Slashdot Mirror
Ask Slashdot: Options For FOSS Remote Support Software?
Albanach writes "I'm sure I'm not alone in being asked to help friends and family with computer issues. These folk typically run Windows (everything from XP onward) or OS X (typically 10.4 onward). Naturally, desktop sharing is often much easier than trying to talk the other end through various steps. I've found free sites like join.me but they don't work with OS X 10.4, neither does the Chrome plugin. I'd also prefer not to compromise security by using a third party in the middle of the connection. Is there a good, free solution I can run on my linux box that supports old and new clients that run Windows, OS X and possibly linux? I'd love it if the users could simply bring their systems up to date, but that doesn't solve the third party issue and it's not easy when it requires a non-trivial RAM upgrade on a Mac Mini."
Because that's what you want.
Hail Eris, full of mischief...
E pluribus sanguinem
VNC is probably the most prolific remote access client / server software in existence. It is open source, although some companies have created enhanced functionality on top of VNC which is available as commercial products. OSX supports VNC type remote access natively.
Better known as 318230.
The Google+ hangouts works for my students when they have software issues. I second-seat them and things run smoothly. If you are doing the maintenance on their computers, you can ensure that the plugin installs correctly and go from there. -TN
its free for non-commercial use. my mom lives almost 2000 miles away and that's what i use to help her.
Since VNC is notoriously insecure, it's good practice to only run it over ssh on an untrusted network.
So, the answer is both.
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
What you're looking for doesn't exist. VNC is great, but without the middleman you're never going to have ease-of-use for the people you're trying to help... they're going to give up trying to get port-forwards set up on their router long before you actually get in to help them.
Logmein / Teamviewer / etc is what is needed, and just plain works. If you have to choose one, it should be Teamviewer... can run client and support on all three specified platforms, and the QuickSupport option on Windows is a godsend - nothing like telling a client / grandma / whoever to simply download and run a small executable to let you in and help them.
Other posts have already mentioned VNC, naturally. But more specifically, what you want is reverse VNC. You set up a VNC listener, and firewall port forwarding etc. on you end. Then ask the user to download a simple server executable (e.g. tvnserver.exe in the case of Windows/TightVNC) and connect to your IP address.
Its not FOSS, and there is a middle man to negotiate things to get you connected.
It is however free for non-commercial use.
You can remote control -from- Windows, OSX, Linux, iphone, and android.
You can remote control -to- windows, OSX, Linux, and recently samsung androids.
It just works. The person you are trying to support can get connected to you by clicking the "Join Remote Support Session" URL, and running the quick support app. They don't have to install the software, or configure their firewall, or fiddle with various modes etc.
You can connect to pretty much anyone anywhere from pretty much anything anywhere.
How does it compare to the various VNCs? Its much easier to get a connection going, and you don't waste more time trying to get a remote session going than it takes to actually perform the remote support.
Now, VNC is great, and if you set up your own public VNC repeater, and bundle your own VNC client to use that repeater you can get most of the way towards what you get with teamviewer without any effort at all.
I've been helping my now 83-year-old dad since the Win2K days using this solution:
- On dad's machine, install VNC server and PuTTY SSH client
- Set the VNC server NOT to run in service mode.
- Set the VNC server to accept connections from localhost (That used to be a registry setting, but it might be the default now)
- Set up a user called "sonarman" on my Linux machine. sonarman's shell is a script that loops forever, printing the date and hostname, then sleep 60.
- Set up a public/private keypair so sonarman can log into my linux machine without a password
- Set up a PuTTY session for sonarman that uses the private key to connect, and that forwards some port on my linux machine to the VNC server port on my dad's computer (5901)
- If necessary, tell Windows to allow PuTTY.exe to go OUT through the Windows firewall.
- Created a folder on dad's desktop called "Get help from Mike" - inside are two windows shortcuts, one to start sonarman's ssh connection to form the encrypted tunnel, and one to start the VNC server.
So when dad has a problem, he calls me, he opens the "Get help from Mike" folder, and double-clicks the PuTTY shortcut. When he says "OK, it's showing me today's date", I tell him to double click the other shortcut, and he tells me when the VNC icon shows up in the notifications area.
Once that's done, I connect a vncviewer to localhost:<whatever port I set up>, and I have a view of and control of Dad's desktop.
