Security
Authentication and Encryption
Synergy does not do any authentication or encryption. Any computer can connect to the synergy server if it provides a screen name known to the server, and all data is transferred between the server and the clients unencrypted which means that anyone can, say, extract the key presses used to type a password. Therefore, synergy should not be used on untrusted networks.
However, there are tools that can add authentication and encryption to synergy without modifying either those tools or synergy. One such tool is SSH (which stands for secure shell). A free implementation of SSH is called OpenSSH and runs on Linux, many Unixes, and Windows (in combination with Cygwin).
Configuring the Server
Install the OpenSSH server on the same computer as the synergy server. Configure the OpenSSH server as usual (synergy doesn't demand any special options in OpenSSH) and start it. Start the synergy server as usual; it requires no special options to work with OpenSSH. Note, however, that it still listens on every interface: if only tunnelled clients should be able to connect, start it with -a 127.0.0.1 (as the socat example further down this page does) so that it accepts connections on the loopback interface only.
Configuring the Clients
Install the OpenSSH client on each synergy client computer. Then, on each client, start the OpenSSH client using port forwarding (-L forwards a local port through the tunnel, -N opens no remote shell, and -f sends ssh to the background once it has authenticated):
ssh -f -N -L localhost:24800:server-hostname:24800 server-hostname
Or, if that does not work, try:
ssh user@server-hostname -L 24800:localhost:24800 -N
The server-hostname is the name or address of the computer with the OpenSSH and synergy servers. The 24800 is the default network port used by synergy; if you use a different port then replace both instances of 24800 with the port number that you use. Finally, start the synergy client normally except use localhost as the server host name. For example:
synergyc -f localhost
Synergy will then run normally except all communication is passed through OpenSSH which decrypts/encrypts it on behalf of synergy.
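A launcher for the client side of the SSH setup above, written here as an added example rather than taken from the Synergy project. It assumes it is run as ./synergy-ssh.sh user@server-hostname [port] with ssh and synergyc on the PATH. It pins both ends of the forward to 127.0.0.1, validates the port (the "replace both instances of 24800" step), and passes ExitOnForwardFailure so that a local port already in use makes ssh fail instead of backgrounding silently, in which case synergyc would otherwise connect to whatever already holds that port.

```shell
#!/bin/sh
# Added example (not from the Synergy project): start the SSH tunnel for a
# synergy client with explicit options, then start synergyc through it.
# Assumed invocation: ./synergy-ssh.sh user@server-hostname [port]

# Build the -L argument. Both ends are pinned to 127.0.0.1 so the local
# listener is never exposed to the LAN and the remote end reaches only the
# synergy server's loopback interface.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s\n' "$1" "$1"
}

# Accept only a numeric TCP port in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssh options for the tunnel, one per line so they can be reviewed:
#   -N                    no remote command; the session carries only the forward
#   -f                    go to the background after authentication
#   ExitOnForwardFailure  fail instead of backgrounding when the local port is
#                         already taken (otherwise synergyc would talk to
#                         whatever already holds that port)
#   ServerAliveInterval   notice a dead connection instead of hanging
tunnel_args() {
    printf '%s\n' -N -f \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L "$(forward_spec "$1")"
}

start_tunnel() {
    target=$1; port=$2
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    # tunnel_args emits one argument per line and none contain whitespace,
    # so the unquoted substitution splits exactly into those arguments
    ssh $(tunnel_args "$port") "$target"
}

main() {
    target=$1; port=${2:-24800}
    [ -n "$target" ] || { echo "usage: $0 user@server-hostname [port]" >&2; exit 2; }
    start_tunnel "$target" "$port" || exit 1
    # synergyc connects to the local end of the tunnel, as the page describes;
    # 127.0.0.1 rather than localhost avoids a first attempt on ::1, and -f
    # keeps it in the foreground so connection errors stay visible.
    exec synergyc -f "127.0.0.1:$port"
}

# Run only when given arguments; with none, just define the functions.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

The script exits before starting synergyc whenever the port is malformed or ssh could not bind the local port, so the synergy client never runs against an unencrypted or unrelated listener.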
(Optional) Configuring the Clients with autossh
Autossh is a companion tool for OpenSSH that monitors an ssh tunnel and automatically re-establishes it when it drops.
An example script for creating the ssh-tunnel and connecting the Synergy client through it:
#!/bin/sh
# Start SSH tunnel to destination server
autossh -f -n -q -L 24800:localhost:24800 username@server
# Start synergy client
synergyc localhost
Now both synergy and ssh run as background services. I use this script in my X session startup.
Setting up synergy through SSL tunneling
Sometimes you would like to use SSL instead of SSH, for example if you don't want to or can't run an ssh service on the host. This means that you have to set up your own CA/PKI, which sounds terribly cumbersome but is actually not that bad with the right tools.
Creating certificates using certtool from gnutls-bin package
Server: create CA private key
certtool -p --outfile ca.key
Server: create the CA certificate. Make sure you answer "y" to the "Does the certificate belong to an authority?" and "Will the certificate be used to sign other certificates?" questions.
certtool -s --load-privkey ca.key --outfile ca.crt
Server: generate server key
certtool -p --outfile srv.key
Server: generate the server certificate. Answer "Y" to the questions about certificate usage for signing and encryption.
certtool -c --load-ca-privkey ca.key --load-ca-certificate ca.crt --load-privkey srv.key --outfile srv.crt
Client: generate private key
certtool -p --outfile client.key
Client: generate certificate request
certtool -q --outfile client.req --load-privkey client.key
Transfer client.req from client to server. socat and netcat are your friends ;)
srv$ socat -d -d tcp-l:1234,reuseaddr - > client.req
client$ socat tcp:srv.local:1234 - < client.req
Server: sign the client request. Answer "Y" to the questions about certificate usage for signing and encryption.
certtool -c --load-ca-privkey ca.key --load-ca-certificate ca.crt --load-request client.req --outfile client.crt
Transfer client.crt and ca.crt from server to client. ca.crt becomes the client's trust anchor, so compare its fingerprint on both machines (certtool -i --infile ca.crt prints it) before relying on it.
Voilà! Now we have a working PKI. For additional security you might use a completely different machine for the CA stuff ;)
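The certtool steps above, run non-interactively from template files so that the "answer y" prompts cannot be answered wrongly, as an added example that is not part of this page or the Synergy project. Template keywords such as ca, cert_signing_key, tls_www_server, signing_key and encryption_key are certtool's documented equivalents of its interactive questions. It assumes an invocation of ./synergy-pki.sh <outdir> <server-dns-name>, that certtool from gnutls-bin is installed, and, for simplicity, that everything lands in one directory; in real use client_request runs on the client and only client.req, client.crt and ca.crt cross the network, exactly as in the steps above. The organisation and CN strings are constructed sample values. It goes slightly beyond the steps above by adding a dns_name to the server certificate, marking server and client usage, creating every file with umask 077, and verifying each certificate against the CA at the end.

```shell
#!/bin/sh
# Added example (not from the Synergy project): the certtool PKI steps from the
# page, driven by template files instead of interactive prompts.
# Assumed invocation: ./synergy-pki.sh <outdir> <server-dns-name>

DAYS=${DAYS:-730}   # lifetime, in days, of every certificate created here

# Write a certtool template. kind: ca | server | client.
# Each keyword is certtool's template equivalent of one of its prompts:
#   ca               -> "Does the certificate belong to an authority?"      y
#   cert_signing_key -> "Will the certificate be used to sign other certs?" y
#   signing_key / encryption_key -> the "signing and encryption" usage questions
write_template() {
    out=$1; name=$2; kind=$3
    {
        echo 'organization = "Synergy home PKI"'    # constructed sample value
        echo "cn = \"$name\""
        echo "expiration_days = $DAYS"
        case $kind in
            ca)     echo ca; echo cert_signing_key ;;
            server) echo "dns_name = \"$name\""; echo tls_www_server
                    echo signing_key; echo encryption_key ;;
            client) echo tls_www_client; echo signing_key; echo encryption_key ;;
            *)      echo "unknown template kind: $kind" >&2; return 2 ;;
        esac
    } > "$out"
}

# A private key file must be readable by its owner only (mode 0600 or stricter).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Server: CA key and self-signed CA certificate (certtool -p / -s above).
ca_init() {
    dir=$1
    write_template "$dir/ca.tmpl" "Synergy CA" ca
    certtool --generate-privkey --outfile "$dir/ca.key"
    certtool --generate-self-signed --load-privkey "$dir/ca.key" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca.crt"
}

# Server: server key and CA-signed server certificate (certtool -p / -c above).
server_cert() {
    dir=$1; host=$2
    write_template "$dir/srv.tmpl" "$host" server
    certtool --generate-privkey --outfile "$dir/srv.key"
    certtool --generate-certificate --load-privkey "$dir/srv.key" \
        --load-ca-privkey "$dir/ca.key" --load-ca-certificate "$dir/ca.crt" \
        --template "$dir/srv.tmpl" --outfile "$dir/srv.crt"
}

# Client: the key stays on the client; only the request leaves (certtool -p / -q).
client_request() {
    dir=$1; name=$2
    write_template "$dir/client.tmpl" "$name" client
    certtool --generate-privkey --outfile "$dir/client.key"
    certtool --generate-request --load-privkey "$dir/client.key" \
        --template "$dir/client.tmpl" --outfile "$dir/client.req"
}

# Server: sign the received request with a template the CA wrote itself, so the
# CA, not the requester, decides the certificate's usages (certtool -c above).
ca_sign_client() {
    dir=$1; name=$2
    write_template "$dir/client-sign.tmpl" "$name" client
    certtool --generate-certificate --load-request "$dir/client.req" \
        --load-ca-privkey "$dir/ca.key" --load-ca-certificate "$dir/ca.crt" \
        --template "$dir/client-sign.tmpl" --outfile "$dir/client.crt"
}

# Check that a certificate chains to the CA, which is what socat's cafile= does.
verify_against_ca() {
    ca=$1; crt=$2
    cat "$crt" "$ca" | certtool --verify-chain >/dev/null
}

make_pki() {
    dir=$1; host=$2
    umask 077                  # every file created below, keys included, is 0600
    mkdir -p "$dir"
    ca_init "$dir"
    server_cert "$dir" "$host"
    client_request "$dir" "synergy-client"
    ca_sign_client "$dir" "synergy-client"
    verify_against_ca "$dir/ca.crt" "$dir/srv.crt"
    verify_against_ca "$dir/ca.crt" "$dir/client.crt"
    key_is_private "$dir/ca.key" && key_is_private "$dir/srv.key" \
        && key_is_private "$dir/client.key"
}

case $# in
    2) make_pki "$1" "$2" ;;
    0) ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 <outdir> <server-dns-name>" >&2; exit 2 ;;
esac
```

The dns_name in the server certificate matters once the client checks the server's name as well as its CA signature; recent socat releases can do this with the commonname= option on the openssl: address, which pins the name the server certificate must carry.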
Running synergy over SSL using socat
This example assumes that you have a working configuration in $HOME/.synergy.conf. Giving socat cafile=ca.crt on both sides makes it verify the peer's certificate against the CA, so the server accepts only clients presenting a certificate signed by your CA, and the client only connects to a server holding one.
At server:
synergys -a 127.0.0.1
socat -d -d openssl-listen:1234,reuseaddr,fork,cert=srv.crt,key=srv.key,cafile=ca.crt tcp:localhost:24800
At client (replace srv.local with your appropriate server name/ip):
synergyc localhost
socat -d -d tcp-l:24800,bind=127.0.0.1,reuseaddr,fork openssl:srv.local:1234,cafile=ca.crt,key=client.key,cert=client.crt