Secure Synergy Configuration for HTPC Control

I've been experimenting with different configurations for controlling my HTPC. Since I typically have my laptop on the couch with me, one setup I'm trying is Synergy.

Synergy's protocol carries your keystrokes and mouse events over the network unencrypted, so by itself it is completely insecure. It's easy enough to secure through the use of SSH tunnels, and there are lots of tutorials for setting up Synergy through a tunnel, but I didn't find any that suit my HTPC use case. With an HTPC, the Synergy server needs to run on the laptop, since that's where the keyboard and mouse you want to share across the other computers are attached.

Typically tutorials will have you create tunnels from the Synergy client computers to the Synergy server computer where sshd is also running. Since my Synergy server is a laptop, I don't want to run sshd on it. Instead, I have sshd running on my HTPC. To make that work, you need a reverse SSH tunnel:
ssh -f -R 24800:localhost:24800 htpc
Instead of forwarding connections from my laptop to the HTPC, this forwards connections from the HTPC to the laptop. When the Synergy client connects to localhost:24800 on the HTPC, sshd hands the connection back through the tunnel to localhost:24800 on the laptop. Nothing in /etc/ssh/sshd_config on the HTPC needs to change for this to work; the two settings involved are already at their secure defaults, so just check that they haven't been overridden:
GatewayPorts no
AllowTcpForwarding yes
GatewayPorts no is the default, and it is what keeps the forwarded port bound to the HTPC's loopback interface. Many tunnel tutorials tell you to set GatewayPorts yes; don't. That forces sshd to bind remote forwards to all of the HTPC's interfaces, so every host on the HTPC's network could reach the laptop's Synergy server through the tunnel. AllowTcpForwarding yes is also the default and is required for -R to work at all; if you have turned it off, the value remote is enough for this setup.
Next you'll need a synergy.conf for your laptop. Here's mine:
section: screens
    laptop:
    htpc:
end

section: links
    laptop:
        up = htpc
    htpc:
        down = laptop
end
The screen names must match the hostnames the two machines report, or pass -n <name> to synergys and synergyc to override them.
Finally, here's the script I use to make setting up the connection quick and easy:
synergys -a localhost -c ~/synergy.conf
ssh -f -R 24800:localhost:24800 htpc 'synergyc localhost:24800 && sleep 28800'
synergyc forks into the background as soon as it starts, so without the sleep the remote command would return immediately, ssh would exit, and the tunnel would close with it. The sleep keeps the session, and with it the tunnel, open for eight hours. Here's why this configuration is secure:
  • The Synergy server (synergys) on my laptop is bound to the loopback interface. That means that if I accidentally leave it running and then go online in a coffee shop, no one can connect to it.
  • I don't run sshd on the laptop which reduces the coffee shop attack surface.
Encrypting the connection to the HTPC is unnecessary since both it and the laptop are on the internal, trusted network behind my router. In this case, SSH is only used for its convenient tunneling ability.
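The procedure above can be wrapped in a small POSIX shell script that also checks the two properties the configuration relies on: that synergys on the laptop and the tunnel endpoint on the HTPC listen on loopback only, and that the HTPC's sshd_config has not been changed to GatewayPorts yes. This is an added example, not the original post's script. It assumes the ssh host alias htpc, port 24800 and ~/synergy.conf from the post, Linux ss(8) for listing listeners, and that synergys and synergyc are on the PATH; the ss output and sshd_config fragments embedded in it are constructed samples for the self-checks, not real captures.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes the ssh host alias
# "htpc", port 24800 and ~/synergy.conf from the post, and Linux ss(8).

SYNERGY_PORT=24800
HTPC_HOST=htpc
SYNERGY_CONF="$HOME/synergy.conf"
TUNNEL_LIFETIME=28800   # seconds the remote command keeps the session (and tunnel) open

# Read `ss -ltn` output on stdin. Succeed only if port $1 has at least one
# listener and every listener on it is bound to a loopback address.
# A wildcard bind (0.0.0.0 or [::]) is exactly what GatewayPorts yes would
# produce on the HTPC, and what synergys without -a localhost would produce
# on the laptop.
loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            total++
            if (addr == "127.0.0.1" || addr == "[::1]") ok++
        }
        END { exit !(total > 0 && ok == total) }'
}

# Read an sshd_config on stdin. Succeed only if the global section leaves
# GatewayPorts off and remote TCP forwarding on. sshd uses the first value it
# sees for a keyword; lines inside a Match block are conditional and ignored here.
sshd_config_ok() {
    awk '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == "gatewayports" && !seen_gw { seen_gw = 1; gw = tolower($2) }
        tolower($1) == "allowtcpforwarding" && !seen_fwd { seen_fwd = 1; fwd = tolower($2) }
        END {
            if (!seen_gw) gw = "no"      # sshd default
            if (!seen_fwd) fwd = "yes"   # sshd default
            exit !(gw == "no" && (fwd == "yes" || fwd == "remote"))
        }'
}

# The post's two commands, with ssh told to fail rather than silently carry on
# if the remote port cannot be bound (for example, a stale tunnel still holds it).
start_sharing() {
    synergys -a localhost -c "$SYNERGY_CONF"
    ssh -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
        -R "$SYNERGY_PORT:127.0.0.1:$SYNERGY_PORT" "$HTPC_HOST" \
        "synergyc localhost:$SYNERGY_PORT && sleep $TUNNEL_LIFETIME"
}

# Confirm both ends of the tunnel are loopback-only once it is up.
verify_listeners() {
    ss -ltn | loopback_only "$SYNERGY_PORT" ||
        { echo "laptop: port $SYNERGY_PORT is not loopback-only" >&2; return 1; }
    ssh "$HTPC_HOST" ss -ltn | loopback_only "$SYNERGY_PORT" ||
        { echo "htpc: tunnel endpoint is not loopback-only" >&2; return 1; }
}

# Constructed sample `ss -ltn` output (not a real capture) showing the wanted
# state: the Synergy port on loopback only, sshd on all interfaces.
SS_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:24800     0.0.0.0:*
LISTEN 0      128    [::1]:24800         [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
# Constructed sample of what the HTPC would show after GatewayPorts yes.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:24800       0.0.0.0:*
LISTEN 0      128    [::]:24800          [::]:*'
# Constructed sshd_config fragments: defaults untouched, and the common mistake.
SSHD_DEFAULTS='# constructed fragment
Port 22
PasswordAuthentication no
#GatewayPorts no'
SSHD_EXPOSED='GatewayPorts yes
AllowTcpForwarding yes'

case "${1:-}" in
    --run)        start_sharing && verify_listeners ;;
    --check-sshd) sshd_config_ok < /etc/ssh/sshd_config && echo "sshd_config: ok" ;;
esac
```

Run it with --run on the laptop to start sharing and verify both listeners, or with --check-sshd on the HTPC to confirm its sshd_config still has the defaults the tunnel depends on.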
