this post was submitted on 15 May 2024
22 points (95.8% liked)

Linux

48008 readers
921 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Problem: I want to remotely access my computer from untrusted computers like on friends house or at work.

Looking for: Remote desktop software (SSH is out of scope, as it could do commands in the background). Client should work in the browser or have portable binaries. Server should send some soft of 2FA before every connection without a way to remember it, so I could be safe in a case of a keylogger snooping on connection password. Not nessesary, but would be nice to have some sort of rate limiting for the inputs, so it won't be possible for some rubber-ducky style script to open terminal and run command before I could react.

top 10 comments
sorted by: hot top controversial new old
[–] [email protected] 12 points 5 months ago (3 children)

Honestly, it sounds like you want ssh.

[–] [email protected] 10 points 5 months ago* (last edited 5 months ago)

I'm not saying this to be smug, everything you listed here is things ssh can do if configured to do so... 2FA can be configured in various ways via PAM (namely yubikey being the superior method, but the possibilities are limitless). Banning non interactive shells can be done with something along the lines of:

ForceCommand    if [ "$SSH_ORIGINAL_COMMAND" ]; then echo "this server rejects non-interactive ssh usage" >&2; exit 1; else exec "$SHELL" -i; fi

Rate limiting is achievable via iptables/nftables.

[–] [email protected] 3 points 5 months ago (4 children)

No, because with remote desktop (GUI or terminal) I would clearly see if something other than my instructions is being done. I would see someone else typing or moving stuff around. With SSH malware on the client device can open second session/tty and do things there or simply write a command very fast and click enter before I can react.

[–] [email protected] 15 points 5 months ago

If you're genuinely worried about this, you shouldn't be using untrusted machines for remote access.

[–] [email protected] 10 points 5 months ago* (last edited 5 months ago)

If you're RDPing from a malicious client, how do you know what you're seeing is real? How do you know that your viewer didn't show the same screen for just a little too long while the host popped up a cmd, curl, run, close, continue in the background? How do you know that closing your session isn't "forwarding it to someone else for a bit, but they'll close it when they're done"? One time you start a session, verify it with your phone, waiting waiting waiting, an error occurred try again. Did it fail, or did it go to someone else?

[–] [email protected] 8 points 5 months ago

Malware attacking vulnerability in whatever third party software you end up using is far more likely. You can't open a second tty with an existing SSH session, you'd have to authenticate again, which would require the 2FA. Using a GUI isn't going to prevent "doing something very fast" and like I said you can rate limit ssh using nf/iptables if you think that's helpful. I'm not sure what you are referring to when you say "terminal", because that's normally what is referred to as a tty.

[–] [email protected] 0 points 5 months ago

All your concerns are true of remote x sessions and while I’m not familiar enough with Wayland to defend this claim, I’d bet they are true of remote Wayland sessions too.

The old way of doing a secure remote x session was by tunneling it through ssh. When I needed remote desktop reachable anywhere I used passwordless 2fa ssh as the tunnel.

How exactly were you planning on initiating this connection to the host machine from an untrusted client, using their binaries?

[–] [email protected] 1 points 5 months ago
[–] [email protected] 9 points 5 months ago* (last edited 5 months ago)

RustDesk sort of fits the bill. It's open-source, has 2FA, can be self-hosted (but not needed), the client runs on anything, but the main issue here is that no amount of workarounds will make an untrusted machine any less untrusted, you're essentially extending the display and input from a dubious machine into your own.

If you're really worried about the security aspect, my suggestion would be to only use your phone as the client, and if you need to do anything more complex, use a Bluetooth keyboard connected to it. There are some foldable keyboards that don't take too much space and are not terrible.

[–] [email protected] 6 points 5 months ago

Apache Guacamole might be a good option. "Clientless" (browser-based), supports various mfa, uses ssh/vnc/rdp on the backend.

However, if the data on that machine is sensitive, or if that machine has access to other sensitive things on your network, I'd suggest caution in allowing remote access from untrusted machines on the wider internet.