This site is best viewed in Mozilla Firefox or Google Chrome
Tue, 3rd Jun 2014 01:29:54
Never fear, this site is here  

#Setting up synergy auto-start securely

Synergy is a popular application for sharing a keyboard and mouse between multiple computers on multiple operating systems using your network. One of it's biggest flaws is that the underlying protocol is unencrypted. This means that people could potentially read what you type remotely. This article describes a method for setting up an encryption layer for Unix-like and Windows machines as well as automatically starting Synergy on system boot-up without user-prompts.

While I have no doubt there are several articles on this subject elsewhere, I'm going to give you a walk through from my point of view about how you can set up synergy across multiple Windows and Unix-like systems securely.

This walk through will be divided into two parts. First will be Unix-like setup and the second part will be Windows setup.

I make a few assumptions in this article. The first is that your synergy server will be running on a Unix-like machine. The second is that all Unix-like machines in your set up will have either xdm, kdm or gdm installed and set to start an X server on system boot. I use gdm so this article uses gdm specific examples but you should be able to adapt them using coresponding paths given in The Synergy Autostart Guide.

This procedure was tested on Debian and works fine but if you find this doesn't work for your system and you happen to have figured out why, please let me know and I'll update this post!

Unix-like setup

Step 1 and 2 seem long winded but once they're set up you don't have to do it again. The client set up is easier for both Unix-like and Windows.

Step 1: Preparing the synergy server system

Obviously you need synergys installed and configured here. That is beyond the scope of this article. There is some information on installation and configuration at the synergy2 website: Running Synergy.

After you've got synergy set up we must configure the server system to initialise the synergy daemon on boot up. My approach is adapted from The Synergy Autostart Guide. Before beginning make sure you shut down whatever display manager you use. Often this can be accomplished by running /etc/init.d/YOURDISPLAYMANAGENAMER stop as root. If you do not shut them down, I've found that some display managers like to reset your configuration changes.

I use gdm so I edited /etc/gdm/Init/Default and inserted the following snippet at the very start of the script.

/usr/bin/killall -9 synergys
sleep 1
/usr/bin/synergys

This gets ran as root. You've started a synergys as root later we'll kill this process. Be sure that you're comfortable with the consequences of this action. If you ever see a remote vulnerability in synergy you should disable this immediately (truth be told you should probably disable all of synergy until a patch can be released :P)

If you have your synergy.conf located in your home directory then make sure your home directory is readable to root and use the -c switch on synergys to provide the path. Better yet, consider moving your synergy.conf in /etc/synergy.conf so it's globally accessible to both your user accounts and to root. Remember that if the synergy daemon cannot find your configuration none of this will work.

The other files the synergy autostart guides indicates do not exist on my system. I did however create /etc/gdm/PostLogin/Default and placed this in it:

#!/bin/sh
 
/usr/bin/killall -9 synergys
sleep 1
/usr/bin/synergys

This gets ran as root but in the same groups as the user you're logging in as. Finally /etc/gdm/Xsession was edited with the following inserted at near the top

/usr/bin/killall -9 synergys
sleep 1
/usr/bin/synergys

As you would expect this one runs as the user you've logged in as.

Step 2: Preparing a SSH tunnel on the server system

Next step is to create a user called "synergy" that is used when remote clients wish to establish a SSH tunnel for the purposes of using synergy. The idea is that we'll create a tunnel that can automatically be established without user input but one that minimises risk to the server system from the outside.

First let's create the user. You will need root for this action. When you come to the password prompts just hit ctrl+D on them both, this should create a user account with a locked password (i.e. you can't authenticate as this user by any password).

root# adduser synergy
Adding user `synergy' ...
Adding new group `synergy' (1001) ...
Adding new user `synergy' (1001) with group `synergy' ...
Creating home directory `/home/synergy' ...
opying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error passwd: password unchanged
Try again? [y/N] N
Changing the user information for synergy
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
root#

We will set the default shell later but for now we use the su command to change our user ID to that of our newly created user.

root# su synergy
synergy#

What we now need to do is generate a dsa key pair that doesn't require a paraphrase. Since there is no paraphrase the tunnel that we'll establish later does not require the user to input the paraphrase. When the prompt asks you for a paraphrase just hit enter. After we've created it we will rename the id_dsa.pub file to authorized_keys and do nothing with the private key - remember it exists though we will use this later during the client setup.

synergy$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/synergy/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/synergy/.ssh/id_dsa.
Your public key has been saved in /home/synergy/.ssh/id_dsa.pub.
The key fingerprint is: 19:02:c3:ef:0a:fe:0b:cd:9d:c4:c8:5c:5c:36:59:6f synergy@pride
The key's randomart image is:
+--[ DSA 1024]----+
|   .o   +o.      |
|    .+ o.. .     |
|     .+ .   E    |
|   o +.. o .     |
|    +.o S        |
|  .o o..         |
| ...o.o          |
|  ...            |
|   .o.           |
+-----------------+
synergy$ cd ~/.ssh
synergy$ mv id_dsa.pub authorized_keys
synergy$ exit
root#

Make sure that the /home/synergy/.ssh directory is set to the following permissions and ownership:

drwx------ 2 synergy synergy 4096 2009-08-23 17:21 .ssh

And that the authorized_keys file has the following permissions and ownership:

-rw------- 1 synergy synergy 717 2009-08-23 17:21 /home/synergy/.ssh/authorized_keys

If the permissions are different use chmod and chown to set the permissions properly.

