
Terminal server for 1C using VNC + SSH on Fedora 8.

Actually, this is an instruction for myself, so that the next time I need to set up such a thing I do not tear my hair out and think again: “I should have written everything down when I did it last time” ... But maybe it will come in handy for someone else ... I absolutely do not claim that this is an absolutely correct solution or that it has to be done this way; moreover, I will only be happy to get objective criticism ... I just did it and decided to write it down ...
So, one day the following task was set before me:
it is necessary that users of the remote office be able to connect to 1C in our office ...


We have:
The server runs Fedora 8 (I’ll say right away, I’m a supporter of RedHat OSes) with X (in fact, X is hardly used, all the work is done in the terminal + mc, but it is just more convenient for me to have X on the server); it is the gateway for the office local network (IPTables).
Clients in the remote office: Windows XP Professional with Internet access.

So step 1: configure ssh.
The first thing to do is install the OpenSSH package, which is pretty simple:
yum install openssh
Unfortunately, I cannot show the logs of all this, because the system is already set up and I’m writing this post after the fact =)
After installation, open /etc/ssh/sshd_config and start editing it.
In our case, authentication will use a public key and we will not accept any other type of authentication. The main parameters that must be specified:

1) Network settings: IP address and port that OpenSSH will listen on. In my case, ssh will listen on port 22 on the IP address of the local network and on the external IP.

Port 22
ListenAddress 192.168.0.1
ListenAddress xxx.xxx.xxx.xxx

2) ssh parameters: protocol version (1 or 2) and HostKeys. We will only use protocol version 2, so we specify the following settings:

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

3) Authentication parameters (various parameters like time or number of authentication attempts, I will not consider). So, it is necessary to prohibit all types of authentication, except for authentication using the public key. And also prohibit authentication for the root user.

PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no
UsePAM no

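4) Port tunneling parameters. In this case we will not use X11 forwarding but simply use ssh as a tunnel for port 5901, so the parameters relating to X11 forwarding can be left alone; the main thing is that port forwarding is enabled. Forwarding of TCP ports is controlled by AllowTcpForwarding (enabled by default); PermitTunnel only governs tun device forwarding and is not needed for this setup.

AllowTcpForwarding yes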


I left the remaining parameters by default.
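
A way to check that a finished sshd_config really enforces the key-only policy from steps 2) and 3), as an added example that is not part of the original post. The function names and the sample config are constructed for the illustration, and the fallback values for absent keywords are the defaults assumed for the old OpenSSH generation this post targets.

```shell
#!/bin/sh
# Added example (not from the original post). The sample config is constructed.

# Effective global value of a keyword: sshd uses the first occurrence and
# keywords are case-insensitive; parsing stops at the first Match block.
sshd_value() {                      # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Compare a config with the policy from the post. Rule format is
# keyword:required:value-assumed-when-absent (the last field is an assumption).
audit_sshd_config() {               # $1 = config file; prints one line per finding
    findings=0
    for rule in Protocol:2:2,1 PasswordAuthentication:no:yes \
                PermitRootLogin:no:yes PubkeyAuthentication:yes:yes \
                PermitEmptyPasswords:no:no HostbasedAuthentication:no:no
    do
        key=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; dflt=${rest#*:}
        got=$(sshd_value "$1" "$key")
        [ -n "$got" ] || got=$dflt
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective '$got', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: PermitRootLogin was forgotten, and the "no" for
# passwords comes after an earlier "yes", so it has no effect.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
audit_sshd_config "$sample_cfg" || echo "sample config does not match the policy"
```

On a live server the same function can be pointed at /etc/ssh/sshd_config before restarting sshd.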

So, the ssh server is almost set up, it only remains to do a couple of things.
1) Create a key pair for the desired user. This is done with the ssh-keygen command. It accepts a large number of options, such as key length, key type, host name, etc., but even with the default options, if you do not need especially high security, you get a perfectly safe key. I generated the key as follows:

ssh-keygen -t rsa

When generating the key, you will be asked for a password (passphrase) that will be needed to use the key in the future. By default, the keys id_rsa and id_rsa.pub are saved in the ~/.ssh folder. The private part of the key (id_rsa) must be moved to the host from which remote access will be performed.

2) Copy the PUBLIC part of the generated key to the file ~/.ssh/authorized_keys, for example:
cat id_rsa.pub >> authorized_keys
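
The copy step above written as a repeatable function, as an added example that is not part of the original post. It sets the permissions that sshd's StrictModes check expects, refuses a private key passed by mistake, and does not add the same key twice; the function name and the key text are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). The key below is a constructed
# placeholder, not a usable key.

# Append a public key to <home>/.ssh/authorized_keys exactly once, with modes
# that leave no group/world write access (sshd StrictModes rejects that).
install_pubkey() {                  # $1 = public key file, $2 = user's home directory
    pub=$1 dir=$2/.ssh ak=$2/.ssh/authorized_keys
    # Accept only a single "type base64 [comment]" line.
    [ "$(wc -l < "$pub")" -le 1 ] ||
        { echo "not a single key line (private key?): $pub" >&2; return 1; }
    grep -Eq '^ssh-(rsa|dss|ed25519) [A-Za-z0-9+/=]+( .*)?$' "$pub" ||
        { echo "not a public key: $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    # Idempotent: add the line only if this exact key is not authorized yet.
    grep -qxF -e "$(cat "$pub")" "$ak" || cat "$pub" >> "$ak"
}

# Demonstration in a throwaway directory standing in for /home/user1.
demo_home=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEYDATA user1@remote-office' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # second run adds nothing
```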

That's it, the configuration of the OpenSSH server is finished; it remains to start it:
/sbin/service sshd start
And at the same time, so as not to start it manually after reboots:
chkconfig sshd on


After that, you can test the operation of our server. Connect from the local network using PuTTY.

First, using the puttygen utility, you need to convert our private key into PuTTY format:
1) Run puttygen.
2) Choose Conversions -> Import key and specify our private key.
3) After entering the password, a window with key parameters will open, where you need to select “Save private key” and save the key version for PuTTY.

After converting the key, run PuTTY to connect.
In the settings you must specify:
1) On the Session tab, the IP address of the server to which we are connecting and the port (if a port other than 22 is used).


2) On the SSH-> Auth tab, in the “Private key file for authentication” field, specify the path to our key:


After that, you can safely click Open. And ... here it is, remote access.



Step 2: The next thing we need to configure is the vnc server.

1) Installation (nowhere is easier):
yum install vncserver

Customization is also surprisingly simple:
2) Start vncpasswd and set a password to access your terminal server
3) Describe the vnc servers to run in the /etc/sysconfig/vncservers file:
To configure the terminal server, you must specify the users whose desktops will be served. In this case, we configured 2 terminal servers to access the desktops of user1 and user2. By default, the first one will be available on port 5901, the second on 5902. In the VNCSERVERARGS lines, we set the necessary options for each of the servers. In this case:
-geometry - screen resolution.
-nohttpd - do not start the HTTP server that vnc starts by default. (Otherwise, it will be possible to connect to the desktop by typing server-name:590x in the browser.)
-localhost - allow connections only from localhost, that is, you will not be able to access the desktop remotely (but since we first connect to the server via ssh, vnc will see our connection as local).
VNCSERVERS="1:user1 2:user2"
VNCSERVERARGS[1]="-geometry 800x600 -nohttpd -localhost"
VNCSERVERARGS[2]="-geometry 1280x1024 -nohttpd -localhost"

4) Start the service:
/sbin/service vncserver start
And so that it also starts at boot:
chkconfig vncserver on
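
A check that every display listed in the vncservers file is actually restricted as described in step 3), as an added example that is not part of the original post. It also catches a display that was added to VNCSERVERS without any VNCSERVERARGS line; the function name and the sample file are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The sample file is constructed.

# Report every display in VNCSERVERS whose VNCSERVERARGS lacks -localhost or
# -nohttpd. The file is parsed as text rather than sourced, so nothing in it
# gets executed by the check.
check_vncservers() {                # $1 = path to a vncservers file
    bad=0
    servers=$(sed -n 's/^VNCSERVERS="\(.*\)"$/\1/p' "$1")
    for entry in $servers; do
        disp=${entry%%:*}; user=${entry#*:}
        args=$(sed -n "s/^VNCSERVERARGS\[$disp\]=\"\(.*\)\"\$/\1/p" "$1")
        for opt in -localhost -nohttpd; do
            case " $args " in
                *" $opt "*) ;;
                *)  echo "display :$disp ($user, port $((5900 + disp))): missing $opt"
                    bad=$((bad + 1)) ;;
            esac
        done
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: display 2 lost -localhost, display 3 has no args line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
VNCSERVERS="1:user1 2:user2 3:user3"
VNCSERVERARGS[1]="-geometry 800x600 -nohttpd -localhost"
VNCSERVERARGS[2]="-geometry 1280x1024 -nohttpd"
EOF
check_vncservers "$sample" || echo "at least one display is not restricted to the ssh tunnel"
```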


We can try to connect to the desktop of the required user.

1) First you need to configure port tunneling in putty. To do this, on the SSH-> Tunnels tab, specify the local port number and the destination to which this request will be forwarded. We specify the address 127.0.0.1, since we allowed connection to vnc only from localhost.


2) After that we can connect using the vnc client. For Windows, there are several different vnc clients. Personally, I prefer TightVNC, in my opinion the best among free vnc clients.
In the vnc startup window, specify the VNC server: 127.0.0.1:x , where x is the port number to which the connection is made.



Vncserver will ask for the username and password that we set with the vncpasswd command when setting up the server.



So:



For greater security, port 22 was opened in IPTables for only two IP addresses: the administrator's in the local network and the remote office's. For those who have set up IPTables, I think there is nothing difficult in this, and a single rule on its own is no warrior. But just in case:
iptables -A INPUT -p tcp --dport 22 -s xxx.xxx.xxx.xxx -j ACCEPT

The remote server is configured; it remains to configure 1C. The setup is described in sufficient detail at http://ru.wikibooks.org/wiki/LOR-FAQ-Wine . However, if you want to use the network version of 1C, ordinary Wine will not work ... In any case, I have not come across a single case where anyone succeeded. Therefore, the easiest way is to spend 2000 rubles (1700 is written on the site, but in fact + VAT = 2006) and buy WINE@Etersoft Network Lite. It is extremely easy to configure, so I will not describe it. The final result:

Source: https://habr.com/ru/post/39045/

