HowTo: Upload files to FTPS with cURL, Dolphin, and FileZilla

We've discussed setting up secured FTP with FTPS on VSFTP here.  This uses FTPS over port 21 and works well as Passive FTP.  We can connect using KDE's Dolphin and the KIO-Slave ftps://ftpuser:PaSsWoRd@1.2.3.4:21/ where 1.2.3.4 is the IP of the remote machine, ftpuser is the user account, and PaSsWoRd is the password, as we see here:

We can also connect with FileZilla as a setting the Server Type to 'FTPES' (or "Protocol: FTP" and "Encryption: Require explicit FTP over TLS") and Login Type to 'Normal' and using the needed credentials:

If you get an error which reads, "Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server", you need to either get an older version of FileZilla, or change your VSFTP settings to include "ssl_ciphers=HIGH".

Finally, we can upload files non-interactively with cURL using these settings (note this is all one line):

shell#  /usr/bin/curl --ssl-reqd --ftp-ssl-ccc -u ftpuser:PaSsWoRd ftp://1.2.3.4:21/ -v -k -T /home/lefty/testfile.txt

where 1.2.3.4 is the IP of the remote machine, ftpuser is the user account, and PaSsWoRd is the password.

Listing installed packages with Aptitude (to install on another computer)

Debian and Ubuntu machines, and others that use Aptitude, can list their installed packages many ways.  This is my favorite since it only lists the manually-installed packages.  Dependencies, which may change in the future, aren't included on this list which means that Aptitude can do the dependency handling.

First we list the packages and redirect that to a text file named packages.txt (note this is all one line):

root-shell-machine1#  aptitude search '~i' |grep -v "i.A " |awk '{print $2}' > packages.txt

Then we want to copy that packages.txt file to the other machine (I'll let you figure that out).  Once on the other machine, we want to update our Aptitude catalog and then install the listed packages:

root-shell-machine2#  aptitude update
root-shell-machine2#  aptitude install `cat packages.txt`

Debian has KDE 4.7.4 in Experimental repositories; install instructions

Not in the Debian-KDE repos that had 4.7.2, but in the official Debian Experimental repositories, KDE 4.7.4 has been released!  You need to be running Debian Sid to take advantage of this and be aware that these packages aren't fully vetted and may break your world.

First make sure that you're running Sid.  Add these three lines (or similar for your local repos) to the file at /etc/apt/sources.list making sure to adjust if you don't want the non-free packages, etc:

## EXPERIMENTAL aptitude -t experimental install digikam

deb http://debian.uchicago.edu/debian/ experimental main contrib non-free 

deb-src http://debian.uchicago.edu/debian/ experimental main contrib non-free 

Run aptitude update to update the catalog, and then we need to update the system and specify that we want the Experimental packages (for system stability reasons):



