Setting up Secure SSH, X11 Forwarding and VNC on CentOS

I’m more of an Ubuntu fan personally but one of the people I work with wants to use the Red Hat.  So instead of asking our boss for $800 I decided to opt for CentOS, same binaries so I’m hoping it will work.  These instructions will get you started with remote control for your CentOS server.

We’ll configure three types of “remote access” for various use cases.

  1. SSH
  2. X11 Forwarding
  3. VNC

I am not a sysadmin purist so I don’t care about sysadmins who say that servers don’t need GUIs.  This server is for a wide range of users and needs to support varying comfort levels with Linux based systems.

Step 1 – Configuring SSH

After I got CentOS 7 installed I opened up the ssh config. Security is a big concern for this system as the previous Windows installation on the server had been hacked and used maliciously. Since our company doesn’t have any full time sys admins I want to make sure that it’s as secure as possible.

sudo nano /etc/ssh/sshd_config

I first wanted to check to ensure that it didn’t allow ssh with a password. It was enabled by default so I turned it off for security reasons. I also wanted to set up X11 for remote access since I’d be administering this thing from Wisconsin while the server will be in St. Louis. Doing things like limiting users, changing the standard ssh port and using public/private key authentication all harden the system.

PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
AllowUsers myself myCoworker
Port 22XXXX

Since we’ve changed the port, make sure to add an entry for the port you’ve specified in the firewall rules, in the permanent section.

GNOME has a Firewall Configuration in Applications > Sundry > Firewall

We’ll need to tell SELinux about the new port, since it only lets sshd bind to ports labelled ssh_port_t (if semanage is missing, it comes from the policycoreutils-python package), and then restart the sshd service.

sudo semanage port -a -t ssh_port_t -p tcp 22XXXX
sudo service sshd restart
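As an added example (not part of the original post), here is a small shell check for the sshd_config settings from Step 1. The two sample configs it audits are constructed inline, and the port 22222 in them is a made-up value standing in for the 22XXXX above.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings Step 1 applies. sshd takes the FIRST occurrence of a directive, so a
# hardened line appended below an earlier weak one changes nothing; this check
# follows the same rule. Match blocks and "Key=value" syntax are not handled.

# effective_value FILE DIRECTIVE DEFAULT -> first uncommented value, else DEFAULT
effective_value() {
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s' "${v:-$3}"
}

# audit_sshd_config FILE -> returns 0 if every setting matches the post, 1 otherwise
audit_sshd_config() {
    rc=0
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: password logins still allowed"; rc=1; }
    [ "$(effective_value "$1" X11Forwarding no)" = yes ] ||
        { echo "FAIL: X11Forwarding is off, forwarded apps will not display"; rc=1; }
    [ "$(effective_value "$1" Port 22)" != 22 ] ||
        { echo "FAIL: sshd still listens on port 22"; rc=1; }
    [ -n "$(effective_value "$1" AllowUsers "")" ] ||
        { echo "FAIL: AllowUsers unset, every account with a key may log in"; rc=1; }
    return $rc
}

# Constructed sample configs (not real files from any server)
WEAK=$(mktemp); HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
# someone appended the hardening at the bottom, but the first line wins
PasswordAuthentication yes
Port 22
PasswordAuthentication no
EOF
cat >"$HARD" <<'EOF'
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
AllowUsers myself myCoworker
Port 22222
EOF

echo "== weak config ==";     audit_sshd_config "$WEAK" || echo "-> rejected"
echo "== hardened config =="; audit_sshd_config "$HARD" && echo "-> OK"
```

To check a live server, run it against /etc/ssh/sshd_config (or, better, against the output of `sshd -T`, which already resolves defaults and Match blocks).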

Now that my sshd_config is ready I’ll need to generate some security keys so that we can ssh to it.

For X11 and SSH on Windows I prefer to use MobaXterm.  On the client you wish to connect from we need to generate some RSA keys.

Open up MobaXterm go to Tools > SSH Key Generator

Generate a new key pair for yourself and save the keys.  I always recommend copying the raw public key into a text file so you can paste the contents if necessary.  OpenSSH will complain if the format of the key isn’t what it likes.

Put the key on a jump drive and pop it in the server.  Then append the public key to your authorized_keys file.

cd /the_location/of_the/jump_drive/
mkdir ~/.ssh
chmod 700 ~/.ssh
cat public_key.txt >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
restorecon -Rv ~/.ssh

Make sure you delete the key file after you’ve concatenated it.

Now we test our SSH connection from the client.  Open up MobaXterm and create a new SSH connection.  Specify the IP of the server, the user name you’ve allowed in the SSH config, the port you specified in the SSH config, and use the private key you generated in the Advanced SSH settings tab.  Leave X11 forwarding and compression enabled.  If you’re having trouble connecting, check whether your router or an additional firewall is blocking the port you specified.

Step 2 – X11 Forwarding – Running Applications Remotely

For those more familiar with Windows, X11 forwarding is similar to the concept of Remote Desktop but a little different.  With X11 you can run not only the “GNOME” desktop but also individual applications if you choose.  So if you have an installer you want to run, you can simply execute the installer application without the burden of running a “Desktop” over the connection.

Once you’ve successfully connected via SSH it’s time to configure X11.

First make sure your OS is up to date… this could take a while… If your OS isn’t updated you might have conflicts trying to install the “X Window System”.

su root
yum update
yum groupinstall "X Window System" "Desktop" "Fonts"

Once your OS is up to date and you have the X Window System installed you should be able to run things like “gedit” from MobaXterm and use the application remotely by simply typing in the name of the application.

X11 can be a bit slow if you plan to use the desktop a lot like a Windows admin would, so next up we’ll set up VNC.

Step 3 – VNC

X below represents your desired display number; the VNC port is an offset from 5900, so display :X listens on port 590X.

su root
yum install tigervnc-server xorg-x11-fonts-Type1
cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:X.service
nano /etc/systemd/system/vncserver@:X.service

Replace all instances of <USER> with the user name for the connection; there will be two of them.

Update the firewall to allow the connection in a similar way as earlier.

Start the server as the user…

vncserver

Set a password.

Now reload the daemon as root, start the service and set it to run on startup.

su root
systemctl daemon-reload
systemctl start vncserver@:X.service
systemctl enable vncserver@:X.service

Go to your client and download a VNC client if you don’t already have one.

Now before you go connecting to your server note:
THIS VNC CONNECTION IS NOT ENCRYPTED

So let’s set that up ;)

Open up MobaXterm and click “Tunneling”

  • Create a new tunnel.
  • Local port forwarding
  • Local Port  = 5900
  • SSH Server = Server IP, username, and SSH port set above
  • Remote Server = Server IP and Port assigned to VNC user. (the 590X one…)

Now start your tunnel.  Then open up VNC Viewer and use localhost:5900 as your destination.

VNC will complain that this is an “unencrypted” connection, but it’s not ;) The viewer only sees the localhost leg; everything that leaves your machine travels inside the SSH tunnel.

You are now ready to rock and roll!