He can't do any harm to my system, because sonarman's shell doesn't accept any input.
Because his computer is initiating the connection, he doesn't need a fixed IP, nor any holes through the firewall besides the *outgoing* ssh connection.
My linux machine has an entry in DynDNS, and dad's PuTTY connects to my machine by hostname, so as long as my dyndnsd keeps the name up-to-date with Comcast's periodic re-assignments of my IP address, dad's computer can always find mine.
My firewall must be configured to allow incoming ssh connections (but I want that anyway).
I see most people here are recommending VNC. VNC and its brethren work, but can be very slow. A propriety alternative is Team Viewer. It is free as in beer and like VNC runs on all platforms under the sun (including Android and iOS). It is unlike VNC in that it is rock solid (I've never seen it hang), always quick enough to useable and requires no special setup to pierce NAT and firewalls.
I hope that one day open source figures our what the magic sauce is in Team View is and replicates it in VNC. Until that day arrives when I need to get shit down, I just use TeamView.
nonsense, no one is going to intercept your VNC stream during the time you are helping your relatives. get real, no one at your ISP is snooping traffice from home looking for a VNC session to tamper with. have your relatives turn off the server when done. you are more likely to get struck by lightening.
or entertain us by your laughingly improbable method by which you will intercept someone's VNC packets.
Exactly. That's why I use rsh on all my servers.
It's faster and easier and no one on the internet is possible sniffing my packets.
Mod me down, my New Earth Global Warmingist friends!
Logitech and best buy routinely sell cheap decent webcams. I've picked up regular ones, and 720p and 1080p HD versions for under ten bucks each shipped.
Bought one for each family member.
When they have a problem, I start a video chat with them, they take the webcam off the monitor and point it at the screen. On some cams you have to click the 'mirror' button to reverse the image. Then we work on the problem. If that computer is dead, put the webcam on a laptop and use that, or do a video chat with their phone or pad if they have one.
Securing software, poking hole in firewalls and all that seems like a waste of time when you can actually SEE whats going on for yourself.
The point being, the folks who need the help can't be relied upon to start/stop a VNC server, or carry out any other task
that isn't part of their normal routine. And leaving a VNC server running, with circa-1985 eight-character password, on a standard port,
is a security risk.
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
If your relatives leave the VNC server running, that's a VERY easy attack vector for anyone with a port scanner. If they leave an SSH server running (assuming you're smart and disable password authentication) and port-forward the VNC port over that (so the VNC port is never forwarded past the router), then there is VERY little chance anyone is going to use it against them.
Since VNC is notoriously insecure, it's good practice to only run it over ssh on an untrusted network.
So, the answer is both.
No, the solution is to have server initiated connections to a listening client that is launched on demand, which has the amazing added benefit that the techie is the one to configure his firewall/NAT appropriate rather than the noob. Consider the following secure handshake done over the telephone:
(Noob) Hi, can you help me with WinFooBarTunesExtreme? ...
(Techie) Sure, let me fire up my listening client and open a port on my local firewall and router
(Noob) I like turtles!
(Techie) Click on the little VNC icon near the clock, click "Connect to Listening Viewer" and type www.techiedomainname.com" then click OK
(Noob) Derp, OK, w-w-w-dot-t-e-c-h-i-e-d-o-m-a-i-n-n-a-m-e-dot-c-o-m, OK
(Techie) Cool, now I can see your screen, please reproduce the error while explaining to me what you are trying to do.
(Techie) Let's make sure that VNC is not set to accept connections, OK good, looks nice.
When the session is done, the noob drops the server connection and all is well. VNC server is not set to accept remote-initiated connections (trivial to configure right) so there's zero risk from that end. The techie closes the listening client and disables his port mappings (I hope).
Even the setup is easy, since the noob only has to click "Next" a bunch of time through the VNC server setup and then the techie can adjust the settings once he's connected. There's zero persistent open connections and so zero persistent attack surface. Since there's no passwords exchange, there's no risk of eavesdroppers stealing any credentials.
I give my (almost) 80-year-old a desktop icon which is called "Call John" and it starts up the VNC server with the appropriate command line options to start up a reverse connection to my computer.
