Timbutku 8.0 Finally Adds Encryption

At 5:46 AM -0800 2005/03/02, Andrew Laurence wrote:
>If a Mac has sshd running, and you have an Admin user/pass, you can
>push a Timbuktu 8 install to that machine. If it has a prior
>version, it upgrades, otherwise it's a clean install. You can push
>preferences too.
>
>Basically they set up an SSH tunnel, then shove everything through
>that. The push install is an SSH session with (IIRC) rcp and shell
>commands; so simple, yet so clever.

        I have been waiting for someone clever to come up with a VNC
installer package that would do this for me, presumably through some magic
shell scripts. I would love to be able to have a client on the phone and
just have the check off a box in the "sharing" System Preferences and then
be able to "take control". Currently one can do this, but it requires me
to ssh to their system, and then from that end download, install and
configure the appropriate software, all from the command line. I know it
can be done (and I have done most of it for some clients) but it isn't as
quick and simple as it could be.

        Maybe it is time to justify the price of the Apple software?

        I understand that Apple's latest Remote Desktop Client can act as a
VNC server, so that might become my preferred software to install on
client's machines and it seems likely that this will become a standard part
of Mac OS X installs. Of course you should not install the latest ARDC if
you are using an earlier version of ARD which does not support the newer
client. If you are not using ARD, it doesn't matter.

        There are discussions of these sorts of things fairly frequently at
macosxhints.com - for example here is one on using a reverse SSH tunnel to
get around firewall issues:
<http://www.macosxhints.com/article.php?story=20050222062346277>



--
* Johann Beda - contact link: <http://public.xdi.org/=j-beda> *
* Johann's MostlyMac Computer Consulting - <http://mmcc.beda.ca/> *

On Fri, 4 Mar 2005 10:10:37 -0800, Johann Beda <st-tidbitsbeda.ca> wrote:
> be able to "take control". Currently one can do this, but it requires me
> to ssh to their system, and then from that end download, install and
> configure the appropriate software,

No, it doesn't. You can use ssh to "push" an install onto a remote machine.

for example,

cat mylocalfile |ssh remote.machine 'sh -c "cat - >> /path/to/remote/file"'

will append the contents of mylocalfile to remotemachine:/path/to/remote/file

ssh remote.machine 'sh -c "wget http://www.foo.tld/install.pacakge.tgz"'
ssh remote.machine 'sh -c "tar xzf install.pacakge.tgz"'
ssh remote.machine 'sh -c "cd install.package; ./configure"'
ssh remote.machine 'sh -c "cd install.pacakge; sudo make install"'

for example.

the best way to do this, if possible, is to have a ~/bin with the
executable you need and then simply push those executables onto the
target machine...

--
<http://2blog.kreme.com/>

At 10:17 AM -0700 2005/03/05, Cerebus the Aardvark wrote:
>On Fri, 4 Mar 2005 10:10:37 -0800, Johann Beda <st-tidbitsbeda.ca> wrote:
>> be able to "take control". Currently one can do this, but it requires me
>> to ssh to their system, and then from that end download, install and
>> configure the appropriate software,
>
>No, it doesn't. You can use ssh to "push" an install onto a remote machine.

        Well, that isn't substantially different from what I said, push or
pull you do need to download, install and configure the appropriate
software, all from the command line. Since the prepackaged VNC software all
comes with GUI installers and configuration, you need to figure out what
needs to be put where via the command line, and how to configure it all,
launch it, and tunnel through ssh, etc.

        I know all of this is possible, and even straight-forward. However
I do not want to do all the figuring out myself... I would be more than
happy take someone's already written script and use that... clearly my need
for remote admin is not so great that I have taken the time to get it all
done.

        And I thought that "wget" wasn't standard on Mac OS X anymore -
don't you need to use "curl"?

