
I currently have Xubuntu 18.04 with Remmina and for some reason, their SSH option doesn't work for me. So I'm left with insecurely accessing my remote machine over the Internet.

So I ssh'd to my local machine with xorg forwarding, i.e. ssh -Y myself@localmachine (with public-key authentication, etc). Then I started up Remmina and connected to my remote machine over the Internet (without the SSH option).

Is this secure?

  • "connected to my remote machine over the internet" is vague, but from your description it doesn't sound like you're actually doing anything with the ssh tunnel... – AndrolGenhald Jun 27 '18 at 19:43
  • I started up remmina in the terminal window after I ssh'ed to myself. I'm a complete beginner at this, but my theory was by ssh-ing to yourself, you encrypt your data before it goes across the internet. – Joshua Tao Jun 27 '18 at 20:01
    @JoshuaTao Sure, the data is encrypted between your computer and itself, but how would it be encrypted across the internet with nothing on the receiving end to decrypt it? Instead of using Remmina's option (which is broken for me as well), create the SSH tunnel manually. Also, RDP isn't inherently insecure if that's what you are using; it typically has its own encryption and certainly authentication. – multithr3at3d Jun 27 '18 at 20:09
  • @JoshuaTao I've edited your question to clarify it based on what you've said, if I was incorrect in my interpretation please [edit](https://security.stackexchange.com/posts/188591/edit) the question to fix it and clarify what's happening on which machine. – AndrolGenhald Jun 27 '18 at 21:50
  • Thanks AndrolGenhald and multithr3at3d. I guess I'm not really doing anything. – Joshua Tao Jun 27 '18 at 23:17

3 Answers


No, this is not secure.

Let's call your machines local and remote. What you're doing right now is creating a tunnel for X11 from local to local, then running a VNC client over that tunnel and using it to connect to remote. This effectively does nothing; traffic between local and remote isn't going over the SSH tunnel.

Originally it sounded like you might be saying that you were SSHing from local to remote, running a VNC client on remote X11 forwarded to local, then using the VNC client to connect from remote to remote. This would be secure (as long as you trust the remote computer, X11 forwarding is somewhat vulnerable if remote is malicious; I'm not familiar enough with VNC to know if this is better or worse than using VNC directly) but it seems convoluted and unnecessary, and I would guess performance would suffer.

If you want to have VNC tunneled through an SSH connection the correct way to do this is to forward a port from local to remote using ssh -L:

ssh -L [localhost port]:[host]:[host port] remote

This syntax can be a little confusing at first until you figure out what's happening on which machine. [host] here is from the perspective of remote; what happens is that you're forwarding [localhost port] to remote, then remote sends it to [host]:[host port], so what you actually want is:

ssh -L 5900:localhost:5900 remote

That way traffic is sent from local port 5900 to remote, then remote sends it to itself on port 5900. Then you can use your VNC client on local to connect to local on port 5900 (if port 5900 is already used on local [localhost port] can of course be changed to something else).

It's not relevant here because remote is forwarding to itself, but it's important to understand that once the traffic reaches remote it will be sent unencrypted. If you had a separate VNC host accessible from remote and used ssh -L 5900:vnchost:5900 remote the traffic would be encrypted from local to remote, but not from remote to vnchost.


You didn't specify what protocol you were using, so this answer assumes VNC, but it would work equally well for other protocols simply by changing the port being forwarded. Also note that some desktop sharing protocols allow using TLS, which should make SSH forwarding unnecessary when implemented correctly.

AndrolGenhald
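The forward described in this answer, wrapped in a small helper as an added example (this is not code from the answer). It assumes the ssh host alias `remote`, a `vncviewer` binary on local, and a control-socket path of its own choosing; the `ExitOnForwardFailure` option makes ssh fail instead of silently connecting without the tunnel when the local port is already taken, which is the case the answer warns about.

```shell
# Control socket so the background tunnel can be closed by name later (assumed path).
TUNNEL_SOCK="${TUNNEL_SOCK:-$HOME/.ssh/vnc-tunnel.sock}"

# Print the -L argument for: local:$1 -> ssh -> $4 -> $2:$3
# $2 is read from the ssh host's point of view, exactly as the answer explains.
forward_spec() {
    printf '%s:%s:%s' "$1" "$2" "$3"
}

# Returns 0 when the forwarded leg stays on the ssh host itself, i.e. the
# traffic is encrypted all the way; any other target means a plaintext hop
# from the ssh host to that target (the vnchost case in the answer).
tunnel_is_end_to_end() {
    case "$1" in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# open_tunnel local_port target_host target_port ssh_host
#   -f -N : go to background only once the forward is up, run no remote shell
#   -M -S : open a control socket so close_tunnel can end this exact session
#   ExitOnForwardFailure=yes : exit non-zero if local_port is already in use
open_tunnel() {
    tunnel_is_end_to_end "$2" || \
        echo "warning: $4 -> $2:$3 is not covered by ssh encryption" >&2
    ssh -f -N -M -S "$TUNNEL_SOCK" -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$1" "$2" "$3")" "$4"
}

# close_tunnel ssh_host
close_tunnel() {
    ssh -S "$TUNNEL_SOCK" -O exit "$1"
}

# vnc_over_ssh local_port ssh_host
# e.g. vnc_over_ssh 5900 remote  (local 5900 -> remote -> remote's own 5900)
vnc_over_ssh() {
    open_tunnel "$1" localhost 5900 "$2" || {
        echo "tunnel not established; is local port $1 free?" >&2
        return 1
    }
    vncviewer "127.0.0.1:$1"   # the client only ever talks to the local tunnel end
    close_tunnel "$2"
}
```

Pick a different first argument (for example `vnc_over_ssh 5901 remote`) when 5900 is already in use on local; the remote side keeps pointing at its own 5900.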

Relatively, but you've switched off the session isolation in X so your client is more vulnerable to attack from the server. Using -X would be better.

symcbean
  • I thought so too at first, but I think he's actually sshing to localhost, which effectively does nothing. – AndrolGenhald Jun 27 '18 at 21:51
  • Also, since he's using Debian derived system using `-X` is the same as `-Y`, since they change the `ForwardX11Trusted` config's default value (see man page). – AndrolGenhald Jun 27 '18 at 21:56
  • Yeah I'm sshing to localhost. I guess I'm actually not doing anything haha. Thanks for your answers! – Joshua Tao Jun 27 '18 at 23:16

Have you considered running your X apps directly instead of using a remote desktop (remmina)? For example, try this command on the local machine:

ssh -X user@remotemachine thunar 2>/dev/null &

That will run the thunar file manager on the remote machine but will display it on the desktop of the local machine as if it were local. It's as secure as your SSH connection. Other file managers include nautilus, dolphin, and krusader.

Of course, the remote SSH server must be configured to allow X11 forwarding.