shell~$ sudo aptitude -t experimental dist-upgrade
[sudo] password for lefty: 
The following NEW packages will be installed:
  gcc-4.7-base{a} kamera{a} kmenuedit{a} libapt-inst1.4{a} libapt-pkg4.12{a} libboost-filesystem1.48.0{a} libboost-regex1.48.0{a} libboost-system1.48.0{a} libdbusmenu-glib4{a} libexiv2-11{a} libexttextcat-data{a} 
  libmagickcore5{a} libmagickcore5-extra{a} libmagickwand5{a} libopenal-data{a} libopenal1{a} libservlet2.4-java{a} libspandsp2{a} libtiff5{a} libvdeplug3{ab} libwine-alsa-unstable{a} libwine-bin-unstable{a} 
  libwine-cms-unstable{a} libwine-gecko-unstable{a} libwine-gl-unstable{a} libwine-gphoto2-unstable{a} libwine-ldap-unstable{a} libwine-openal-unstable{a} libwine-print-unstable{a} libwine-sane-unstable{a} 
  libwine-unstable{ab} python-pycurl{a} wine-bin-unstable{ab} wine-unstable{ab} 
The following packages will be REMOVED:
  libdbusmenu-glib3{u} libwine-alsa{u} libwine-cms{u} libwine-gl{u} libwine-gphoto2{u} libwine-ldap{u} libwine-print{u} libwine-sane{u} wine-utils{u} 
The following packages will be upgraded:
  apt apt-utils ark bash-completion colord dbus dbus-x11 debian-archive-keyring dolphin dragonplayer exiv2 filelight findutils foobnix freespacenotifier gawk gdb gdbserver git git-man gnokii-common gstreamer0.10-gconf 
  gstreamer0.10-plugins-bad gstreamer0.10-plugins-base gstreamer0.10-plugins-good gstreamer0.10-plugins-ugly gstreamer0.10-pulseaudio gstreamer0.10-x gwenview icedove icedove-dbg iftop ifupdown imagemagick imagemagick-common 
  initscripts{b} jovie juk kate kate-data kate-dbg katepart kcalc kcharselect kde-baseapps kde-baseapps-bin kde-baseapps-data kde-baseapps-dbg kde-config-cddb kde-config-cron kde-plasma-desktop kde-runtime kde-runtime-data 
  kde-runtime-dbg kde-standard kde-style-oxygen kde-wallpapers kde-wallpapers-default kde-window-manager kde-workspace kde-workspace-bin kde-workspace-data kde-workspace-dbg kde-workspace-kgreet-plugins kde-zeroconf kdeadmin 
  kdeadmin-dbg kdeartwork-emoticons kdeartwork-style kdebase-bin kdebase-dbg kdebase-runtime kdebase-runtime-dbg kdebase-workspace-bin kdebase-workspace-dbg kdegraphics-libs-data kdelibs-bin kdelibs5-data kdelibs5-dbg 
  kdelibs5-dev kdelibs5-plugins kdemultimedia kdemultimedia-dbg kdemultimedia-kio-plugins kdenetwork-dbg kdepasswd kdepimlibs-kio-plugins kdepimlibs5-dev kdeplasma-addons kdeutils kdeutils-dbg kdf kdm kdoctools kfind kget 
  kgpg khelpcenter4 kinfocenter klibc-utils klipper kmix kmouth kompare konqueror konqueror-nsplugins konsole konsole-dbg kopete krdc kremotecontrol kscd kscreensaver kscreensaver-xsavers kscreensaver-xsavers-webcollage 
  ksnapshot ksysguard ksysguardd ksystemlog ktimer kttsd kuser kwalletmanager kwrite libakonadi-calendar4 libakonadi-contact4 libakonadi-kabc4 libakonadi-kcal4 libakonadi-kde4 libakonadi-kmime4 libapache2-mod-php5 libcolord1 
  libdbus-1-3 libdbus-1-dev libgadu3 libgcc1 libgfortran3 libgomp1 libgpgme++2 libgstreamer-plugins-base0.10-0 libgstreamer0.10-0 libhsqldb-java libindicate-qt1 libindicate5 libio-compress-perl libkabc4 libkastencontrollers4 
