For 1.7.0 and above
Synergy 1.7.0 introduces SSL based encryption as a plugin to synergy. This is much more secure than the previous in-house encryption.
Normally, the plugin in installed during the setup wizard for Synergy Pro users. The SSL plugin can be installed manually, if installed from the source code. To compile the source code see compiling. After compiling, the plugin can be found in
sourceDir/bin/plugins/. To manually install a plugin, just copy the plugin from the
bin folder to the plugin directory. To find the plugin directory see plugins.
OpenSSL also needs to be installed. On most linux distros OpenSSL can be installed through the package manager.
Generating Certificate and Fingerprint
The following commands 1) make the directories, 2) create the certificate, 3) create the local fingerprint, 4) clean up the fingerprint file
mkdir -p ~/.synergy/SSL/Fingerprints openssl req -x509 -nodes -days 365 -subj /CN=Synergy -newkey rsa:1024 -keyout ~/.synergy/SSL/Synergy.pem -out ~/.synergy/SSL/Synergy.pem openssl x509 -fingerprint -sha1 -noout -in ~/.synergy/SSL/Synergy.pem > ~/.synergy/SSL/Fingerprints/Local.txt sed -e "s/.*=//" -i ~/.synergy/SSL/Fingerprints/Local.txt
For 1.4.12 to 1.6.*
Synergy 1.4.12 features encryption, which can be configured using the Synergy GUI. For users in security critical environments, we recommend using the Synergy encryption, along with additional security precautions (such as SSH tunnelling described below).
For 1.4.11 and below
Synergy version 1.4.11 and below does not support any authentication or encryption. Any computer can connect to the synergy server if it provides a screen name known to the server, and all data is transferred between the server and the clients unencrypted which means that anyone can, say, extract the key presses used to type a password. Therefore, synergy should not be used on untrusted networks.
However, there are tools that can add authentication and encryption to synergy without modifying either those tools or synergy. One such tool is SSH (which stands for secure shell). A free implementation of SSH is called OpenSSH and runs on Linux, many Unixes, and Windows (in combination with Cygwin).
Configuring the Server
Install the OpenSSH server on the same computer as the synergy server. Configure the OpenSSH server as usual (synergy doesn't demand any special options in OpenSSH) and start it. Start the synergy server as usual; the synergy server requires no special options to work with OpenSSH.
Configuring the Clients
Install the OpenSSH client on each synergy client computer. Then, on each client, start the OpenSSH client using port forwarding:
ssh -f -N -L localhost:24800:server-hostname:24800 server-hostname
Or, if that does not work, try:
ssh user@server-hostname -L 24800:localhost:24800 -N
The server-hostname is the name or address of the computer with the OpenSSH and synergy servers. The 24800 is the default network port used by synergy; if you use a different port then replace both instances of 24800 with the port number that you use. Finally, start the synergy client normally except use localhost as the server host name. For example:
synergyc -f localhost
Synergy will then run normally except all communication is passed through OpenSSH which decrypts/encrypts it on behalf of synergy.
(Optional) Configuring the Clients with autossh
Autossh is a tool for the OpenSSH to automatically monitor and re-establish ssh tunnels.
An example script for creating the ssh-tunnel and connecting the Synergy client through it:
#!/bin/sh #Start SSH-tunnel to destination server autossh -f -N -q -L 24800:localhost:24800 username@server #Start synergy client synergyc localhost
Now both synergy and ssh runs as a background service. I use this script in my X session startup.
Setting up synergy through SSL tunneling
Sometimes you would like to choose SSL instead of SSH, for example if you don't want or can't run ssh service on the host. This means that you actually have to set up your own CA/PKI infrastructure, which sounds terribly cumbersome, but actually not really that bad (if using correct tools).
Creating certificates using certtool from gnutls-bin package
Server: create CA private key
certtool -p --outfile ca.key
Server: create CA certificate. Make sure you answer "y" to "Does the certificate belong to an authority?" and "Will the certificate be used to sign other certificates?" question.
certtool -s --load-privkey ca.key --outfile ca.crt
Server: generate server key
certtool -p --outfile srv.key
Server: generate server certificate. Answer "Y" to questions about certificate usage for signing and encryption.
certtool -c --load-ca-privkey ca.key --load-ca-certificate ca.crt --load-privkey srv.key --outfile srv.crt
Client: generate private key
certtool -p --outfile client.key
Client: generate certificate request
certtool -q --outfile client.req --load-privkey client.key
Transfer client.req from client to server. socat and netcat are your friends ;)
srv$ socat -d -d tcp-l:1234,reuseaddr - > client.req client$ socat tcp:srv.local:1234 - < client.req
Server: sign client request. Answer "Y" to questions about certificate usage for signing and encryption.
certtool -c --load-ca-privkey ca.key --load-ca-certificate ca.crt --load-request client.req --outfile client.crt
Transfer client.crt and ca.crt from server to client.
Voilà! Now we have working PKI infrastructure. For additional security you might use completely different machine for CA stuff ;)
Running synergy over SSL using socat
Current example assumes that you have working configuration in $HOME/.synergy.conf
synergys -a 127.0.0.1 socat -d -d openssl-listen:1234,reuseaddr,fork,cert=srv.crt,key=srv.key,cafile=ca.crt tcp:localhost:24800
At client (replace srv.local with your appropriate server name/ip):
synergyc localhost socat -d -d tcp-l:24800,bind=127.0.0.1,reuseaddr,fork openssl:srv.local:1234,cafile=ca.crt,key=client.key,cert=client.crt