SSH connection starts up slowly

The situation is: when connect to a server with SSH session, it starts up slowly (but the web connection is fast). For some tracing and debugging, it is due to the stupid DNS setting by someone.

The reference is – SSH session slow to start? It’s the DNS stupid!, and the solution listing:

1. Check for the DNS settings in /etc/resolv.conf or NetworkManger in Gnome or any management tools on desktop environment. Or
2. Set the ”UseDNS no” in sshd config: /etc/ssh/sshd_config, and then restart sshd.

Enjoy it. 🙂

How to Make a Custom Service on Windows

The next step is to make a custom start-up service for Windows. That is , if we reboot it remotely, the connection will also be established automatically.

First, for a startup service, the reference page is: Set up an SSH tunnel as a Windows service using putty (plink).

1. Download the kit and install it.

2. Use the command to insert a new service with srvany:

cmd > insrsrv {service name} {location of srvany program}

3. Install the service’s detail for register. Coping the following entries to a .reg file, modifying the corresponding commands, and then double-click it to install. Note: the reverse-slash (‘\’) must write twice for escape.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters]
“Application”=”{location of plink}\\plink.exe”
“AppDirectory”=”{location of directory of plink}
“AppParameters”=”{ssh arguments}

4. After install it. You can use this command for testing.

cmd > net [start/stop] {service name}

5. When start up the service, check at the server side by netstat.

Second, for the detail when plink could not detect the host ssh key, the reference here: Add host keys for putty (plink) for the system user.

In default the connection is established by the owner. But a service is ran by the system who cannot retrieve the host key we presently used. To overcome this problem, the steps listing:

1. Connect server by hand to get the host key in local pc (as a double check).

2. Open regedit and find out the key: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.

3. Export these entries from menu and modify the exported file’s entry header to:

[HKEY_USERS\.DEFAULT\Software\SimonTatham\PuTTY\SshHostKeys]

4. Save and install it by double click. Then check the service for correctness.

Till now, the auto-login ssh tunnel service on Windows constructed. Then the next step is to check its connection and may it keep alive.

SSH Tunnel and Auto-login with Plink and Puttygen

The first part to finish my own Remote Desktop environment is to established a reverse tunnel connection. And by the way, to use auto-login without a plain-text password shown on command line.

First, to established a ssh tunnel, the command and corresponding arguments are:

plink -ssh -2 -R {dest pc ip}:{dest pc port}:{local pc ip}:{local pc port} -l {username} -i {ppk file} {remote pc tunnel ip}

This command indicate that we construct a Reverse tunnel with version 2 protocol from SSH. We will also bind a tunnel of the two specific ip:port pair. And we use auto-login method with the key-pair file (-i) which was generated from PuttyGen.

The references for common ssh and the specific server setting is at Reverse Tunneling. It is more important for the GatewayPort and the ClientAliveInterval settings. The detail will be shown in the later articles.

Second, to the automatic login strategy, the hint is to use PuttyGen, which also provided by the same vendor of Putty. The reference is Use PuTTYgen to generate a private/public key pair. And the short brief steps are listing:

1. Open PuttyGen, and generate your own DSA or RSA key-pair.

2. You can input the phrase for protecting the saved private key-pair file.

3. Copy the text in the public key section and paste it into your server, the ~/.ssh/authorized_keys file (one key per line).

4. Use plink/putty to check the auto-login function.

Now, the reverse tunnel connection established. The next step is to make it as a start-up service.

Remote desktop behind NAT on Windows

My network accessing rights in the rental hosting is behind NAT. What IPs we have are all private (192.168.x.x). Although we can use SSH to build a tunnel (even reverse tunnel) to bind the port for remote accessing and ignore the effects of NAT, there are many issues need to be solved.

The whole view of my chosen configuration is:

HOME (192.168.x.x) <– NAT <–> NETWORK <–> DEST_TUNNELED (LINUX)

And here I list the problems I encounter here. The solution may be written as another topic and linked externally.

First, for the Remote Desktop (RDP) in Windows XP SP3 (seems since SP2), it does not support the lookback (127.0.x.x) connections. The reason may be to avoid some user to connect from the same PC locally. In this situation, the connection will be disconnected and the only way to recover is rebooting forcedly.

But we still need the loopback function. Because if we using SSH tunnel for connections, the binding port is localhost (127.0.0.1) in local. But the default policies of Windows is to denied this kind of connections.

So I turn to use UltraVNC, a well-known remote control application on Windows. Another reason for chosen VNC is that almost 90% of my work (and home)  PC environments are Linux-based. Despite of VNC and RDP, I don’t wanna to install another clients in which not provided by the distribution.

P.S. Although UltraVNC provided some plug-ins such as NAT-to-NAT, single-click and so on, they are not feasible for my environments. One reason is that my destination computer are all Linux (and Windows PC are still behind another firewall too). So the solution based on listen mode, the NAT-to-NAT plug-in are all revoked by myself.

Second, to simplify the software installation in Windows, the SSH application I used is plink. Plink is a command-line interface for Putty’s back-end where Putty is also another well-known SSH clients in Windows. Because it can be used within command line, it is the best choice – to be a Windows services on system start-up and auto-connection.

The main reason I chosen plink for connection are: 1) It is small but compact; 2) It is installed-free (green); And 3) it is well-known and still in maintenance.

Details of SSH Tunnel and Auto-login with Plink and Puttygen.

Third, to insert a new services for Windows, I use the Windows Resources Kit which provided by Microsoft. Because it is also produced from the same vendor, the compatibilities and stabilities may be the highest one, I think.

Details of How to Make a Custom Service for Windows.

Fourth, to check the connection established periodically, I wrote a simple batch script to achieve. The script will check for the connection from local. Restart the tunnel service when disconnected. And with the Windows’ scheduler abilities, it will check periodically.

Details of Script to check tunnel status periodically on Windows.

Fifth, to maintain the connection, we change the server setting for SSH. The parameter will ask the clients whether it is still alive. This will prevent the connection be disconnected by the network devices between the edges.

Details of how to avoid SSH connection closed. (TBD)

Finally, my own remote desktop environments built successfully. And it works fine. Although the uploading from my home is still slow, I can control its status remotely.

ClientAliveInterval