  sempergoofy Premium join:2001-07-06 Smyrna, GA
Supporting my elderly mom's Linux
I recently bought my 84 year old mom an Asus EeePC 1000HA netbook and installed OpenSuSE 11.1 on it. Mom has gotten a bit too feeble to make it easily back to her windoze desktop system, so I will be dropping in a wireless router at her place so she can sit in her favorite chair and do email and websurfing (her two primary needs) without getting up. Not positive this plan is going to work yet, but I intend to put it in her hands over the July 4 weekend.
I've been struggling with how I could most easily and effectively support mom on this system from my home which is an hour drive away. In other words, I'm her help desk.
Network background: Her DSL service provides her with a dynamic (not static) TCP/IP address. I put in a Linksys BEFSR41 router some years ago. Occasionally, when she needs some problem help with her windoze tower system, I guide her by phone through opening up a port (normally closed) on the router so I can use VNC to look at her windows desktop. She would also have to tell me what the current public TCP/IP address was so I could point VNC to it. After I'm finished, we close the port again for better security.
My DSL service provides me with a static IP address, though that does not play much in this discussion.
So, as I was prepping the new Asus netbook, I first worked on setting up an OpenVPN connection between the netbook and a Linux system at my house. Fairly simple, with the only "hard" part being able to determine her dynamic public TCP/IP address. This can be managed easily enough by using dyndns.org and DDNS using the new Linksys WRT54G2 router I will be putting in. Naturally, the ports used by OpenVPN would have to be forwarded by our respective routers to our respective systems behind our routers.
But then I thought that OpenVPN was overkill for this problem. So I switched to this plan. Instead of an OpenVPN connection, I would just use SSH. I changed SSHD on her system to listen on a different (high numbered) port than the default port 22. In my setup lab, I told the new WRT54G2 to forward that port number to the static IP address I have assigned the wireless NIC in the Asus netbook.
To use VNC to see her desktop on the netbook, I tested this technique. From my Linux system here:
Then in a second terminal window on my Linux system here:
This seems to work well. I can see and control her desktop from my system. Naturally, if I do not want to see her desktop, I can also ssh in without the added x11vnc command invocation and do as I please from the terminal ssh session.
The question is, am I missing something here? A better way given the needs? I am presuming that only the port number I have specified for SSHD in the netbook's firewall is a risk, and I moved it from the well-known 22 to a higher number. That's just security by obfuscation, but might slow down the script kiddies. The root and her userid's Linux passwords are non-trivial.
I hate having an open/forwarded port on her router all the time, but I'm tired of leading her through the procedure of opening it when there is a problem so I can see her system. I don't see a way around it this time. I have a slightly better comfort level that while she is connected using the netbook that anybody trying to penetrate would fail in the face of it being a Linux system (in contrast to a windoze system).
-- nohup rm -fr /&
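The two-terminal procedure described above (ssh in on the high port with a local forward, start x11vnc, then point a VNC viewer at the local end of the tunnel) as one wrapper script. This is an added example, not the commands from the original post; the DynDNS host name, the sshd port, the user name on the netbook and the TightVNC-style `host::port` viewer syntax are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the two-terminal VNC-over-SSH
# procedure in one script.  Assumed placeholders: the netbook's DynDNS name,
# the high sshd port chosen for it, and the user name on the netbook.

# Reject anything that is not a usable unprivileged TCP port number.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# The ssh command that carries the session.  -L maps a local port onto the
# netbook's loopback, and x11vnc -localhost binds only to 127.0.0.1 on the
# netbook, so the VNC service is reachable through this tunnel and nowhere
# else.  -once makes x11vnc exit when the viewer disconnects.
# Arguments: host port user local-port
tunnel_cmd() {
    printf 'ssh -p %s -L %s:127.0.0.1:5900 %s@%s x11vnc -localhost -display :0 -rfbport 5900 -once' \
        "$2" "$4" "$3" "$1"
}

# Viewer side: connect to the local end of the tunnel (TightVNC-style
# host::port syntax is assumed here).
viewer_cmd() {
    printf 'vncviewer 127.0.0.1::%s' "$1"
}

# Usage: vnc_support.sh <dyndns-host> <ssh-port> <user> [local-port]
main() {
    host=$1 port=$2 user=$3 lport=${4:-5901}
    if ! valid_port "$port" || ! valid_port "$lport"; then
        echo "port must be 1024-65535" >&2
        return 2
    fi
    # Background the tunnel/x11vnc, give it a moment, then attach the viewer.
    $(tunnel_cmd "$host" "$port" "$user" "$lport") &
    sleep 3
    $(viewer_cmd "$lport")
    wait
}

# Only run when invoked with arguments; sourcing the file just defines functions.
if [ $# -ge 3 ]; then
    main "$@"
fi
```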
 pandora Premium join:2001-06-01 Outland
At 84 if she is used to Windows, it may be better to provide her with something she can be comfortable with. Linux is fine for those who want it, but most of the world is still Windows. If she gets a digital camera, or goes to a website that needs to run IE, she will be lost. Some sites, like cvs.com can have issues with some browsers. It wasn't long ago that Opera didn't work with the CVS website at all.
You may wish to see where she goes, and verify that it all works to her satisfaction. She may need some accessibility features enabled too. Does her version of Linux and browser have accessibility features, can she comfortably enable and set them? -- "People demand freedom of speech as a compensation for the freedom of thought which they seldom use."
  sempergoofy Premium join:2001-07-06 Smyrna, GA
Excellent question, but not related to the security/support issue.
Mom uses Firefox and Thunderbird on windows (thanks to me), and will use the same on Linux. I'll migrate any bookmarks and email folders to the Linux system for her. Likely she'll never know a difference since they are the same programs she is used to. She is not a power user. I put a great big Thunderbird application launcher on the desktop for her like on windows. Already was one for Firefox. I set her desktop to not use the KDE transparent dashboard. I also installed VLC on the system so that if anybody sends her a .wmv video or similar, it's ready to go and she can view it. -- nohup rm -fr /&
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
reply to sempergoofy: I suggest that you create a public/private key pair, and test using that for logins with ssh. When you have that working, configure sshd so that only public key authentication is allowed. That gives additional security to the use of ssh.
And yes, you should be able to do most administration via an ssh connection.
If you are running your own linux system, with any kind of accessible service (apache, sshd, etc), you could have crontab on your mother's system automatically connect to your system every 15 minutes. It doesn't have to do anything after connecting, other than disconnect. That will leave you a trail of IP address changes in your logs, and you will have a good chance of having the current IP on hand. -- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11
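The crontab "phone home" beacon suggested above, together with a small parser that recovers the netbook's current public IP from the home server's sshd log. This is an added example, not code from the post; the key path, port, account name, host name and log location are placeholders, and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: the crontab "phone home" beacon
# suggested above, and a parser that recovers the netbook's current public IP
# from the home server's sshd log.  Key path, port, user, host and log path
# are placeholders; the log lines below are constructed for this example.

# Crontab entry for the netbook: every 15 minutes, log in to the home server
# with a dedicated key and run nothing but 'true'.  BatchMode stops ssh from
# ever prompting, and ConnectTimeout keeps hung jobs from piling up while her
# DSL is down.  Restrict that key in the server's authorized_keys (for example
# command="true") since it lives unattended on the netbook.
# Arguments: key-path port user host
beacon_cron_line() {
    printf '*/15 * * * * ssh -o BatchMode=yes -o ConnectTimeout=20 -i %s -p %s %s@%s true >/dev/null 2>&1' \
        "$1" "$2" "$3" "$4"
}

# Source address of every successful key login by the beacon account, oldest
# first (openSUSE writes sshd messages to /var/log/messages).
# Arguments: log-file user
beacon_ips() {
    awk -v user="$2" '
        index($0, "sshd[") && index($0, "Accepted publickey for " user " from ") {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
        }' "$1"
}

# Where the netbook is right now.
current_ip() { beacon_ips "$1" "$2" | tail -n 1; }

# Address history with consecutive repeats collapsed.
ip_changes() { beacon_ips "$1" "$2" | uniq; }

# Constructed sample of the server log, so the parser can be tried offline.
sample_log() {
    cat <<'EOF'
Jun 30 10:00:01 homebox sshd[4011]: Accepted publickey for beacon from 203.0.113.7 port 50122 ssh2
Jun 30 10:15:01 homebox sshd[4020]: Accepted publickey for beacon from 203.0.113.7 port 50130 ssh2
Jun 30 10:20:44 homebox sshd[4031]: Failed password for root from 198.51.100.9 port 3344 ssh2
Jun 30 10:30:01 homebox sshd[4044]: Accepted publickey for beacon from 203.0.113.42 port 50141 ssh2
Jun 30 10:31:00 homebox sshd[4050]: Accepted publickey for alice from 192.0.2.5 port 50150 ssh2
EOF
}
```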
ropeguru Premium join:2001-01-25 Bridgeport, WV
reply to sempergoofy: Just a thought... Not sure if it might be good or not...
What I do for my home network is I have a wrt54g running dd-wrt on it. I have it set up so I log into the wrt54g via ssh directly using a public/private key pair and disallow password logins. Once I log into the router I then use port forwarding under putty to get to any ip/port in my network.
You can set up a free DynDns account which will track her IP, do the ssh directly on the router, and use port forwarding on your local ssh client. This way, you can run everything standard on her network and the only open port on the router will be the non-standard ssh port you assign.
i2Fuzzy join:2009-02-25 Cumming, GA
reply to sempergoofy: You could try Hamachi too for a simple VPN with private space IP addresses. -- Ali Fazel i2Telecom Representative
  sempergoofy Premium join:2001-07-06 Smyrna, GA
reply to nwrickert
said by nwrickert: I suggest that you create a public/private key pair, and test using that for logins with ssh. When you have that working, configure sshd so that only public key authentication is allowed. That gives additional security to the use of ssh. And yes, you should be able to do most administration via an ssh connection. If you are running your own linux system, with any kind of accessible service (apache, sshd, etc), you could have crontab on your mother's system automatically connect to your system every 15 minutes. It doesn't have to do anything after connecting, other than disconnect. That will leave you a trail of IP address changes in your logs, and you will have a good chance of having the current IP on hand.
Good idea! Will try to do that.
Supporting OpenSuSE remotely via SSH is something I have done quite a bit of (except for VNC). Invoking Yast after logging in as or switching to root is easy.
Good idea on the crontab, too. But I reckon the dyndns.org solution is easy and free and the router seems to support it. -- nohup rm -fr /&
  cgeek5467 cleckjr
join:2003-08-30 Trenton, NJ
reply to sempergoofy: The ssh public/private key pair would be my recommendation too, as has already been suggested.
On top of that, I'd suggest installing DenyHosts (»denyhosts.sourceforge.net/) which will add hosts to the /etc/hosts.deny file after so many invalid attempts to hack in.
  sempergoofy Premium join:2001-07-06 Smyrna, GA
Thanks for the DenyHosts suggestion. I installed it. Was simple when I went to »en.opensuse.org/Denyhosts and then selected the link for 11.1 on the right side of the page. Hit the install button and it invoked Yast and temporarily added a repository to pull a version already set to rock and roll with OpenSuSE 11.1. So I did not have to customize where the logs were, etc. Just verified settings were acceptable in the /etc/denyhosts.conf it added and then hit the run-level editor to make sure it would start it on subsequent boots.
So it should be more secure if attacked by a brute force attempt now.
I also finished implementing the public/private key pair requirement and root cannot login remotely through ssh any longer. No key, no entry. -- nohup rm -fr /&
Paulg Displaced Yooper Premium join:2004-03-15 Neenah, WI
reply to sempergoofy: I've not had good luck with the dyndns updater built into the linksys firmwares, I ended up walking my dad through installing the updater on his PC after the router-based updater failed for the 4th time. -- Guilty or Innocent? You Decide... »Pub Games
  sempergoofy Premium join:2001-07-06 Smyrna, GA
said by Paulg: I've not had good luck with the dyndns updater built into the linksys firmwares, I ended up walking my dad through installing the updater on his PC after the router-based updater failed for the 4th time.
Hmm. Thanks for the heads up. If it fails on the router I bought for mom then I'll do the same. I can always coach her to use »whatismyip.com/ or get into the router itself if need be. -- nohup rm -fr /&
ropeguru Premium join:2001-01-25 Bridgeport, WV
reply to Paulg: That is why I suggested dd-wrt or maybe even tomato.
  sempergoofy Premium join:2001-07-06 Smyrna, GA
reply to sempergoofy: A small update on this topic, or "how I took careful aim and shot myself in the foot".
I delivered the system to mom yesterday. While I was ok with the security that I had set up, which included a) an encrypted /home filesystem for which you are prompted for the passphrase during boot (in case the netbook was stolen), b) a public key requirement and no password prompts during login using ssh, and c) no remote login for "root" via ssh, things did not work out too well.
Mom is a bit more feeble than I realized. She could not correctly type the encryption passphrase (eight chars and two numbers easily familiar to her) during boot. (Nerve issues with her hands, a little shakiness like Parkinson's.) So /home would not get mounted, and she could not get logged in from the graphical login screen due to absent /home. We practiced enough before I left yesterday that she could get it some of the time, and knew how to restart the system if she failed.
Here's where I shot myself in my foot. Without the /home/$USERID/.ssh/authorized_keys2 directory, I can't get logged in remotely.  I put in keys for her userid and my own. Didn't bother for root since remote login for root is not allowed. Catch-22.
So, my sister who lives closer went over today and got the system up so I could login remotely. I added another luks keyslot passphrase that is a trivial two characters long and changed her userid pw to the same. (Yes, it really weakens the security, but what am I going to do? Don't even suggest having keys on a USB device which is the technical right answer.)
Sister is practicing with mom now to assure she can do the more simple password entry. If she can't, then I guess I'll have to tar up the /home and put it on an unencrypted LVM. And, I guess I need to move my own userid's $HOME directory on some other filesystem so it will be available (maybe /usr).
Edited to add the "$USERID" to the location of the .ssh dir for clarity. -- nohup rm -fr /&
no_one @qwest.net
reply to sempergoofy: I understand the security for logging in remotely. However, if most of what she does is surf and email then even no login password sitting in front of it should be fine. Or is the remote security in linux tied in to the sitting in front of login security? She is not a college student wondering where they last left the laptop or a worker not remembering which job they last used the laptop on. She probably is not running everywhere in the world and if it is stolen just change passwords for any accounts she does do online. I do not know what linux supports but if you really need security and simpler how about fingerprint login or some other type that requires less dexterity.
Security is all well and good but sometimes things are more important.
  sempergoofy Premium join:2001-07-06 Smyrna, GA
Well, two-letter passwords have proven to be an effective barrier for mom.
As soon as sister can get there later in the week, or me on the weekend, so that it can be brought up, I'm taking the encrypted password off the /home filesystem (move to a different LVM volume). And then I'll set it so that her userid logs in automatically.
Any more problems after that, and I'm chalking it up to a nice idea that was beyond her reach.
As for no_one's post, while your points are valid, it is the thought of theft from their home, not loss due to (im)mobility around the world that introduces the desire for some modicum of security. If I could be there to put the needed bullet into a thief, then bare-naked security would be a no-brainer risk. The point is moot for mom now. She can't get a two character password correctly typed today, despite doing it correctly yesterday while sister was sitting with her. Perhaps if it was unmasked she could see and correct. We can't tell what she might be actually typing. We just know what we know. -- nohup rm -fr /&