Security

From Synergy Wiki
Jump to: navigation, search

Contents

For 1.4.12 and above

Synergy 1.4.12 features encryption, which can be configured using the Synergy GUI. For users in security critical environments, we recommend using the Synergy encryption, along with additional security precautions (such as SSH tunnelling described below).

For 1.4.11 and below

Synergy version 1.4.11 and below does not support any authentication or encryption. Any computer can connect to the synergy server if it provides a screen name known to the server, and all data is transferred between the server and the clients unencrypted which means that anyone can, say, extract the key presses used to type a password. Therefore, synergy should not be used on untrusted networks.

However, there are tools that can add authentication and encryption to synergy without modifying either those tools or synergy. One such tool is SSH (which stands for secure shell). A free implementation of SSH is called OpenSSH and runs on Linux, many Unixes, and Windows (in combination with Cygwin).

Configuring the Server

Install the OpenSSH server on the same computer as the synergy server. Configure the OpenSSH server as usual (synergy doesn't demand any special options in OpenSSH) and start it. Start the synergy server as usual; the synergy server requires no special options to work with OpenSSH.

Configuring the Clients

Install the OpenSSH client on each synergy client computer. Then, on each client, start the OpenSSH client using port forwarding:

ssh -f -N -L localhost:24800:server-hostname:24800 server-hostname

Or, if that does not work, try:

ssh user@server-hostname -L 24800:localhost:24800 -N

The server-hostname is the name or address of the computer with the OpenSSH and synergy servers. The 24800 is the default network port used by synergy; if you use a different port then replace both instances of 24800 with the port number that you use. Finally, start the synergy client normally except use localhost as the server host name. For example:

  synergyc -f localhost

Synergy will then run normally except all communication is passed through OpenSSH which decrypts/encrypts it on behalf of synergy.

(Optional) Configuring the Clients with autossh

Autossh is a tool for the OpenSSH to automatically monitor and re-establish ssh tunnels.

An example script for creating the ssh-tunnel and connecting the Synergy client through it:

#!/bin/sh

#Start SSH-tunnel to destination server
autossh -f -N -q -L 24800:localhost:24800 username@server

#Start synergy client
synergyc localhost

Now both synergy and ssh runs as a background service. I use this script in my X session startup.

Setting up synergy through SSL tunneling

Sometimes you would like to choose SSL instead of SSH, for example if you don't want or can't run ssh service on the host. This means that you actually have to set up your own CA/PKI infrastructure, which sounds terribly cumbersome, but actually not really that bad (if using correct tools).

Creating certificates using certtool from gnutls-bin package

Server: create CA private key

certtool -p --outfile ca.key

Server: create CA certificate. Make sure you answer "y" to "Does the certificate belong to an authority?" and "Will the certificate be used to sign other certificates?" question.

certtool -s --load-privkey ca.key --outfile ca.crt

Server: generate server key

certtool -p --outfile srv.key

Server: generate server certificate. Answer "Y" to questions about certificate usage for signing and encryption.

certtool -c --load-ca-privkey ca.key --load-ca-certificate ca.crt --load-privkey srv.key --outfile srv.crt

Client: generate private key

certtool -p --outfile client.key

Client: generate certificate request

certtool -q --outfile client.req --load-privkey client.key

Transfer client.req from client to server. socat and netcat are your friends ;)

srv$ socat -d -d tcp-l:1234,reuseaddr - > client.req
client$ socat tcp:srv.local:1234 - < client.req

Server: sign client request. Answer "Y" to questions about certificate usage for signing and encryption.

certtool -c --load-ca-privkey ca.key --load-ca-certificate ca.crt --load-request client.req --outfile client.crt

Transfer client.crt and ca.crt from server to client.

VoilĂ ! Now we have working PKI infrastructure. For additional security you might use completely different machine for CA stuff ;)

Running synergy over SSL using socat

Current example assumes that you have working configuration in $HOME/.synergy.conf

At server:

 synergys -a 127.0.0.1
 socat -d -d openssl-listen:1234,reuseaddr,fork,cert=srv.crt,key=srv.key,cafile=ca.crt tcp:localhost:24800

At client (replace srv.local with your appropriate server name/ip):

 synergyc localhost
 socat -d -d tcp-l:24800,bind=127.0.0.1,reuseaddr,fork openssl:srv.local:1234,cafile=ca.crt,key=client.key,cert=client.crt
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox