[mythtv-users] Is there interest for a couple very short
jeff at intersystems.com
Fri Mar 26 11:14:09 EST 2004
Friday, March 26, 2004, 7:01:02 AM, Chris Strom wrote:
> On Thu, Mar 25, 2004 at 08:34:59PM -0700, Nowhere wrote:
>> I am somewhat new to Linux and I just secured my Mythweb with a password
>> so that I can safely pass the port through my router and access it from
>> the internet. I know for the experienced Linux users out there it's a no
>> brainer but I had to read up how to do it. Anyone want me to write up a
>> short HOWTO on this?
> Call me paranoid, but I don't regard this as "safe". The
> username/password are sent in clear text. Unless you're using something
> like /etc/hosts.allow or additional apache configuration, anyone can
> access the resource. I accomplish the same thing via SSH tunnel.
> The only port that I have opened is for SSH (and for that I only allow
> two IP addresses access, set both in the firewall and in
> /etc/hosts.allow). I use SSH port forwarding to access the various net
> resources, including mythweb on my apache server:
> remote-host $ ssh -L 10080:localhost:80 my-home-ip-address
> To access mythweb I then open the following URL in my browser:
> Port forwarding sends all requests to port 10080 on remote-host (e.g. my
> work computer) to port 80 of my mythbox. It's all encrypted by the SSH
> connection and the security administration is easier (read more secure).
> If your SSH box and mythbox are different, then simply:
> # Note the change in the argument to the -L switch
> remote-host $ ssh -L 10080:mythbox:80 my-home-ip-address
SSH, see www.openssh.org, is what you want to use for this.
If you need to connect to it from a Windows box then something
like PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/
can provide the keys and set up tunnels for you. PuTTY also
includes PSFTP for using FTP over an SSH connection. You can't
simply set up a tunnel for FTP because there are 2 connections.
The easiest way to set this up is to configure your firewall to
forward the SSH port to your mythbox and run sshd on your mythbox.
Then when you connect via the tunnel you'll be sending requests to
the mythbox directly.
VNC and MythWeb (http traffic) can both run over tunnels.
In /etc/ssh/sshd.conf disable password authentication, list the
user or users which are allowed to connect (AllowUsers) and only
accept SSH2 connections (Protocol 2). See the man page for sshd_config(5)
(http://tinyurl.com/2ghvs) for other fields which you may want to set.
The one tricky part which I can't remember the command for is
after you generate your key pair on the client (e.g. PuTTYgen)
you copy the public key to the server. There is an ssh command that
reads the public key file and generates a .ssh/authorized_keys
entry. You don't just paste the public key into this file.
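
The three sshd settings listed in the message above (password authentication off, an AllowUsers list, Protocol 2) can be checked with a short audit script. This is an added example, not part of the original post; the sample config, the user name `mythuser` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config for the three
# settings the post names. Assumes whitespace-separated "Keyword value" lines
# and an OpenSSH old enough to need "Protocol 2" (later releases dropped v1).

# first_value KEYWORD FILE: print the first global value set for KEYWORD.
# sshd keeps the first value it reads, and keywords are case-insensitive.
first_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match" { exit }     # audit global settings only
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# audit_sshd FILE: print one line per finding; exit status 1 if any.
audit_sshd() {
    rc=0
    pw=$(first_value PasswordAuthentication "$1" | tr 'A-Z' 'a-z')
    [ "$pw" = "no" ] || { echo "PasswordAuthentication: ${pw:-unset}, want no"; rc=1; }
    users=$(first_value AllowUsers "$1")
    [ -n "$users" ] || { echo "AllowUsers: unset, want an explicit user list"; rc=1; }
    proto=$(first_value Protocol "$1")
    [ "$proto" = "2" ] || { echo "Protocol: ${proto:-unset}, want 2"; rc=1; }
    return "$rc"
}

# Constructed sample: the commented line and the later duplicate do not count.
sample_config() {
    cat <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
AllowUsers mythuser
passwordauthentication no
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd "$tmp" || echo "=> fix the lines above, then reload sshd"
rm -f "$tmp"
```

On the sample it reports the password setting and the missing Protocol line; point `audit_sshd` at the server's own config file to check a real host.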