Finally edit authorized_keys to add the following directives at the start. This will restrict any ssh tunnels to only allowing the exit point to be localhost:24800 which is the address our synergy server runs at. We do this by use of the permitopen and command directive. Edit the authorized_keys files to look like this:

command="/usr/bin/python -c 'import time; while 1: print time.time(); time.sleep(30.0)'",permitopen="127.0.0.1:24800" ssh-dss AAAA .. AAC= synergy@pride

Where "ssh-dss AAAA .. AAC=" was the original key. For explanation the command given just keeps the tunnel open by sending the time once every 30 seconds. You can use any command that will send something every once in a while over the tunnel. The permitopen directive explicitly tells the sshd that anybody that is connecting via that key may only open connections to port 24800 on the localhost. This is the address that our synergy server runs by default. If you've reconfigured the listening port and host of synergy then adapt this to conform to your own configuration. This prevents somebody using the synergy server as a dynamic proxy. This is good.

In order to make sure that our authorized_keys set up will work you should make sure three lines in your /etc/ssh/sshd_config file are not commented out and if they are, uncomment them and restart the sshd.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     %h/.ssh/authorized_keys

You can restart the sshd by doing the following

root# /etc/init.d/ssh restart

After this we set the default shell of the synergy user to something that never exits and does not allow the user to execute any commands. Sleep Shell is a good example. Download the latest source code from their site and follow install.txt to install it. At the time of writing the procedure is dead simple. Execute the following commands as root to download, compile and set up the dummy shell for our synergy user:

# wget http://www.mariovaldez.net/software/sleepshell/files/sleepshell_0.0.2.tar.gz
--2009-09-02 17:07:16--  http://www.mariovaldez.net/software/sleepshell/files/sleepshell_0.0.2.tar.gz
Resolving www.mariovaldez.net... 72.249.17.151
Connecting to www.mariovaldez.net|72.249.17.151|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10274 (10K) [application/x-gzip]
Saving to: `sleepshell_0.0.2.tar.gz'
 
100%[================================================================================================================>] 10,274      32.7K/s   in 0.3s    
 
2009-09-02 17:07:17 (32.7 KB/s) - `sleepshell_0.0.2.tar.gz' saved [10274/10274]
# tar xzf sleepshell_0.0.2.tar.gz 
# cd sleepshell
# make
gcc -O2 -g sleepshell.c -o sleepshell
strip sleepshell
# cp sleepshell /usr/local/bin/sleepshell
# usermod -s /usr/local/bin/sleepshell synergy

As a summary of what we've done.

  • We installed and configured synergys
  • We configured synergys to start up with our display manager
  • We created a dummy user for ssh tunneling
  • We created an authorized_keys configuration that restricts ssh tunnels to the synergy daemon only
  • We set the shell of the dummy user to be a safe and neutral binary

Step 3: Preparing Unix-like synergy clients

Again I'll assume you've already installed and configured synergy on your client machine and again I'll point you towards the Running Synergy article from their website if you have not. I assume that you've followed step 1 and step 2 successfully and that you have a Unix-like system running a synergy server and SSH tunneling user.

First, we need to create another dummy synergy user for use as the tunnel. Follow the exact same approach as previous for adding that user. Hit ctrl+D for the password fields. Create a directory in the users home called /home/synergy/.ssh/

Remember that private DSA key we created earlier for the synergy tunnel user? Let's copy that over to our client machines and put it in /home/synergy/.ssh/. Make sure the permissions are set like before.

Now like we did with the synergy server we will set the clients to automatically run synergyc on start up. Once again my approach is adapted from The Synergy Autostart Guide but in addition opens the SSH tunnel as the "synergy" dummy user and then listens in the background. Create a file, call it /root/InitSynergyTunnel.sh and put the following in that file, replacing "YOURSERVERHOSTNAME" with the hostname of your synergy server.