  libkastencore4 libkastengui4 libkateinterfaces4 libkatepartinterfaces4 libkblog4 libkcal4 libkcalcore4 libkcalutils4 libkcddb4 libkcmutils4 libkdcraw-data libkde3support4 libkdeclarative5 libkdecorations4 libkdecore5 
  libkdesu5 libkdeui5 libkdewebkit5 libkdnssd4 libkemoticons4 libkephal4abi1 libkexiv2-10 libkexiv2-data libkfile4 libkholidays4 libkhtml5 libkidletime4 libkimap4 libkimproxy4 libkio5 libkipi-data libkipi8 libkjsapi4 
  libkjsembed4 libkldap4 libklibc libkmbox4 libkmediaplayer4 libkmime4 libknewstuff2-4 libknewstuff3-4 libknotifyconfig4 libkntlm4 libkonq-common libkonq5-templates libkonq5abi1 libkonqsidebarplugin4a libkontactinterface4 
  libkopete4 libkparts4 libkpimidentities4 libkpimtextedit4 libkpimutils4 libkprintutils4 libkpty4 libkresources4 libkrosscore4 libkrossui4 libksane-data libkscreensaver5 libksgrd4 libksignalplotter4 libktexteditor4 libktnef4 
  libkunitconversion4 libkutils4 libkwineffects1abi2 libkworkspace4 libkxmlrpcclient4 libmailtransport4 libmarblewidget12 libmicroblog4 libmpeg2-4 libmudflap0 libnepomuk4 libnepomukquery4a libnepomukutils4 libnewt0.52 
  liboktetacore4 liboktetagui4 liboktetakastencontrollers4abi1 liboktetakastencore4 liboktetakastengui4 libokularcore1 libortp8 libp11-kit-dev libp11-kit0 libplasma-geolocation-interface4 libplasma3 libplasmaclock4abi2 
  libplasmagenericshell4 libpopt-dev libpopt0 libprocesscore4abi1 libprocessui4a libqgpgme1 libquadmath0 libshout3 libsigsegv2 libslp1 libsolid4 libsolidcontrol4abi2 libsolidcontrolifaces4abi2 libstdc++6 libsvga1 
  libsyndication4 libtaskmanager4abi2 libtextcat0 libthreadweaver4 libvde0 libweather-ion6 libwine libxi-dev libxi6 libxine2 libxine2-bin libxine2-doc libxine2-ffmpeg libxine2-misc-plugins libxine2-plugins linux-libc-dev 
  locate make marble marble-data marble-plugins mkvtoolnix mplayerthumbs mysql-common okteta okular okular-extra-backends openvpn oxygen-icon-theme patch perlmagick php5-cli php5-common php5-ldap plasma-containments-addons 
  plasma-dataengines-addons plasma-dataengines-workspace plasma-desktop plasma-desktopthemes-artwork plasma-runners-addons plasma-scriptengine-googlegadgets plasma-scriptengine-javascript plasma-scriptengine-python 
  plasma-scriptengine-superkaramba plasma-scriptengine-webkit plasma-wallpapers-addons plasma-widget-folderview plasma-widget-lancelot plasma-widgets-addons plasma-widgets-workspace pmount python-cupshelpers python-kde4 
  python-newt python-numpy python-software-properties{b} qemu qemu-keymaps qemu-system qemu-user qemu-utils screen software-properties-gtk{b} sweeper system-config-printer system-config-printer-kde system-config-printer-udev 
  systemsettings tcpdump vde2 whiptail wine wine-bin x11proto-input-dev x11proto-randr-dev xkb-data xserver-common xserver-xephyr xserver-xorg-core xserver-xorg-input-evdev{b} xserver-xorg-video-dummy{b} 
  xserver-xorg-video-r128{b} zlib1g zlib1g-dev 
The following packages are RECOMMENDED but will NOT be installed:
  konq-plugins plasma-scriptengines plasma-widget-networkmanagement 
336 packages upgraded, 34 newly installed, 9 to remove and 1 not upgraded.
Need to get 948 MB/953 MB of archives. After unpacking 260 MB will be used.