        Probably you are right that the easiest thing to do is to package
up the appropriate software binaries and config files and put them on a web
server to get via curl/wget. I had been playing around with using sftp to
get the .dmg file and then mounting it, then moving things to the right
place, then unmounting the image, etc. curl/wget would be a lot more
straightforward, and the vnc software probably does not have a lot of fork
issues that might get messed up with tgz. Certainly it is worth
experimenting.




--
* Johann Beda - contact link: <http://public.xdi.org/=j-beda> *
* Johann's MostlyMac Computer Consulting - <http://mmcc.beda.ca/> *

At 10:10 AM -0800 3/4/05, Johann Beda wrote:
> >Basically they set up an SSH tunnel, then shove everything through
>>that. The push install is an SSH session with (IIRC) rcp and shell
> >commands; so simple, yet so clever.
>
><snip>
> Maybe it is time to justify the price of the Apple software?

ARD doesn't do encryption either. To my knowledge, a with-encryption
implementation of VNC has yet to materialize. (I mentioned this in
my ARD review in Macworld.)

--
Andrew Laurence
atlaurenuci.edu

At 5:57 PM -0800 2005/03/06, Andrew Laurence wrote:
>ARD doesn't do encryption either. To my knowledge, a with-encryption
>implementation of VNC has yet to materialize. (I mentioned this in
>my ARD review in Macworld.)

        Probably nobody is working on that because people who want the
security just tunnel VNC through ssh such as in these instructions:

<http://www.macosxhints.com/article.php?story=2003061915425138>
<http://www.uk.research.att.com/vnc/sshvnc.html>
<http://www.macosxhints.com/article.php?story=20050222062346277>

        Probably one could use ssh tunnels to do the ARD stuff too.



--
* Johann Beda - contact link: <http://public.xdi.org/=j-beda> *
* Johann's MostlyMac Computer Consulting - <http://mmcc.beda.ca/> *

Note for completeness that Timbuktu for a while now has been at least encrypting keystrokes that are sent to the remote computer.

There was mention of Timbuktu using compression to increase
performance. I thought it always did this.

Is this a newer form of compression? If so, how much better is
performance compared to older versions or to Apple Remote Desktop or
VNC? Something that kills me with remote interfaces is the lag; if I
could find a solution that would work well off of a small upstream pipe
(such as my parent's 64K up DSL connection), it would be well worth a
couple hundred dollars.

--Nik

At 7:13 AM -0800 3/9/05, kohster wrote:
>Note for completeness that Timbuktu for a while now has been at
>least encrypting keystrokes that are sent to the remote computer.

Actually, in prior versions Timbuktu scrambled keystrokes, using a
randomly generated key for each session. It's not encryption per se.
8.0, however, shoves everything - keystrokes, graphics, file
transfers - through SSH encryption.

--
Andrew Laurence
atlaurenuci.edu

At 3:09 PM -0800 2005/03/07, Johann Beda wrote:
>At 5:57 PM -0800 2005/03/06, Andrew Laurence wrote:
>>ARD doesn't do encryption either. To my knowledge, a with-encryption
>>implementation of VNC has yet to materialize. (I mentioned this in
>>my ARD review in Macworld.)
>
> Probably nobody is working on that because people who want the
>security just tunnel VNC through ssh such as in these instructions:

        Yes.

> Probably one could use ssh tunnels to do the ARD stuff too.

        Yes, and no. ARD 2 uses 2 TCP ports and 2 UDP ports; ssh
tunneling only works for TCP, so the UDP bits can't be tunnelled. If
you VNC (using ARD) through an ssh tunnel, ARD thinks it's talking to
a (fast) VNC server on localhost, but can't discover it's an ARD
server on the other end because the discovery ports aren't tunnelled.

        Additionally, ARD has some nice discovery and multi-machine
management bits. Since ssh tunnels must be individually created per
machine:port, they don't work for discovery or network browsing...


                                                Chris Pepper
--
Chris Pepper: <http://www.reppep.com/~pepper/>
Rockefeller University: <http://www.rockefeller.edu/>