#!/bin.bash
while true;
do /bin/su - synergy -c "/usr/bin/ssh -N -L 24800:127.0.0.1:24800 -i /home/synergy/.ssh/id_dsa -l synergy YOURSERVERHOSTNAME";
done;

This file will loop and constantly attempt to reestablish a tunnel in the event the tunnel is lost. Make sure /root/InitSynergyTunnel.sh is executable and insert the following near the top of /etc/gdm/Init/Default:

/root/InitSynergyTunnel.sh &
/usr/bin/killall synergyc
sleep 1
/usr/bin/synergyc localhost

Insert the following into /etc/gdm/PostLogin/Default:

#!/bin/sh
 
/usr/bin/killall -9 synergyc
sleep 1
/usr/bin/synergyc localhost

Finally insert the following near the top of /etc/gdm/Xsession:

/usr/bin/killall -9 synergyc
sleep 1
/usr/bin/synergyc localhost

If all goes well when you next start gdm an ssh tunnel should start up and then the synergy client application will connect to it which in turn will connect to the synergy server system and finally to the synergy server daemon itself.

Test the entire set up now by shutting down gdm on both machines and then restarting it. If the synergy server is not online the synergy client should sit and wait and keep trying.

Step 4: Preparing Windows clients

A note for Vista and later users: Before continuing in this section I should mention that there are issues with this section on Windows Vista and later. This is due to session 0 isolation which prevents services from interacting with the desktop of user login sessions. Since the Windows Synergy client by default requires this ability there are therefore known issues with Synergy on windows. There are work-arounds I've found but not tested that you attempt at your own risk. Fixing Problems with Synergy on Windows Vista, see also Make Windows 7 or Vista Log On Automatically and Disable User Account Control(UAC) For Administrators Only

For Windows I use putty as my ssh client. The people who make putty develop various other ssh tools including pscp (a scp tool), psftp (a sftp tool), plink (a command prompt ssh client), putty (a ssh client in a self contained window), as well as puttygen (a ssh keypair generator tool) and pageant (a ssh key agent). For this part of the tutorial I will make use of plink and puttygen. You can download these tools freely from here.

First thing we have to do is prepare a windows encryption key. plink, putty, etc all use a slightly different key format than the keys we've already generated. Luckily the puttygen tool allows us to convert our existing passwordless DSA private key to a putty private key.

Copy the id_dsa key file generated in the previous steps to the Windows machine and then run puttygen. From the menu select "Conversions" and then "Import Key". Locate the id_dsa key file in your file system and click Open. This should look something like this:

Converting openssh private key to putty private key

Click "Save Private Key". When It prompts to ask if you are sure you want to create a key with no passphrase click yes and save the key somewhere.

Next we need to start our tunnel at boot up. To do this we need a service to run at boot that opens the tunnel for us. I'm sure there are other ways to do this, perhaps some better for you (using AutoExNT, or the recommended methods for XP, NT/2000). The method I'm using is that of the XP method even though I'm using Vista myself. You'll need the windows resource kit if you don't already have it you can download it from here.

Once installed create a file somewhere called "SynergyTunnel.bat" that contains the following adapted for your set up.

start:
plink -i "c:\PATH\TO\YOUR\PRIVATE\KEY.ppk" -L 24800:localhost:24800 -N synergy@THE-SYNERGY-SERVER-HOST
goto start

Create a service called "Synergy Tunnel" that will set up the tunnel to the synergy server by running the following:

sc create "Synergy Tunnel" binPath= "C:\Program Files\Windows Resource Kits\Tools\srvany.exe"

Substitute the path to the resource kit where appropriate. Srvany is a tool that allows you to run any Windows application as a service. What we've done so far is just create a dummy service. Now we need to tell the service specifically what application to run. To do this we run regedit and then navigate to the register key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Synergy Tunnel. We then create a new sub key called "Parameters". Then navigate into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Synergy Tunnel\Parameters and add two string values. The first is called "AppDirectory" and the second is "Application". Once created set the values. "Application" should be the path to your "SynergyTunnel.bat" file and "AppDirectory" should be the path to the directory that contains the batch file.

Then to set it to start automatically we run services.msc, find our new service go to properties and set it to start automatically. We can then start our service by clicking start.

After that has been done you can test it works by either restarting Windows or running services.msc and starting the service then start the Synergy client and connect it to localhost:24800. If it connects to your Synergy server then it's working. If not you might need to change the Synergy Tunnel service to run under your user account rather than the default Local System Account. To do this go to the service properties then to the "Log On" tab, "browse", "Advanced", "Find Now", then select your user name and click OK and then OK again, enter your password and apply. Then try again.

Next is to set up Synergy to start automatically. This should work on XP and older. Open the Synergy client and click on the "AutoStart..." button. You can choose to run Synergy when you log in or when your computer starts. Click on whatever option you want and then click close. You can again ensure the service is started by running services.msc. For fixing this to work on Vista see Fixing Problems with Synergy on Windows Vista.

There is 1 comment on this post. Make a comment.
Powered by Debian, Jack Daniels, Guinness, and excessive quantities of caffeine and sugar.