Watch YouTube videos on Wii in Fullscreen

This holiday I wanted to play a fireplace video on my Wii but the Internet channel and its Opera browser no longer allow fullscreen YouTube videos.  What good is a fireplace if it isn't the full screen?

I've solved this, sorta, but it's not convenient.  First we visit the video we want, using a computer browser, and click on the [Share] button, and then the [Embed] button:

Copy that Embed code and paste it into a text editor so we can just pull out the URL.  From this code:

<iframe width="560" height="315" src="http://www.youtube.com/embed/LIJAsKCLTqc" frameborder="0" allowfullscreen></iframe>

we want just this part (the src= part):

http://www.youtube.com/embed/LIJAsKCLTqc

Now we can either enter that URL/link directly into the Wii's Opera browser, or we can shorten that URL at a place like tinyurl.com

TinyURL was created!

The following URL:

http://www.youtube.com/embed/LIJAsKCLTqc

has a length of 40 characters and resulted in the following TinyURL which has a length of 26 characters:

http://tinyurl.com/bth5wqg

That TinyURL is far easier to type.  Once you've loaded this into your Wii, press the Star button on the screen to bring up your favorites/bookmarks, and then add this as a favorite to not have to type it again!

Did this work for you?  Any suggestions or feedback?  Anyone know how we can force this to be a higher quality than the Wii default?

Sending email from a Debian Web Server

On a Debian server it uses Exim4 for the mailing server; if this is only outgoing mail that is the easiest and we'll just cover that here.  Ubuntu will work similar if it uses Exim4.  Redhat uses Sendmail and will have different setups.

On Debian:

shell#  dpkg-reconfigure exim4-config

Select these options:

Internet server, sending mail directly with SMTP

System Name: set this as whatever you want user@____.com to come from; this will also accept emails for users at that name

Listen to the needed IPs and/or machines

Don't relay, generally

DND Minimal set to No

Maildir format to prevent a single-point-of-failure

Split Config is generally set to No

Test at a command line with:

shell#  mail -s "Subject" yourname@realemail.com [enter]

something something

[ctrl][d]

[enter]

shell#

See current mail queue with:

shell#  mailq

Run current queue with:

shell#  runq

With a bit more manual setup, we can also accept user+tag@domain.com type emails.

FTPS with VSFTP

FTP (File Transfer Protocol) is an older networking protocol to, you guessed it, transfer files.  Due to the way FTP works, there is a 'data channel' and a 'command channel'.  The Command Channel runs on Port 21 and is used to pass information about the session, while the Data Channel is where the file transfer actually happens.

Due to this two-channel setup, the inherent insecurities of a non-encrypted data stream, and the complexities of a Firewall and the NAT system and whatnot, FTP is slowly being replaced by SFTP which uses a single port (22) and the SSH protocol to transfer files.  But since SFTP isn't everywhere (especially on Windows machines), FTP is still needed.

Let's add some more complexities: Active vs Passive FTP.  In Active FTP, the Data Channel is on Port 20 and it is initiated by the FTP Server.  This is nice because the Server's firewall has a known port (port 20) that needs to be opened.  Unfortunately, this requires the client's firewall be wide open to listen for that incoming connection, which may be blocked.  Some firewalls will expect these connections, however, and permit the access.

Passive FTP, on the other hand, has the client initiate the data connection.  This works to not open wide the firewall on the client network, but requires that the FTP Server's firewall has holes.  Since the server will only be set up once for multiple clients, this can be a better method than expecting everyone to open their firewall.

An issue with Passive FTP behind a firewall, however, is that the server is initiating the connection using its own, private IP.  With normal FTP, apparently the firewall may rewrite these packets.  But with FTPS, which is secured using an SSL certificate, this data is encrypted and the firewall cannot make those packet changes.

VSFTP on Debian GNU/Linux allows us to set up Passive FTP on a NAT system with FTPS (or FTPES, meaning "explicit SSL" which is Port 21 still.  There is also FTPS on port 990, which uses implicit SSL, and this HowTo doesn't cover that.)

First install VSFTP:

# aptitude update# aptitude install vsftpd

Now we'll make a self-signed SSL Certificate:

# mkdir /etc/vsftpd# cd /etc/vsftpd# openssl req -new -x509 -days 9999 -nodes -out vsftpd.pem -keyout vsftpd.pem

Answer the questions and when you're done you'll have a file named /etc/vsftpd/vsftpd.pem

