
Secure Synergy Configuration for HTPC Control

I've been experimenting with different configurations for controlling my HTPC. Since I typically have my laptop on the couch with me, one setup I'm trying is Synergy.

By itself, Synergy is completely insecure. However, it's easy enough to secure with SSH tunnels. There are lots of tutorials for setting up Synergy through a tunnel, but I didn't find any that suit my HTPC use case. To use it with an HTPC, the Synergy server needs to run on the laptop, since that's where the keyboard and mouse you'd like to share across various computers are.

Typically tutorials will have you create tunnels from the Synergy client computers to the Synergy server computer where sshd is also running. Since my Synergy server is a laptop, I don't want to run sshd on it. Instead, I have sshd running on my HTPC. To make that work, you need a reverse SSH tunnel:

    ssh -f -R 24800:localhost:24800 htpc

Instead of forwarding connections from my laptop to the HTPC, this forwards connections from the HTPC to the laptop. When the Synergy client connects to localhost:24800 on the HTPC, it will be forwarded to localhost:24800 on the laptop. To make that work, you'll need to edit /etc/ssh/sshd_config by adding this to the end:

    GatewayPorts yes
    # Not strictly necessary, the default is yes.
    AllowTcpForwarding yes

Next you'll need a synergy.conf for your laptop. Here's mine:

    section: screens
      laptop:
      htpc:
    end
    section: links
      laptop:
        up = htpc
      htpc:
        down = laptop
    end

Finally, here's the script I use to make setting up the connection quick and easy:

    #!/bin/sh
    # Start the Synergy server on loopback, then open the reverse tunnel and start the client on the HTPC.
    synergys -a localhost -c ~/synergy.conf
    ssh -f -R 24800:localhost:24800 htpc 'synergyc localhost:24800 && sleep 28800'

The sleep is in there so that the connection stays open for a few hours.

Here's why this configuration is secure:
  • The Synergy server (synergys) on my laptop is bound to the loopback interface. That means that if I accidentally leave it running and then go online in a coffee shop, no one can connect to it.
  • I don't run sshd on the laptop, which reduces the coffee shop attack surface.
Encrypting the connection to the HTPC is unnecessary since both it and the laptop are on the internal, trusted network behind my router. In this case, SSH is only used for its convenient tunneling ability.
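
A check for the loopback-binding claim above, as an added example that is not part of the original post: it reads `ss -ltnH` output and reports any non-loopback listener on the Synergy port. The two listener tables are constructed samples; the HTPC one assumes sshd binds the forwarded port to the wildcard address, which is what `GatewayPorts yes` does for remote forwards. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: find non-loopback listeners on a port in `ss -ltnH` output.

# Print each local address listening on port $1 that is not loopback.
# Reads `ss -ltnH` output on stdin (field 4 is "address:port").
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Constructed sample: laptop running `synergys -a localhost`.
sample_laptop() {
    cat <<'EOF'
LISTEN 0      5          127.0.0.1:24800      0.0.0.0:*
LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
EOF
}

# Constructed sample: HTPC with the reverse tunnel up and GatewayPorts yes.
sample_htpc() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128          0.0.0.0:24800      0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      128             [::]:24800         [::]:*
EOF
}

# Report a verdict for one listener table (stdin) and port $1.
check_port() {
    found=$(exposed_listeners "$1")
    if [ -z "$found" ]; then
        echo "port $1: loopback only"
    else
        echo "port $1: reachable on $(printf '%s' "$found" | tr '\n' ' ')"
        return 1
    fi
}

sample_laptop | check_port 24800
sample_htpc | check_port 24800 || true
```

On a real host, run `ss -ltnH | check_port 24800` on both the laptop and the HTPC.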
