View source of "Template:Lucid/Networking"
From Ubuntu中文
= Networking =
== Network Manager ==
[http://en.wikipedia.org/wiki/NetworkManager Network Manager] is the default network manager in Ubuntu. It has a tray applet that allows you to switch between Internet connections (such as wireless APs or a wired connection).

== Wicd Network Manager ==
[http://wicd.sourceforge.net/ Wicd] is a GTK-dependent network manager written in Python that can be used in all variants of Ubuntu. Some users report it to be faster and more stable than Network Manager. To avoid networking conflicts, Wicd requires the removal of Network Manager prior to installation.
 sudo apt-get install wicd

== Set a static IP address ==
If Network Manager will not accept manually entered static IP address settings, here is the alternative method (which works for wired interfaces only, not wireless):
*Remove Network Manager:
 sudo apt-get remove network-manager
*Edit the /etc/network/interfaces file:
 sudo kate /etc/network/interfaces
*and replace the line (it is fine if the line is missing)
 iface eth0 inet dhcp
*with the following lines (using your own LAN settings, of course):
 auto eth0
 iface eth0 inet static
 address 192.168.0.35
 netmask 255.255.255.0
 network 192.168.0.0
 broadcast 192.168.0.255
 gateway 192.168.0.1
*Then restart networking:
 sudo /etc/init.d/networking restart
*Check to see if your settings are now correct:
 ifconfig
*If you need a static IP address and have a wireless connection, you have 2 choices:
:*Install the newer version of Network Manager from the [https://launchpad.net/~network-manager/+archive/ppa launchpad repository]:
:*Add the repository key (you need port 11371 open in your firewall to use the keyserver):
 sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC8EBFE8
:*[[#Add_Extra_Kubuntu_Repositories|Add these repositories]]:
 deb <nowiki>http://ppa.launchpad.net/network-manager/ppa/ubuntu</nowiki> karmic main
 deb-src <nowiki>http://ppa.launchpad.net/network-manager/ppa/ubuntu</nowiki> karmic main
:*Update
 sudo apt-get update
:or
:*Uninstall the Network Manager widget and install Wicd:
 sudo apt-get remove network-manager
 sudo apt-get install wicd

== Wireless ==
=== Network Manager ===
Network Manager has been redesigned for Ubuntu and now works quite well. You should not require other network managers, and, in fact, more than one network manager can cause conflicts. It can be accessed from the tray icon.

=== Manual configuration from the command-line ===
3 steps for WEP (WEP is cryptographically broken; use it only where the access point offers nothing better):
 sudo iwconfig eth[N] essid [SSID]
 sudo iwconfig eth[N] key restricted s:[PASSWORD]
 sudo dhclient
WPA is more complicated. Create the wpa_supplicant configuration file. The quoting matters: wpa_supplicant expects "network={" with no spaces and the SSID and passphrase inside double quotes, and unquoted echo commands strip those quotes, so write the file with a quoted here-document. Make the file readable only by root, since it contains the pre-shared key:
 sudo mkdir -p /etc/wpa_supplicant
 sudo sh -c 'cat > /etc/wpa_supplicant/wpa_supplicant.conf' <<'EOF'
 network={
     ssid="SSID"
     key_mgmt=WPA-PSK
     psk="PRESHAREDKEY"
 }
 EOF
 sudo chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf
Then edit the interfaces file:
 sudo vim /etc/network/interfaces
Now add after "auto eth[N] ..." & "iface eth[N] .." (press 'i'). Keep the driver comment on its own line; in this file "#" only starts a comment at the beginning of a line, so text after the driver name would be passed to wpa_supplicant as part of the driver name:
 # wext, or whatever driver your network card needs
 wpa-driver wext
 wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
Save the file ('Esc', ':x', 'Enter') and restart your system.

== Internet connection sharing (DHCP server) ==
In most LANs, an inexpensive router is used to provide [http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] functions (Internet connection sharing). However, DHCP services can also be provided by a single host computer on your [http://en.wikipedia.org/wiki/Local_area_network LAN] if it is directly connected to the Internet. (This is useful, for instance, if you have a 3G or other wireless EVDO connection to your computer which you want to share with the other computers on your LAN.) Other client computers on your LAN would then connect to the Internet through your host computer's Internet connection. The host computer now essentially performs the DHCP and gateway functions of a router.

All "client" computers on the LAN ought to be connected to a central LAN switch or router.
(If using a router, it should have its own DHCP functions disabled -- you shouldn't have 2 DHCP servers on a LAN unless you know how to [[#Using a nested wireless LAN router|nest LANs]].) They should all be set up to obtain DHCP-assigned dynamic IP addresses and use the same LAN subnet settings (which in the example below is the LAN IP range ''10.0.0.1 - 10.0.0.250'' with netmask ''255.255.255.0'' and gateway ''10.0.0.1''). The host computer to be used as the gateway/DHCP server is then connected (through its own ethernet port) either to one of the ports of the switch (if used), or to a LAN port of a router (don't use the WAN port). The host computer then connects directly to the Internet ([http://en.wikipedia.org/wiki/Wide_area_network WAN]) through a second port (which in the example below will be a wireless (wifi) port (wlan0)).

(Note: This setup is easiest if you connect all computers on the LAN with Ethernet cables to the central switch or router. But also see [[#Using a nested wireless LAN router|using a nested wireless LAN router]] below.)

(Note: If you want your LAN to use the same subnet as your WAN, see [[#Network Interfaces Bridging|network interface bridging]].)

*Install the DHCP server and firewall programs:
 sudo apt-get install dhcp3-server firestarter
*Rename the startup command (through a symbolic link) for the DHCP server. This is required or Firestarter will not know where to find it:
 sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd
*Edit the DHCP server defaults file so that the server listens only on the LAN interface (never on the Internet-facing one):
 sudo nano -w /etc/default/dhcp3-server
::Change the line
 INTERFACES=""
::to
 INTERFACES="eth0"
*Restart the DHCP server (through the symbolic link created above; the dhcpd binary itself has no "restart" argument):
 sudo /etc/init.d/dhcpd restart
*Right click on Network-Manager -> Edit Connections... -> Wired -> Add
: -> Connection name: ''Shared internet connection''
: -> IPv4 Settings -> Method: Manual -> Add
: -> Address: ''10.0.0.1'' -> Netmask: ''255.255.255.0'' -> Gateway: 0.0.0.0
: -> Available to all users: [x]
*Attach the ethernet cable to (eth0).
:Network-Manager -> Wired Networks -> ''Shared internet connection''
*Adjust your firewall to allow the Internet connection sharing. Start Firestarter:
 sudo firestarter
:*Tell the firewall which port is your direct Internet connection:
:Firestarter -> Preferences -> Firewall -> Network Settings -> Internet connected network device: (wlan0)
:-> IP address is assigned by DHCP: [x]
:*Tell the firewall which port is for the LAN, and specify the details for the LAN:
:Firestarter -> Preferences -> Firewall -> Network Settings -> Local network connected device: (eth0)
:-> Enable internet connection sharing: [x]
:-> Enable DHCP for the local network: [x]
:: -> DHCP server details -> Create new DHCP configuration -> Lowest IP address to assign: ''10.0.0.2''
:: -> Highest IP address to assign: ''10.0.0.250'' -> Name server: <dynamic>
:Note: Use your own desired LAN settings (internal [http://en.wikipedia.org/wiki/Static_IP#Static_and_dynamic_IP_addresses DHCP-assigned dynamic IP] address range), of course. In this example the full range ''10.0.0.2 - 10.0.0.254'' is not handed out as dynamic IP addresses, so that some LAN addresses (''10.0.0.251 - 10.0.0.254'') remain reserved for static IP addresses. (''10.0.0.255'' is the broadcast address of this subnet and cannot be assigned to a host.)
*Notes:
:*If you wish to use this setup all the time, make the "''Shared internet connection''" profile your default connection profile in Network Manager.

=== Using a nested wireless LAN router ===
Many users will already have an established LAN that uses an existing wireless router and has client computers that are set up to connect wirelessly to the router. Here's how to maintain this setup and still use the Internet connection sharing method of a single host computer as described above. This method is known as '''nested LANs'''. The wireless router will serve as a nested LAN for its wireless clients (only), but in turn will appear as a single device to the main LAN. The two LANs must have different IP ranges.
For example, the main LAN may have an IP range ''10.0.0.1 - 10.0.0.254'' (with netmask ''255.255.255.0''), as in the above example. The router's nested wireless LAN must then use a different IP range (for example ''192.168.0.1 - 192.168.0.254'' with netmask ''255.255.255.0'').
*Connect the host computer (to be used as your main LAN gateway/router), or the main LAN's switch, to the wireless router's WAN (Internet) port, not to one of its LAN ports. The "Internet connection" settings configured in the next step belong to the WAN port; plugged into a LAN port instead, the wireless router's own DHCP server would sit on the main LAN segment and compete with the host computer's DHCP server.
*Configure your wireless router's LAN so that it appears to be a ''single device'' to the main LAN:
:*Set up your wireless router so that the Internet Connection type is "Static IP" (often in the "Internet Setup" section). Configure the settings so that its "Internet IP address" is within the static IP address range of your main LAN (e.g. ''10.0.0.254''), and make sure the subnet mask matches the one you chose for your main LAN (e.g. ''255.255.255.0''). The gateway setting should be set to match the IP address of your host computer on the main LAN (e.g. ''10.0.0.1'' in the example of the preceding section). Now the wireless router will appear to the host computer as just another device on the main LAN.
:*If your wireless LAN is already functioning, you probably don't have to change any settings, but double-check to make sure the addressing schemes are compatible. Configure the wireless router's settings for the nested wireless LAN. This is done by enabling the router's DHCP server functions (in "Network Setup" or some similar configuration section of the router). The router ought to have as its own wireless LAN gateway address a "local IP address" (or "LAN IP address") of ''192.168.0.1'' (for the IP address range used in this example), and a "starting IP address" (for the DHCP-assigned dynamic IP address range to be used for the wireless clients) of ''192.168.0.2'' or greater. (Some routers ask you to specify the entire range, such as ''192.168.0.2 - 192.168.0.254''.)
*Make sure all your wireless client computers are set to obtain their DHCP-assigned dynamic IP addresses from the wireless router (gateway IP ''192.168.0.1'') instead of from the main LAN gateway.
*Now all communications from the wireless client computers will be routed to the wireless LAN router first, which will then in turn route them to the host computer (which is acting as the main LAN gateway/router), which will then in turn route them to the Internet (WAN).
*Note: The host computer for the main LAN must have a static IP address (e.g. ''10.0.0.1'' as in the example of the preceding section) and it must match the gateway IP address configured in the wireless LAN router settings.

=== Network Interfaces Bridging ===
*Install bridge-utils to be able to create network bridges:
 sudo apt-get install bridge-utils
*Edit /etc/network/interfaces:
 sudo nano /etc/network/interfaces
The interfaces file should look like this after editing it (bridge_ports is an option of the br0 stanza, so it goes directly under it):
 auto eth0
 iface eth0 inet manual
 #
 auto br0
 iface br0 inet dhcp
     bridge_ports eth0 wlan0
 #
 # The loopback network interface
 auto lo
 iface lo inet loopback
*Restart networking with:
 sudo /etc/init.d/networking restart
Note: Many wireless drivers will not bridge a wireless interface that is operating as an ordinary client (station). If the bridge comes up but no traffic passes over wlan0, bridge eth0 alone and leave wlan0 as a routed interface.

== Using Dynamic IP addresses for a webserver ==
Normally, domain name servers (DNS) that are used publicly on the Internet match a web server's URL name with the IP address of the server's host computer. If your computer has a static IP address, then you can publish your own web server's URL as belonging to the static, unchanging IP address of your computer. However, if your IP address is dynamic (always changing) because you use an ISP (Internet Service Provider) that constantly changes your IP address (using DHCP), then you will need a DNS service to constantly keep track of your dynamically changing IP address and match it to your web server's URL. Fortunately, there are a few DNS services that will do this for you, either for a small fee or even for free.
For more info, see [https://help.ubuntu.com/community/DynamicDNS this Ubuntu help article]. For specific tips on setting up this service, see [[Dynamic IP servers|this article]].

== Filesharing ==
=== NFS ===
NFS is the default networking protocol for network file sharing in *nix systems (including Ubuntu Linux).

=== Samba File Sharing ===
==== Samba client ====
Samba implements the SMB/CIFS networking protocol used by Windows-based networks. The Samba client is installed by default in Ubuntu Jaunty and should work seamlessly (unless you have a firewall blocking the ports).

==== Samba server ====
The following instructions are to install a Samba server (which is not installed by default). This allows you to share your files over a Samba (Windows) network to other Samba clients.
*Install Samba:
 sudo apt-get install samba samba-tools system-config-samba smbfs
:Note: samba-tools, system-config-samba, and smbfs are optional.
*Modify Samba settings.
:*Method 1:
:System -> Administration -> Advanced -> Samba
:(Note: this is available only if you installed system-config-samba.) It is recommended that your user be a member of the sambashare [[#Change your user groups|group]], as well.
:*Method 2:
:Enable a file sharing server with user login (very reliable method)
:Do the following on the machine that has the files to be shared:
::*Add the current user to Samba:
 sudo smbpasswd -a username
::(replacing username with your login username)
::*Open the Samba config file:
 sudo nano /etc/samba/smb.conf
::*Add the directories to be shared (right at the end) in the following format:
 [Pictures]
 path = /home/username/<folder_to_be_shared>
::(Replace username with your username and <folder_to_be_shared> with the folder you want to share.) With only a path set, the share is read-only and requires a valid Samba login; add "read only = no" to allow writing and "valid users = username" to restrict it to your account.
::Press CTRL+X and then Y to save.
::*Restart Samba:
 sudo service smbd restart
 sudo service nmbd restart
:::Note: Prior versions used:
 sudo /etc/init.d/samba restart
*On Windows, access the folder in the following format in Windows Explorer:
 \\192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server which is serving the folder)
*On Linux, type the following in Konqueror or Nautilus:
 smb://192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server serving the folder)
Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported [https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/95452 here]. In brief, you need to comment out/delete any instances of these two lines in /etc/samba/smb.conf:
 case sensitive
 msdfs proxy

==== Change your Workgroup ====
To change your Samba (Windows network) workgroup:
 sudo nano /etc/samba/smb.conf
Look for the line:
 workgroup = WORKGROUP
and change the setting to whatever your LAN workgroup is.

==== Recognizing Win98 machines ====
Microsoft networking is extremely quirky. Windows 98 only speaks the old LANMAN and NTLMv1 password exchanges, which Samba's client tools refuse by default. To let them authenticate to shares on Windows 98 PCs, edit your Samba configuration file:
 sudo nano /etc/samba/smb.conf
Then add the following lines to the [global] section of the file:
 [global]
 # THE LANMAN FIX
 client lanman auth = yes
 client ntlmv2 auth = no
Note: These two settings weaken authentication for every outgoing connection this machine makes (LANMAN hashes are trivially cracked by anyone who captures the exchange), so remove them once the Windows 98 machines are gone.

=== Integrating into Mac OS X Network ===
See [http://www.zaphu.com/2008/04/30/five-guides-on-how-to-integrate-ubuntu-into-a-mac-os-x-network/ this guide] for information on integrating Ubuntu into an existing Mac OS X Appletalk network.

== Local Area Network ==

== Modems / Dial-up ==
GPPP is the default modem dialing application.
:Applications -> Internet -> GPPP Internet Dial-up

= Remote Access =
There are several methods of remote access. VNC sharing allows you to view and control a remote computer's desktop. (Windows users use a similar proprietary protocol called Remote Desktop Protocol (RDP).) XDMCP allows a complete remote X Window System based login.
Remote connections are hazardous unless proper security precautions are taken to prevent unauthorized logins and to ensure encryption of transmitted data.

== SSH ==
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. The OpenSSH client is installed by default in Ubuntu, so you can connect to another computer that is running an SSH server.

=== Connect to a remote SSH server ===
==== From the command-line terminal ====
Install the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1 OpenSSH] client (if not already installed):
 sudo apt-get install openssh-client
From the command-line Terminal type:
 ssh -C <username>@<computer name or IP address>
:Note: The -C option enables compression, which speeds up transmission through the tunnel on slow links (on a fast LAN it can slow things down, so leave it out there).
For example:
 ssh -C joe@remote.computer.xyz
:or:
 ssh -C mike@192.168.1.1
:or
 ssh -C 192.168.1.1 -l mike
:Note: -l specifies the login id.
If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection with the -p option (ssh does not accept a host:port suffix). For example, if the SSH server is listening on port 11022, connect:
 ssh -C -p 11022 joe.friday@remote.computer.xyz
:or
 ssh -C remote.computer.xyz -p 11022 -l joe.friday
If you have made a public/private key pair using ssh-keygen, the private key must be stored in /home/''user''/.ssh. The key must be readable only by ''user'', or ssh will refuse to use it:
 chmod 600 /home/''user''/.ssh/identity
:or
 chmod 600 /home/''user''/.ssh/id_rsa
To log in with the key (ssh tries the default key names in ~/.ssh automatically; use -i to name a key stored elsewhere):
 ssh -C remote.computer.xyz -p 11022 -l joe.friday
Note: You can run the command as a menu item, but the command must be "run in terminal."

==== Port forwarding through SSH ====
* See [[Using_SSH_to_Port_Forward|Using SSH to Port Forward]] for full details.
* In brief, use
 ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
This specifies that any connection made on your computer (localhost) to <local port> will be carried through the encrypted SSH connection and delivered by the SSH server to <remote computer>:<remote port>. To use VNC through the tunnel, you would use an application like Krdc or Vinagre:
 krdc vnc://localhost:<local port>
Note: ''localhost'' is equivalent to (and interchangeable with) ''127.0.0.1''. Either can be used.

Note that for VNC, the default <local port> is 5900. In general, a remote VNC server (such as [[#X11VNC_Server|X11VNC]]) is also listening on the default <remote port> 5900 as well. The default <SSH tunnel port> is 22, as discussed above. All these can be changed, however, if you desire greater security.

The <remote computer> address is resolved by the SSH server, not by your machine, so it must be the address by which the SSH server reaches the VNC server: the internal LAN IP address of the remote '''computer''' (such as 192.168.1.155), not the remote '''router''''s public IP address, which is what goes in <remote ip>. (If the VNC server runs on the same machine as the SSH server, <remote computer> can simply be 127.0.0.1. If the remote computer is directly connected to the Internet without an intervening router, <remote computer> and <remote ip> would be the same.)

''Example'': For extra security, the SSH server uses <SSH tunnel port>=11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is <remote ip> = 244.205.123.123. The remote computer to which I want to connect has a static IP address within the remote LAN of <remote computer> = 192.168.1.155. I have set up an [[#X11VNC_Server|X11VNC server]] on this computer that is listening on <remote port> = 6912 (instead of the default 5900). I set up port forwarding on the router of this remote LAN to forward the SSH port 11022 to this server computer; the VNC port 6912 is '''not''' forwarded by the router, because it is only ever reached from inside the LAN through the tunnel. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default <local port> = 5900. My name is <user> = joe.friday. This is my story.
 ssh -C 244.205.123.123 -p 11022 -L 5900:192.168.1.155:6912 -l joe.friday
 krdc vnc://localhost:5900
If you have set up a private/public key pair with a passphrase, or if your SSH server requires a password, of course, you will be prompted for it after issuing the SSH command.

Note: Port forwarding assumes that the SSH port is also forwarded through the router(s) and allowed through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the <SSH tunnel port> needs to be open and forwarded by a router. All communications go through your router on this single port, encrypted end to end by SSH, and the VNC port itself is never exposed to the Internet. This is what makes the communications secure.

=== PuTTY ===
[http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] is a GTK-based GUI client interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login. A user would run PuTTY to create the SSH tunnel (instead of the ssh command) and then run a program such as Krdc or Vinagre. PuTTY is available for both Linux and Windows (but for routine Linux usage [[#OpenSSH Public Key Authentication|OpenSSH]] is generally recommended instead).
 sudo apt-get install putty putty-tools
*To create a 2048-bit RSA key pair compatible with OpenSSH, it is possible to use [http://linux.die.net/man/1/puttygen Puttygen] (part of putty-tools). (The Linux version of Puttygen is occasionally buggy, however, so [[#OpenSSH Public Key Authentication|OpenSSH keygen]] is recommended for routine usage instead.) The first command creates the key pair in PuTTY's own .ppk format, which is the only format PuTTY itself can load; the next two export the same key in the formats OpenSSH expects:
 puttygen -t rsa -b 2048 -O private -o putty_rsa.ppk
 puttygen putty_rsa.ppk -O public-openssh -o id_rsa.pub
 puttygen putty_rsa.ppk -O private-openssh -o id_rsa
*Move the OpenSSH-compatible keys to the ~/.ssh (i.e. the /home/''user''/.ssh) folder:
 mv id_rsa* ~/.ssh
*[[#OpenSSH Public Key Authentication|Copy the public key]] ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
 ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''
*Connect a VNC client (such as Krdc) through SSH using the command-line. PuTTY's -i option only accepts a key in its own .ppk format (the putty_rsa.ppk file created above), not the exported id_rsa; -P sets the SSH server port:
 putty -ssh -i putty_rsa.ppk -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22''
 krdc vnc://127.0.0.1:5900
:or as a single command (PuTTY has no option to fork itself into the background, so the shell's & is used):
 putty -ssh -i putty_rsa.ppk -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22'' & sleep 5; krdc vnc://127.0.0.1:5900
*Alternatively, the PuTTY SSH Client GUI can be run (from Menu -> Internet -> PuTTY SSH Client) and options configured from there.

==== Using keys created by Puttygen in OpenSSH ====
The public key saved by Puttygen in Windows is not compatible with OpenSSH's authorized_keys format unless it is edited. For example, the default OpenSSH key is 2048-bit RSA (SSH-2). When a 2048-bit RSA (SSH-2) PuTTY public/private key pair is generated (by Puttygen) in Windows (see [http://unixwiz.net/techtips/putty-openssh.html this tutorial]), the public key is saved in the RFC 4716 format and looks like:
 ---- BEGIN SSH2 PUBLIC KEY ----
 Comment: "rsa-key-20100302"
 AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6k
 unPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYD
 ZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9
 YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvC
 bYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykee
 RwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==
 ---- END SSH2 PUBLIC KEY ----
* To be used by OpenSSH, the saved public key must be edited.
:* Delete the first two lines (with BEGIN and Comment: in them) and the last line.
:* Join the remaining lines into a single line.
:* Place ssh-rsa (followed by a space) at the beginning.
:* It should end up looking like:
 ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6kunPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYDZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvCbYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykeeRwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==
*Once the PuTTY public key is in this format, it can be appended to the ~/.ssh/authorized_keys file on the OpenSSH server. (The private key stays on the client computer, of course.) PuTTY can then connect (from Windows or Linux) to an OpenSSH server using the public/private key method.

=== Connect using SSH Agent ===
With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See [http://kimmo.suominen.com/docs/ssh/#ssh-agent this tutorial]. Also see this alternative simple approach: [[#Connect with SSH and start an application with a single command|Connect with SSH and start an application with a single command]].

=== Setup an SSH server ===
Install the [https://help.ubuntu.com/9.10/serverguide/C/openssh-server.html OpenSSH] server:
 sudo apt-get install openssh-server
Note: The OpenSSH server can also be installed when doing a [[#Servers|server]] installation as an option from the LiveCD.

Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See [http://pigtail.net/LRP/printsrv/cygwin-sshd.html these instructions].
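The hand edits described under "Using keys created by Puttygen in OpenSSH" above are easy to get wrong (a Comment header that PuTTYgen wrapped over two lines, a stray line break left in the base64, or a DSA key prefixed with ssh-rsa). The script below is an added example, not code from the Ubuntu guide or from PuTTY: it performs the same conversion from an RFC 4716 "SSH2 PUBLIC KEY" block to a single authorized_keys line, but reads the key type out of the decoded blob instead of assuming ssh-rsa, so a wrong type or corrupted paste is rejected before anything is appended to authorized_keys. The key it builds as sample input is constructed from a made-up modulus and is not a real key.

```python
"""Convert a PuTTYgen / RFC 4716 "SSH2 PUBLIC KEY" block into the one-line
format OpenSSH expects in ~/.ssh/authorized_keys, checking that the key type
prefix matches the type encoded inside the key blob.

Added example for the Ubuntu guide, not code from the guide or from PuTTY.
The sample key is constructed from a made-up modulus and is not a real key.
"""
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: two's-complement big-endian, so a positive number whose top
    bit is set gets one leading zero byte ((bit_length + 8) // 8 bytes)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def blob_key_type(b64: str) -> str:
    """Decode the base64 blob and return its first field, the key type
    (e.g. "ssh-rsa"); raises ValueError if the base64 is malformed."""
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def rfc4716_to_openssh(text: str) -> str:
    """Return the authorized_keys line for an RFC 4716 public key block.

    Drops the BEGIN/END lines, consumes the header lines (Comment:, Subject:,
    ... including backslash-continued ones), joins the wrapped base64, and
    prefixes the key type read from the blob itself rather than assuming
    "ssh-rsa".  A Comment header becomes the trailing comment field.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key block")
    body = lines[1:-1]
    comment = ""
    i = 0
    # Base64 never contains ':', so a ':' marks a header line.
    while i < len(body) and ":" in body[i]:
        name, _, value = body[i].partition(":")
        while value.endswith("\\"):          # header continued on next line
            i += 1
            value = value[:-1] + body[i]
        if name.strip().lower() == "comment":
            comment = value.strip().strip('"')
        i += 1
    b64 = "".join(body[i:])
    key_type = blob_key_type(b64)
    if key_type not in ("ssh-rsa", "ssh-dss"):
        raise ValueError("unexpected key type %r in blob" % key_type)
    return " ".join(part for part in (key_type, b64, comment) if part)


# Constructed sample input: e = 65537 and a made-up 256-bit modulus
# (far too short for real use; chosen so the base64 wraps past 70 columns).
SAMPLE_E = 65537
SAMPLE_N = 0xC3A7E1F95B2D4C6E8F0A1B3D5C7E9F02468ACE13579BDF0246813579ACE02469


def make_rfc4716_sample() -> str:
    """Build the block PuTTYgen would save for the sample key, with the base64
    wrapped at 70 columns and a Comment header split over two lines."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(SAMPLE_E) + _ssh_mpint(SAMPLE_N)
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, 'Comment: "rsa-key-\\', '20100302"', *wrapped, END])


if __name__ == "__main__":
    print(rfc4716_to_openssh(make_rfc4716_sample()))
```

To use it on a real PuTTYgen file, read the file into a string and append the returned line to ~/.ssh/authorized_keys on the server; the blob check is what keeps a key of the wrong type, or a truncated paste, from being installed as a usable credential.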
==== Limit authorized SSH users ====
* See [[Limit_the_user_accounts_that_can_connect_through_OpenSSH_remotely|Limit the user accounts that can connect through OpenSSH remotely]]

==== OpenSSH Public Key Authentication ====
See this [http://sial.org/howto/openssh/publickey-auth/ OpenSSH Public Key Authentication Tutorial]. In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:
 ssh-keygen
A prompt asks for a passphrase. If you wish to use OpenSSH without a password from a secure client (to which no one but you has access), leave the passphrase blank; be aware that an unencrypted private key gives access to every server holding its public key to anyone who obtains the file (from a backup or a stolen laptop, for instance). If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client (or once per session if you use [[#Connect using SSH Agent|SSH Agent]]).

By default, a 2048-bit RSA SSH-2 key pair is generated and stored in the /home/''user''/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. (The public key is id_rsa.pub and is meant to be copied to the OpenSSH server.)
:*The private key must only be accessible (and should be read-only) to ''user'', the owner of the file:
 chmod 600 /home/''user''/.ssh/id_rsa
::You could also make the entire .ssh folder accessible only to ''user'':
 chmod 700 /home/''user''/.ssh
*Copy the public key ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
 ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''
:*The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/''user''/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/''serveruser''/.ssh exists and that there is a file authorized_keys (writable by ''serveruser'') in that folder. If not, create them while logged into the server as ''serveruser'' (the touch command creates an empty file). Leave the default permissions alone: sshd ignores the key file if ~/.ssh or authorized_keys is writable by anyone other than its owner.
 mkdir ~/.ssh
 cd ~/.ssh
 touch authorized_keys
Then append the id_rsa.pub key you have copied to the ~/.ssh folder to authorized_keys. (Make sure the owner of id_rsa.pub, after copying, is ''serveruser''.) Only id_rsa.pub is given to cat: naming authorized_keys itself as an input while appending to it is redundant, and cat refuses it ("input file is output file").
 cd ~/.ssh
 chown ''serveruser'' id_rsa.pub
 cat id_rsa.pub >> authorized_keys
*Make sure the OpenSSH server knows to look for the key file. On the remote server, edit the OpenSSH configuration file:
 sudo nano /etc/ssh/sshd_config
:*Uncomment the line (i.e. remove the # at the beginning of the line):
 #AuthorizedKeysFile %h/.ssh/authorized_keys
*Remove the ability to log in to the OpenSSH server using password authentication. Before doing so, verify from a second terminal that key-based login already works; once passwords are refused, a broken key setup locks you out of a remote server:
 sudo nano /etc/ssh/sshd_config
:*Change the line
 #PasswordAuthentication yes
:to
 PasswordAuthentication no
:sshd uses the first occurrence of a keyword, so make sure no earlier uncommented PasswordAuthentication line remains above it. Also check that ChallengeResponseAuthentication is set to no (Ubuntu's default); otherwise passwords are still accepted through PAM's keyboard-interactive method.
*Restart the OpenSSH server:
 sudo /etc/init.d/ssh restart
*Now you can connect securely with an SSH tunnel without requiring a password, logging in as ''serveruser''.
 ssh -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p ''22''

==== Connect with SSH and start an application with a single command ====
* If you have created an [[#OpenSSH Public Key Authentication|OpenSSH key pair]] (without a passphrase), you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:
 ssh -f -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p 22 sleep 5; krdc vnc://127.0.0.1:5900
:*Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.
Note: This command is a command-line mini-script. The SSH -f option tells the SSH client to fork into the background after starting (this option is not available in the PuTTY client). This allows the command line to continue to proceed to the next command(s) listed on the command-line mini-script.
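Before the restart in the sshd_config steps above, it is worth checking what sshd will actually do with the edited file: it takes the first value it sees for each keyword (a second PasswordAuthentication line lower down is silently ignored), and every line below a Match line applies only to the connections that block matches. The checker below is an added example, not part of the Ubuntu guide or of OpenSSH. The sshd_config text it inspects is a constructed sample with one such trap in it, and the defaults it assumes for keywords that are absent (PasswordAuthentication yes, ChallengeResponseAuthentication yes, AuthorizedKeysFile .ssh/authorized_keys, Port 22) are the ones documented in sshd_config(5).

```python
"""Report the values sshd will actually use from an sshd_config, and flag the
settings the public-key setup above expects to have changed.

Added example, not part of the Ubuntu guide or of OpenSSH.  Two parsing rules
from sshd_config(5) matter here: for each keyword the FIRST value read wins,
and every line after a "Match" line belongs to that Match block.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a Lucid sshd_config after the edits above, except that an
# earlier "PasswordAuthentication yes" was left in place above the new line.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 11022
Protocol 2
PasswordAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value" (sshd_config(5) allows both forms)
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Compiled-in defaults used when the keyword never appears (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys",
    "port": "22",
}


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective global settings keyed by lower-cased keyword,
    lines that sshd ignores because the keyword already had a value).
    Lines inside a Match block are skipped: they are per-connection."""
    effective: Dict[str, str] = {}
    shadowed: List[str] = []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            in_match = True               # everything below is conditional
            continue
        if in_match:
            continue
        if keyword in effective:
            shadowed.append(line)         # first occurrence wins
        else:
            effective[keyword] = value
    return effective, shadowed


def setting(text: str, keyword: str) -> str:
    """Effective value of one keyword, falling back to sshd's default."""
    effective, _ = parse_sshd_config(text)
    key = keyword.lower()
    return effective.get(key, DEFAULTS.get(key, ""))


def hardening_problems(text: str) -> List[str]:
    """Problems relative to the setup above: passwords must be refused both
    directly and through PAM's keyboard-interactive method, the key file must
    be the usual authorized_keys, and no edited line may be shadowed."""
    problems = []
    if setting(text, "PasswordAuthentication").lower() != "no":
        problems.append("PasswordAuthentication is effectively '%s'"
                        % setting(text, "PasswordAuthentication"))
    if setting(text, "ChallengeResponseAuthentication").lower() != "no":
        problems.append("ChallengeResponseAuthentication still allows PAM passwords")
    if "authorized_keys" not in setting(text, "AuthorizedKeysFile"):
        problems.append("AuthorizedKeysFile is '%s'" % setting(text, "AuthorizedKeysFile"))
    for line in parse_sshd_config(text)[1]:
        problems.append("ignored duplicate: '%s'" % line)
    return problems


if __name__ == "__main__":
    print("sshd listens on port", setting(SAMPLE_SSHD_CONFIG, "Port"))
    for problem in hardening_problems(SAMPLE_SSHD_CONFIG):
        print("PROBLEM:", problem)
```

Run against the sample, the checker reports that passwords are still accepted and that the newly added "PasswordAuthentication no" is a dead duplicate; fixing the first line (rather than adding another one at the bottom) is what makes the change take effect. Feed it the real /etc/ssh/sshd_config before the restart, and keep a second, already-authenticated session open until a fresh key login succeeds.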
The 5 second wait ("sleep") timeout allows time for the SSH tunnel to be created before proceeding to the next command. (This can be lengthened if necessary.) After the wait period, the program (Krdc VNC in this example) is started.
* Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.

== VNC ==
Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as [[#X11VNC_Server|X11VNC]], [[#Vino Remote Desktop VNC server|Vino]], or Krfb). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent: a VNC viewer on one operating system can usually connect to a VNC server on any other operating system.

=== Vino Remote Desktop VNC server ===
Vino-server (the Gnome VNC server) is included by default in Ubuntu. Start:
:System -> Preferences -> Remote Desktop
*You can accept uninvited connections in the Security section. You can require a password for these connections.
*This implementation of Vino does not allow changing the default listening ports (which start at 5900). If you wish to customize your VNC connection, use X11VNC instead.
*A user can connect using [[#Vinagre VNC client|Vinagre]], the [[#Terminal Server Client|Terminal Server Client]], or any other VNC client.

==== How to securely use VNC with SSH tunneling ====
It is less secure to leave the VNC listening port open to the Internet, even with a password. (This exposes you to password guessing, and the VNC protocol itself does not encrypt the session.) It is more secure to use SSH to tunnel your VNC connection. Under [[#Port forwarding through SSH|SSH port forwarding]], the VNC listening port is the <remote port>. To increase security, this listening port can be changed from the default 5900.
Only the VNC server and the SSH client need to specify the <remote port> in a secure connection.

=== X11VNC Server ===
While Vino is easy to use, X11VNC allows far more customization and therefore can be used in situations where greater security is needed.
*Install an X11VNC server to share your desktop with other computers:
 sudo apt-get install x11vnc
*Run X11VNC without a password:
 x11vnc -forever -rfbport 5900
:Note: -rfbport 5900 specifies the port to listen on. The port number can be changed. This option is not required if the default port 5900 will be used. If clients connect directly, don't forget to open/forward this port in your firewall/router; if they connect through an SSH tunnel, do not forward it, and add the -localhost option so that X11VNC only accepts connections arriving from the tunnel on the same machine. By default the X11VNC server exits after the first client disconnects. To keep it running (and allow future connections), use the -forever option. See [http://www.karlrunge.com/x11vnc/x11vnc_opts.html here] for more command line options.
*Create a password to use with X11VNC:
 mkdir ~/.vnc
 x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass
:Note: a password given on the command line ends up in your shell history; running ''x11vnc -storepasswd ~/.vnc/x11vnc.pass'' with only the file name prompts for the password instead.
*X11VNC can then be started with a password:
 x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0

==== Using VNC with SSH ====
See [[#Port forwarding through SSH|Port forwarding through SSH]] for additional information.

=== Vinagre VNC client ===
[http://library.gnome.org/users/vinagre/stable/index.html.en Vinagre] is the default Gnome-based VNC client used in Ubuntu.
*Applications -> Internet -> Remote Desktop Viewer

=== Terminal Server Client ===
The Terminal Server Client is an Ubuntu/Gnome frontend for [http://www.rdesktop.org/ rdesktop] (for RDP connections to Windows computers) and one of several vncviewer clients (for VNC connections). It can be used instead of Vinagre.
*Applications -> Internet -> Terminal Server Client
*To use it with VNC, one of the VNC clients must be installed first.
For example, install the [http://www.tightvnc.com/ TightVNC] client:
 sudo apt-get install xtightvncviewer
:*Note that the TightVNC client can be used from the command line (or as a menu item) directly:
 vncviewer ''192.168.0.12''::''5900''
:where ''192.168.0.12'' is an example ''host'' that is running a VNC server on port 5900. For more command-line options, use
 man vncviewer

=== Krdc VNC client ===
Krdc is the default VNC client in Kubuntu/KDE. It can be used for both VNC and RDP connections.
*K-Menu -> Internet -> Krdc
*The command-line connection (for use as a menu item, for example) is:
 krdc vnc://<remote IP>
*If the remote (Krfb) VNC server is using a <remote port> other than the default 5900, use
 krdc vnc://<remote IP>:<remote port>
*Krdc can also connect to a Windows server using RDP (Remote Desktop Protocol):
 krdc rdp://<remote IP>:<remote port>

==== Using a VNC client with SSH ====
See [http://jeltsch.org/node/209 this howto] for an automated setup using a script (it did not work for me, but it might for you). In brief, you would initiate an [[#Port forwarding through SSH|SSH tunnel with port forwarding]] using Putty or the command line:
 ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
:Here <SSH tunnel port> is the port the remote SSH server listens on (22 unless it was changed), <remote port> is the VNC server's listening port, and <remote computer> is the VNC host ''as seen from the SSH server'': when the VNC server runs on the same machine as the SSH server, use localhost, so that the VNC port never needs to be reachable from outside at all.
::then you would start a VNC client such as Krdc:
 krdc vnc://localhost:<local port>
<local port> will usually be the default 5900, in which case you could simply use
 krdc vnc://localhost

=== XVNC4Viewer VNC Client ===
XVNC4Viewer is an alternative to Vinagre or the Terminal Server Client (vncviewer). Install:
 sudo apt-get install xvnc4viewer

== FreeNX ==
[https://help.ubuntu.com/community/FreeNX FreeNX] is a remote desktop display server/client solution that natively incorporates SSH tunneling (unlike VNC). It is therefore more secure than VNC (unless VNC is coupled with SSH tunneling).
=== FreeNX Server ===
The free server .deb package can be downloaded from [http://www.nomachine.com/select-package.php?os=linux&id=1 No Machine free server downloads].
*Alternatively, [[#Add Extra Ubuntu Repositories|add the following repository]]:
 sudo add-apt-repository ppa:freenx-team
*Install the package:
 sudo apt-get update
 sudo apt-get install freenx

=== FreeNX Client ===
Download the self-installing .deb file from [http://www.nomachine.com/select-package-client.php No Machine Client downloads].

== XDMCP ==
[http://www.tldp.org/HOWTO/XDMCP-HOWTO/index.html XDMCP] allows a separate remote login by an authorized user. This login is separate from the local user.
*XDMCP is not secure over the Internet (its traffic is unencrypted) and should only be used within a LAN. It cannot be tunnelled through SSH (it runs over UDP, which SSH port forwarding does not carry). It is turned off by default in Ubuntu. To enable it, edit the configuration file:
 sudo gedit /etc/gdm/custom.conf
*Find and change (or add) the line from false to true so that it reads:
 [Xdmcp]
 Enable=true

=== Telnet ===
SSH provides what Telnet does (a remote shell) but encrypts and authenticates the session; use it instead of Telnet.

== VPN clients ==
A [http://en.wikipedia.org/wiki/Virtual_private_network VPN] (Virtual Private Network) allows a secure encrypted connection ("tunnelling") over the Internet between a client (either standalone or on a separate LAN) and a home or corporate LAN server.

=== VPN through Network Manager ===
*The default Network Manager in Ubuntu/Kubuntu has a VPN client available. This includes support for IPSec and Cisco-compliant VPN connections.
Install:
 sudo apt-get install network-manager-vpnc
*To connect to a VPN network using OpenVPN (SSL), install the plugin:
 sudo apt-get install network-manager-openvpn
*To connect to a VPN network using PPTP (MS Windows servers), install the plugin:
 sudo apt-get install network-manager-pptp
:Note: PPTP's authentication (MS-CHAPv2) and its MPPE encryption are known to be weak; prefer OpenVPN or IPSec where you have the choice.
*Configure:
::Network Manager icon (in system tray) -> VPN Connections -> Configure VPN

=== Other VPN clients ===
Standalone VPN clients based on protocol are available (but not necessary if using Network Manager):
:*[http://www.debuntu.org/how-to-connect-to-a-cisco-vpn-using-vpnc vpnc], [http://grml.org/online-docs/grml-vpn.8.html grml-vpn] -- for Cisco-compliant (IPSec) VPN networks
:*[http://www.openswan.org/ openswan] -- for IPSec (OpenSwan) VPN networks
:*[http://pptpclient.sourceforge.net/ pptp-linux] -- for PPTP (MS Windows-compliant) VPN networks
:*[http://openvpn.net/ openvpn], gadmin-openvpn-client -- for OpenSSL (OpenVPN) VPN networks

=== VPN servers ===
==== OpenVPN ====
[http://openvpn.net/ OpenVPN] is a free, GPL-licensed open-source cross-platform VPN solution based on OpenSSL (not IPSec). Install the server (then see the website for further installation instructions):
 sudo apt-get install openvpn bridge-utils
A GUI configuration utility (GTK-based) is available:
 sudo apt-get install gadmin-openvpn-server
Also see [[OpenVPN_server|these installation tips]].

==== Poptop (PPTP Server) ====
[http://www.poptop.org/ Poptop] is a free open-source PPTP-based VPN server compatible with MS Windows PPTP clients. Install:
 sudo apt-get install pptpd

==== OpenSwan ====
[http://www.openswan.org/ OpenSwan] is the open source implementation of IPSec-based VPN connections for Linux (and is a successor to FreeSwan). Install:
 sudo apt-get install openswan linux-patch-openswan

= Security =
Ubuntu by default is a fairly safe system.
However, if you intend to use Ubuntu as a server, or for critical applications in which loss of data (by accident or by malicious intrusion) would be disastrous, you should learn how to make Ubuntu more secure. A good introduction to [http://www.psychocats.net/ubuntu/security#bestpractices Ubuntu Security Best Practices] is available. Recommended reading includes the book ''[http://www.harpercollins.com/books/9780061962233/Cyber_War/index.aspx Cyber War]'' by [http://en.wikipedia.org/wiki/Richard_A._Clarke Richard Clarke] and [http://news.cnet.com/8301-27080_3-20004505-245.html this interview] with Joe Weiss (IT advisor for the energy-sector smart grid).

== Firewall ==
Network communications go through "channels" called ports. You can restrict which ports are reachable ("open") for network communications, creating a barricade against unwanted network intrusion. Firewalls do this job for you. But I guarantee that if you install one before you know how to use it, one or more networking programs on your system will stop working. Read every bit of documentation about a firewall before installing it -- you won't regret the time invested.
All of these packages configure [http://en.wikipedia.org/wiki/Iptables iptables], the kernel packet-filtering framework whose rules control network access in and out of your computer. (You can modify the iptables rules manually from the command line as well, but if you are that much of an expert, you probably don't need this guide.)

=== Firestarter ===
[http://www.fs-security.com/ Firestarter] is an intuitive firewall manager used to set the iptables rules which provide firewall capabilities in Linux (including Ubuntu). It has a very easy-to-use GUI.
 sudo apt-get install firestarter

=== Guarddog ===
[http://www.simonzone.com/software/guarddog/ Guarddog] is a GUI firewall configuration utility for KDE. It has a complex array of configuration options and is difficult to use for some beginners.
 sudo apt-get install guarddog

=== Uncomplicated Firewall ===
[https://launchpad.net/ufw Uncomplicated Firewall] (ufw) is installed in Ubuntu by default but is disabled, so no rules are applied until you enable it. Once enabled, its default policy denies incoming connections and allows outgoing ones, so allow the services you need (SSH, for instance) before enabling it on a machine you administer remotely. It is configurable through the [[#General_Notes|command-line interface]]. See [http://ubuntuforums.org/showthread.php?t=823741 this forum thread], [http://www.ubuntu-unleashed.com/2008/05/howto-take-use-setup-and-advantage-of.html this usage tutorial], or the [https://help.ubuntu.com/community/UFW Ubuntu community help] for tips on how to set it up and use it. If not installed, it can be installed:
 sudo apt-get install ufw

==== Gufw ====
[http://gufw.tuxfamily.org/index.html Gufw] is a graphical user interface for Uncomplicated Firewall. Install:
 sudo apt-get install gufw

== Anti-virus ==
If you are running a file server, interface frequently with Windows drives, or use virtualization, you will want a virus checker for your Windows files.

=== ClamAV ===
[http://www.clamav.net/ ClamAV] is the open source virus scanner for Linux. To install ClamAV:
 sudo apt-get install clamav

== Anti-spam ==
=== SpamAssassin ===
[http://spamassassin.apache.org/ SpamAssassin] is written in Perl and is mostly for use on a mail server (or a groupware server). Install:
 sudo apt-get install spamassassin

== Rootkit checkers ==
[http://en.wikipedia.org/wiki/Rootkit Rootkits] are malicious [http://en.wikipedia.org/wiki/Trojan_horse_(computing) trojan]-like programs that give an intruder root (complete administrative) access to the system and hide that intruder's presence from the system's own tools. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is only a matter of time before more rootkits appear for Linux.
Checking for rootkits isn't always successful from a system that is already infected, because the rootkit can hide itself from tools run on that system. Your rootkit checker should therefore be run from another system, or from a [[#Run Ubuntu LiveCD from a USB pendrive|USB pendrive with a Ubuntu LiveCD installation]].
See the rootkit checker manuals for instructions on how to do this. If you are infected with a rootkit, you must back up your data files and re-install your system. (Thank goodness this is easy with Ubuntu, unlike with other operating systems.)

=== Chkrootkit ===
[http://www.chkrootkit.org/ Chkrootkit] checks locally for signs of a rootkit. See the [http://www.chkrootkit.org/README chkrootkit manual] for usage instructions.
:Install:
 sudo apt-get install chkrootkit
:Run:
 sudo chkrootkit

=== Rootkit Hunter ===
[http://www.rootkit.nl/projects/rootkit_hunter.html Rootkit Hunter] is compatible with (K)ubuntu systems. See the [http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034 usage instructions].
:Install:
 sudo apt-get install rkhunter
:Run:
 sudo rkhunter --check
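The Firewall section above talks about "open" ports without saying how to find out which ports are already reachable from the network. The following added example (not part of the original guide or of any of the firewall tools it lists) does that from the output of <code>ss -ltnp</code>: it prints every TCP listener bound to a wildcard address, and flags a VNC display port (5900-5999) that is exposed rather than bound to loopback as the VNC sections recommend. The <code>ss</code> output embedded in the script is constructed for the example, not captured from a real machine; running the script with <code>--live</code> feeds it the real output of the local host instead.

```shell
#!/bin/sh
# listening-check.sh: added example for the Firewall section. Before enabling a
# firewall (or deciding that you do not need one), list which services already
# accept connections from the network rather than only from the local machine.
# Input is the output of "ss -ltnp" (TCP listeners, numeric, with process).

# Constructed sample (not captured from a real host): x11vnc on :0 listening on
# loopback only, a second x11vnc on :1 exposed on all interfaces, sshd, cupsd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5900      0.0.0.0:*         users:(("x11vnc",pid=2345,fd=3))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:5901        0.0.0.0:*         users:(("x11vnc",pid=2400,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=600,fd=6))'

# Print "address:port process" for every listener bound to a wildcard address
# (0.0.0.0, [::] or *), i.e. reachable from any interface. Loopback-only
# listeners (127.0.0.1, [::1]) are skipped: no firewall rule is needed for them.
# Without root, ss omits the process column for other users' sockets; "-" then.
exposed_listeners() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $1 == "LISTEN" {
      addr = $4
      sub(/:[^:]*$/, "", addr)                 # strip the trailing :port
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
        n = split($6, parts, "\"")             # users:(("sshd",pid=...)) -> sshd
        proc = (n >= 2) ? parts[2] : "-"
        print $4, proc
      }
    }'
}

# Return 0 (true) if any VNC display port (5900-5999) is exposed, else 1.
vnc_exposed() {
  exposed_listeners "$1" | grep -q -E '^[^ ]*:59[0-9][0-9] '
}

# Check the live system when invoked directly with --live (run as root to see
# the owning process of every socket).
if [ "${1:-}" = "--live" ]; then
  live=$(ss -ltnp 2>/dev/null)
  exposed_listeners "$live"
  if vnc_exposed "$live"; then
    echo "warning: a VNC port is reachable from the network; use -localhost and an SSH tunnel" >&2
  fi
fi
```

On the sample, the script lists sshd on 0.0.0.0:22 and [::]:22 and x11vnc on 0.0.0.0:5901, and the VNC warning fires for the latter; the x11vnc on 127.0.0.1:5900 is exactly the configuration the SSH-tunnelling sections aim for and is not reported.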