Edit the /etc/vsftpd.conf file to have these options, which of course you can adjust:

listen=YES

anonymous_enable=NO

local_enable=YES

write_enable=YES

local_umask=022

dirmessage_enable=YES

xferlog_enable=YES

pasv_enable=YES

pasv_address=66.44.55.66 

pasv_min_port=24000

pasv_max_port=24100

syslog_enable=NO

log_ftp_protocol=YES

chroot_local_user=YES

secure_chroot_dir=/var/run/vsftpd

pam_service_name=vsftpd

ssl_enable=YES 

rsa_cert_file=/etc/vsftpd/vsftpd.pem

force_local_data_ssl=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=YES

ssl_sslv3=YES

ssl_ciphers=HIGH

Note this line (below); this will allow VSFTP to rewrite its own passive packets to allow for that data channel to function.  Set this as the firewall's external IP, not the 66.44.55.66 example I have here:

pasv_address=66.44.55.66

In your firewall, allow these ports through and port-forward them to this same internal server:

pasv_min_port=24000pasv_max_port=24100

Now you need to add a user to your system:

adduser ftpusername

If you want to prevent this user from logging in with SSH or at a console, you'll need to set this user to not have a shell (aka, set to /bin/false ) in /etc/passwd:

ftpusername:1001:1001::/home/ftpusername:/bin/false

and make sure that is a valid (even though fake) shell option in /etc/shells:

....../bin/false...

Finally, we'll turn off VSFTP's checking of the shell access in the file /etc/pam.d/vsftpd by commenting out (putting a #) the line:
#auth   required        pam_shells.so

We'll restart VSFTP

# /etc/init.d/vsftpd restart

and we should now be able to use FTPS from another computer, assuming you have your Firewall and Port Forwarding set up correctly for port 21 and ports 24000-24100 (or whatever you set in vsftpd.conf).  Instructions for connecting with various options (Dolphin, FileZilla, and cURL) can be found here.

More about FTP here

More about FTPS in VSFTP here

More about VSFTP logging here and conf options here

More about disabling PAM authentication to allow VSFTP to use /bin/false here


Thanks everyone who has written about this elsewhere and thanks to the developers of VSFTP.

HowTo: Batch-Converting m4a files to mp3 (command line)

If you buy songs in *.m4a (or ma4) format but, like me, your car stereo plays *.mp3 audio files only, here is a commandline script to convert all the m4a/ma4 files in the local directory to mp3 at 320 audio bitrate (the highest offered by mp3)

for f in *.m4a; do ffmpeg -i "$f" -acodec libmp3lame -ab 320 "${f%.m4a}.mp3"; done

HowTo Get Mac OS X’s “Natural Scrolling” In KDE

MakeUseOf.com has an article on setting up Natural Scrolling on Ubuntu, which requires a lot of setup for such a simple idea!  Natural Scrolling basically takes the scrollbar out of the equation and relies on your mousewheel/touchpad/touchscreen to be pushing a page up or down, rather than it's scrollbar.  In other words, you reverse the direction (and the behaviour) that we've learned about scrolling.  Without a mouse, this makes some sense.

This is easy to do in KDE: Open System Settings, click on "Input Devices" or "Keyboard and Mouse", click on the "Mouse" section, checkmark the 'Reverse Scroll Direction' box and click [Apply]:

I can see this making sense on a touch device but not as much on a computer with a mouse.  Do you prefer the Natural Scrolling or is it too much of a change?

Setting up Exim4 to allow Tagging: user+tag@domain.com

Email Tagging is a super-handy feature in GMail and other services, but if you run your own mail server on Exim4 this should be possible for you also.  Let me show you how!

Briefly, email address tagging (or "sub-addressing") means that if user@domain.com is a valid email address, then we can tag it with +anything (well, almost anything) and still have it be delivered to the user@domain.com address which allows for easy sorting and searches or to see who is selling your information:
  user+amazon@domain.com
  user+petition@domain.com
  user-senator@domain.com

To do this we need to first have your Exim4 server working properly and ports forwarded in the firewall or whatever you need to make Email flow; this is beyond this HowTo.  Then you need to know if you use Exim4's config split into smaller files or if the config is done in one large file (or make the changes in both, I suppose).  On Debian we can find this out by configuring Exim4 (or not changing the working settings if they work already) :

root-shell#  dpkg-reconfigure exim4-config

  internet site; mail is sent and received directly using SMTP <Ok>

  System mail name: domain.com <Ok>

  IP-addresses to listen on for incoming SMTP connections: _________ <Ok>

  Other destinations for which mail is accepted: <Ok>

  Domains to relay mail for: <Ok>

  Machines to relay mail for: <Ok>

  Keep number of DNS-queries minimal (Dial-on-Demand)? <No>

  Delivery method for local mail:  (You decide but an mbox file is a single point of failure) <Ok>

  Split configuration into small files?  <No>

Exim4 will restart with your config changes.  Now we're going to add a few lines to the config.

