all the work at the server end and then copying it to 
the client screen...)

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Orchid XP v8
Subject: Re: Data transfer
Date: 13 Sep 2011 14:46:12
Message: <4e6fa4f4$1@news.povray.org>
On 13/09/2011 05:50 PM, Darren New wrote:
> On 9/13/2011 3:42, Invisible wrote:
>> I'm told it requires spending hours editing the X configuration files
>> to set up authentication and so forth, and then to make sure the
>> server is
>> started, and then to tell the application you want to run to open on the
>> remote machine rather than the local one (by using CLI options that
>> vary for
>> every individual program so you have to look them up), and then...
>
> You're about 10 to 15 years out of date.
>
> Back when 256 colors was a high-end graphics card, this is how it worked.

So what changed then? Certainly X hasn't changed since prehistoric times...

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Orchid XP v8
Subject: Re: Data transfer
Date: 13 Sep 2011 14:48:31
Message: <4e6fa57f$1@news.povray.org>
>>> As far as I'm aware, Citrix is a completely different product made by a
>>> completely different company. Terminal Services is just another instance
>>> of the general RDP protocol.
>>
>> http://en.wikipedia.org/wiki/Remote_Desktop_Services
>>
>> Terminal Services most definitely *is* RDP. So is Remote Assistance.
>> Exactly as I claimed.
>
> So did I. The part that you describe as "where you have an expensive
> server-class version of Windows, you install all your complicated
> applications on that, and then end users use their Windows-based desktop
> PC to log into the server and run the applications on that"
> is what I said was not Terminal Services. It may be technically possible
> to do it via Terminal Services, but most enterprises who will require
> this will use Citrix.

Well, this is how *all* of the applications where I work are deployed. 
And as far as I can tell, it works just fine. (Modulo the occasional 
stupid glitches, of course...)

> Read the sentence just below the one where you pasted this from. I was
> mistaken in thinking that they had been bought, but they are indeed in
> bed with Microsoft.

OK, sure. Novell too, I gather...

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Orchid XP v8
Subject: Re: Data transfer
Date: 13 Sep 2011 14:49:29
Message: <4e6fa5b9@news.povray.org>
On 13/09/2011 07:17 PM, Francois Labreque wrote:

>> Puzzling thing: There are many, many SSH clients for Windows. There are
>> no SSH *servers*. And I have literally no idea why.
>
> Really?
>
> http://www.freesshd.com/?ctt=download
>
> Or maybe, running OpenSSH's sshd under Cygwin?
> http://www.petri.co.il/setup-ssh-server-vista.htm
>
> Or buying one of the many commercial versions available?

Let me rephrase: There are no SSH servers that are free software.

(At least, 5 years ago I wasted weeks searching for one, and never found 
one.)

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Orchid XP v8
Subject: Re: Data transfer
Date: 13 Sep 2011 14:53:52
Message: <4e6fa6c0@news.povray.org>
>>>> You can thank Windows for this.
>>>
>>> Nah. You can thank NAT for this.
>>
>> I think it's more the general problem of Internet security.
>
> No, it's a problem of routing. If you can't address the remote computer,
> you can't give it a file, no matter what protocol you use.
>
>>> Note how all of those require a running server on a public IP address.
>>
>> Well, yes. To perform a data transfer, you need a way to contact the
>> other end.
>
> That's my point. It's nothing to do with Windows vs Linux. It has to do
> with public vs private IP addresses.

Certainly it's nothing to do with what OS you're running.

I still think the main problem is that to allow somebody to send you 
data, you have to figure out how to prevent anybody *else* sending you data.

>> I'm told there's a system called UPnP or something which is supposed to
>> allow you to automatically bypass NAT.
>
> The local machine still needs to run something that uses upnp to poke a
> hole in the firewall.

Sure. I'm saying that if you were expecting someone to get/put a file, 
the software that makes this happen could temporarily open a suitable 
port, and then close it when it's done.

That way, you could (for example) have an IM client that doesn't send 
data through a 3rd party.

>> It's news to me that you can transfer files with RDP.
>
> Give it a try. Log in remotely, copy a file off your desktop, mouse over
> the remote machine, and pick paste.

How the heck w...?

Oh, wait, you can set the remote display to not take up the whole 
screen, can't you?

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.