Performing a remote installation of SUSE over VNC poses a possible security as the installation traffic travels over the wire unencrypted.
Perform a remote installation over SSH which will encrypt traffic traveling over the wire.
Remote installation of SUSE with SSH
The installation of SUSE over SSH (Secure Shell) is as simple as installing SUSE over VNC (Virtual Network Computing). The major difference between installing SUSE over SSH is that SSH provides encryption throughout the duration of the installation, whereas VNC uses encryption just for the initial connection thereafter the data is transmitted in clear text.
This article shows the security weakness in a SUSE installation over VNC and why SSH is a better choice security wise. The first section of this article shows VNC and SSH security differences by sniffing the network traffic of a VNC and SSH installation revealing possible security threats. If you are just interested in setting up SUSE over SSH jump to the “Installing SUSE over SSH” section.
SSH vs VNC
In this section of the article you will see why I recommend performing a SSH installation of SUSE rather than a VNC installation. One of the major factors that you are probably wondering is, if you do a SSH installation will it have to be a text based installation and the answer is “NO”. SSH has the capabilities of forwarding X11 traffic to your screen similar to VNC, however you will not be able to access the installation screen via a web browser which VNC provides and you will need a SSH client when installing SUSE over SSH.
Sniffing VNC traffic
When sniffing VNC traffic it is possible to gather sensitive data, Table 1 shows what type of data can be gathered from sniffing a SUSE installation over VNC. The data that can be captured could prove useful to a cracker.
|Authentication result.||Mouse position.|
|Screen width.||Text stored in the servers cut/copy clip board.|
|Desktop name.||Share desktop flat which indicates whether the installation can be accessed by more than one client.|
|Mouse button.||Authentication response which is the clients encrypted response to the servers authentication challenge.|
Table 1: Sensitive data.
The data that is listed in Table 1 is not encrypted as VNC only encrypts the initial connection which is when the password is sent over the wire, after that traffic is send in clear text. Figure 1 shows a screenshot of the data listed in Table 1 being captured on a private network with Wireshark.
Figure 1: Sniffing VNC traffic.
As you can see from Figure 1 the desktop name has been captured: “root’s installation desktop (192.168.0.2:0)” and has not been encrypted, which shows the data has been transmitted over the network in clear text.
Sniffing SSH traffic
When performing an installation of SUSE over SSH the data is encrypted before it is sent over the network thus revealing no useful data for crackers. All traffic that is transmitted between the two machines is encrypted even after the initial connection the data is still encrypted. Figure 2 shows the traffic that was captured while performing an installation of SUSE over SSH.
Figure 2: Sniffing of a SSH installation.
Installing SUSE over SSH
The installation of SUSE over SSH is very simple and just requires two arguments to be passed into the boot options. The two arguments that are to be passed into the boot options are “UseSSH=1” and “SSHPassword=<Password to be used>”. The first argument sets the installation to use SSH the second argument sets a temporary password for the SSH installation, Figure 3 shows the two arguments in the boot options. If you are paranoid of shoulder surfers it is possible to not specify the “SSHPassword=” argument and when you start the installation you will be asked for a temporary SSH password which will be echoed on the screen as asterisk characters (*).
Figure 3: SUSE boot screen.
Once you have typed the two arguments into the boot options you can press the return key and SUSE will begin setting up a SSH server. Once the machine has network connectivity you can move to another machine and being the installation. The user you need to SSH in as is “root” and you will also need to use the -X qualifier to forward the X11 traffic to your machine as shown in Figure 3.1.
If you have a busy network or just what to compress the data being transmitted between the two machines you can use the -C qualifier, which will compress the data being transmitted using the gzip compression algorithm.
damian@server2:~ # ssh -X email@example.com The authenticity of host '192.168.0.2 (192.168.0.2)' can't be established. DSA key fingerprint is d3:8e:48:6c:5a:e4:45:ac:80:d9:7f:bc:16:a3:7a:a3. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.0.2' (DSA) to the list of known hosts. firstname.lastname@example.org's password: SUSE Linux Enterprise Server 10 Installation /usr/X11R6/bin/xauth: creating new authority file /root/.Xauthority #[11;0]Welcome to the inst-sys... Linux 192.168.0.2 184.108.40.206-0.8-default #1 Mon Jul 3 18:25:39 UTC 2006 i686 athlon i386 GNU/Linux /root run yast to start the installation inst-sys:~ #
Figure 3.1: SSH into the server.
Once you have connected to your server you can begin the installation by issuing the “yast” command which will begin the installation and forward the X11 traffic to your machine as shown in Figure 3.2.
Now that you know how easy it is to install SUSE over SSH I hope you will choose this method over the traditional VNC. I would also recommend reading the SSH man pages to see what other qualifiers you can use to aid you with your installation.
This article was tested on SUSE Linux Enterprise Server 10