If you DO have this split into smaller configs, open the files listed below (Debian 6; your files may be different) and add the lines in bold:

root-shell#  vim /etc/exim4/conf.d/router/600_exim4-config_userforward

userforward:
debug_print = "R: userforward for $local_part@$domain"
driver = redirect
local_part_suffix = -* : +*

local_part_suffix_optional

domains = +local_domains
check_local_user
file = $home/.forward
require_files = $local_part:$home/.forward
no_verify
no_expn
check_ancestor
allow_filter
forbid_smtp_code = true
directory_transport = address_directory
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
skip_syntax_errors
syntax_errors_to = real-$local_part@$domain
syntax_errors_text = \
This is an automatically generated message. An error has\n\
been found in your .forward file. Details of the error are\n\
reported below. While this error persists, you will receive\n\
a copy of this message for every message that is addressed\n\
to you. If your .forward file is a filter file, or if it is\n\
a non-filter file containing no valid forwarding addresses,\n\
a copy of each incoming message will be put in your normal\n\
mailbox. If a non-filter file contains at least one valid\n\
forwarding address, forwarding to the valid addresses will\n\
happen, and those will be the only deliveries that occur.

And this one:

root-shell#  vim /etc/exim4/conf.d/router/900_exim4-config_local_user

local_user:
debug_print = "R: local_user for $local_part@$domain"
driver = accept
local_part_suffix = -* : +*

local_part_suffix_optional

domains = +local_domains
check_local_user
local_parts = ! root
transport = LOCAL_DELIVERY
cannot_route_message = Unknown user

If you're NOT using split-file, edit this single file and find these two sections and edit them to add the parts in bold:

userforward:  

debug_print = "R: userforward for $local_part@$domain"  

driver = redirect  

local_part_suffix = -* : +*  

local_part_suffix_optional  

domains = +local_domains
....

....

....


local_user:  

debug_print = "R: local_user for $local_part@$domain"  

driver = accept  

local_part_suffix = -* : +*  

local_part_suffix_optional  

domains = +local_domains  

check_local_user 

... 

...

...

Rebuild your config:

root-shell#  update-exim4.conf

Find your config file and look in there to see if these changes made it:

root-shell#  exim -bV

Exim version 4.69 #1 built 30-Jan-2011 20:48:20Copyright (c) University of Cambridge 2006Berkeley DB: Berkeley DB 4.6.21: (September 27, 2007)Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messagesLookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch nis nis0 passwdAuthenticators: cram_md5 plaintextRouters: accept dnslookup ipliteral manualroute queryprogram redirectTransports: appendfile/maildir/mailstore autoreply lmtp pipe smtpFixed never_users: 0Size of off_t: 8

Configuration file is /var/lib/exim4/config.autogenerated

Assuming the config file looks right, restart Exim4 and try your emailing now with a +sometag

root-shell#  /etc/init.d/exim4 restart

Note that in our two lines that we added:

local_part_suffix = -* : +*
local_part_suffix_optional

 
the first line has a minus and a star, colon, plus and a star.  The colon separates the options and we're saying that a minus-anything or plus-anything on an address is an acceptable tag.  We could specify this more with this instead:

local_part_suffix = -beta

local_part_suffix_optional

to accept only user-beta@domain.com if that is what we wanted.

Forwarding X11 through multiple SSH connections

Graphical Applications on a GNU/Linux machine can be launched from the remote machine to appear on your local machine by using 'X11 Forwarding', with X11 (or Xorg) being the name of the software that makes graphics possible on a GNU/Linux machine.  Your desktop such as KDE or GNOME or whatever is the client which connects to the X11 server.  There is now Wayland in the works, to replace Xorg/X11, but this won't cover that.

Because this is a client/server relationship, the two don't need to be running on the same machine.  We can start a remote graphical app from a command line and run the processing power on that remote machine (the server), while seeing and working on that app at the local machine (the client).

Let's first get an SSH connection with X11 forwarding started using the -X flag:

local-shell$  ssh user@remote.server.com -X

password: **********

remote-shell$

remote-shell$  dolphin

Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
kbuildsycoca4 running...

Here is a partial screenshot of this; the front Dolphin is the remote Dolphin (@bigboi) and running KDE 4.7.2 and with its specific layout, while the Dolphin in the back is the locally-running Dolphin (KDE 4.4.5 on Squeeze).

Click to Enlarge

Note the Dolphin in the foreground has its window management handled by the local machine (we can see the colour mismatch), but other aspects such as icons and contents belong to the remote machine.

To run X11 graphics across two connections, however, requires a bit of TTY-forwarding (using the -t flag, multiple times).  This tip allows us to connect to one machine, say a network gateway, and from that machine run a command to connect to our office desktop.  From here we can launch a graphical application and have it appear on our local machine.

local-desktop$  ssh -X -t -t -t lefty@gatewaymachine.com "ssh employee@192.168.1.00 -X"

lefty@gateway's password:

employee@192.168.1.100's password

employee-desktop$

This can come in very handy and it allows X applications to be run through a complex firewall scheme.  That command is a single line:

ssh -X -t -t -t lefty@gatewaymachine.com "ssh employee@192.168.1.00 -X"

FLOSS: Making Crazy Remote Connections Possible

This is certainly not the only way to do this connection, and very likely not the most efficient, but I found it cool so I had to write it up.  Do you have a similar story?

I have a client with a VPN connection that requires Windows to make that VPN connection, from my office IP address.  Because of this VPN requirement and other clients with similar setups, I keep a Windows virtual machine at the ready, as a VirtualBox Virtual Machine (VM) image.  This VM has its graphical bling set as minimally as possible to help speed connections wherever possible.

Tonight I wanted to do some remote work for this client.  I first connected into my office over VPN using KVpnc, and then over SSH to my office desktop with -X for X11 (graphical) forwarding:

home-shell$  ssh lefty@10.10.10.10 -X

work-shell$

From my office desktop, I was then able to list my VMs

work-shell$  vboxmanage list vms

  XPsp3

  TinyKore-kde 

and boot that VirtualBox version of XP from the command line:

work-shell$  vboxheadless -startvm XPsp3 --vnc --vncpass SomePass &

[1] 6079

Oracle VM VirtualBox Headless Interface 4.1.6_Debian(C) 2008-2011 Oracle CorporationAll rights reserved. 

work-shell$

Using the VirtualBox built-in VNC server on default port 5900 (which I started with --vnc in the above command) and the SomePass password that I set above, I was then able to use VNC to remote into my Windows XP machine (note this is all one line):

work-shell$  xtightvncviewer localhost::5900 -quality 0 -bgr233 -compresslevel 9 -encodings CoRRE

When prompted for the Password, I entered the SomePass as I set when initially starting the VirtualBox VM.  I tried using different -encodings flags for that xtightvncviewer connection, such as  -encodings zlib and -encodings CoRRE and -encodings CopyRect; the default encoding (tight) seemed to well but for rapid screen updates (such as scrolling yum messages), -encodings CoRRE really worked best.

Once on the Windows XP virtual machine, I was then able to start my magical VPN connection and fire up PuTTY, and connect to the remote server for maintenance.

To recap:

• I connected to work with a VPN
• then to my office desktop with SSH
• then I booted the XP virtual machine in headless mode with VNC
• I then connected from that SSH session to the VNC server on the XP VM
• From XP I started a VPN connection to a remote client's office
• I then started PuTTY and connected to the client's Linux server

Are there any crazy connections that you go through that wouldn't be possible without Free Software?