If my IP address changes, I just email her a new shortcut file to replace the one on her desktop.
you haven't looked at the logs and seen people knocking on vnc ports have you?
I use this commercially, and its a super product. In fact I am duplicating 1 TB across a vpn tunnel on it right now.
Now you may not have noticed, but on the team viewer web site, on the main page is a link for "Join Remote Control Session"
this requires no admin access at all, and is not a installable product. I use this for exactly the case you state. You walk them there
to the website, tell them to click and run that. Then ask for their numbers. Really that is as about as simple as it gets.
This is also the only product my "secure" customers trust. So we plunked down 1400 for a real license after using it for
several months. Great product.
A few years ago, I was sitting in front of two PCs, using just one, but after a minutes, I noticed the start menu opened on the other, and some commands started typing themselves in. I immediately noticed the VNC icon notifying me someone was connected.
My guess: there's thousands of bots looking for open VNC connections. You don't have to be targeted specifically. Lesson: don't leave VNC to an open internet connection, even with a strong password.
You probably imagine some cracker in his basement snooping your VNC connection.
That's not the usual case. If you leave a VNC server running long enough someone will crack it. And it's bots. Plain old bots, that scan the ports.
It's not some cracker interested in YOU or YOUR communications. It's a botnet trying to add another node. Or something very much alike that.
It's insecure, I talk of experience, I've seen how (in)secure it is.
1. Set up a secure VPN server at your site. This serves two purposes: getting access to external machines, and security.
OpenVPN is a good one to use, but if you can set up OpenVPN AS either on a Linux box or in a Linux VM you'll make life much simpler for everyone.
2. Set up the people you want to support with VPN access.
3. Set up VNC on their machines. TightVNC running as a service is ideal, but take the following precautions:
a. Set the service to Manual so they have to turn it on each time.
b. Have authentication.
4. Create easily-accessible shortcuts for them to use, and train them to use them.
5. At the start of a support session, get them to connect to the VPN, start the VNC service. You can either get them to tell you the IP address, or look at the currently-active VPN connections.
6. At the end of a support session, get them to shut down the VNC service and disconnect from the VPN.
I've found that even computer neophytes can be trained to do their part, and if they've got a minimal level of skill it's possible to talk them through the initial setup of the VPN and VNC client software. You just need to get them to the point that you can remote control, and then you can lock it down (changing service to Manual, etc).
http://code.google.com/p/gitso/
.
.
.
.
"Gitso is a frontend to reverse VNC connections. It is meant to be a simple two-step process that connects one person to another's screen. First, the support person offers to give support. Second, the person who needs help connects and has their screen remotely visible. Because Gitso is cross-platform (Linux, OS X and Windows) and uses a reverse VNC connection, it greatly simplifies the process of getting support. "
You do realize that there are automated port scanners running on botnets all over the internet all the time, right?
I get hit with thousands of SSH requests a day on the machines I administer, all with random username/password attempts (none of which will work because I only ever allow public key auth). When one of those port scanners notices 5900 open on your granny's computer, and the password is brute-forced in a few seconds, I think you'll rethink your perspective on the issue.
Interception isn't necessary to hack a connection. There's a reason we firewall people are so difficult.
PS you could just add your own netblock to your relatives' firewall software on port 5900 and limit exposure.
- Michael T. Babcock (Yes, I blog)
Just use VNC in reverse connection mode. Make the server connect to you, not the other way around. Then you're the one who opens a port briefly for the connection, not your relative.
- Michael T. Babcock (Yes, I blog)
I'll repeat Gitso just because of how useful it is. If you just need visual, Skype's screen-sharing can be invaluable if you already use Skype to communicate.
Parent is over-rated. Exactly how is VNC "notoriously insecure"? Because it is not encrypted? Do you really think someone is going to intercept the screen drawing compressed bitmap traffic during some ad-hoc session?
This is exactly the thing I really hate to see up here. People doling out advice when they clearly have absolutely no clue. Some belief that "if it's for 30 seconds it's too fast for them to react". Packet monitoring is done by computers. It is done any time. It is done automatically. The network guys on your network have the right to do it "for network maintenance reasons". The professional ones a) wouldn't want to see and b) earn too much to risk it. Unfortunately they have all been outsourced to the lowest paid guy in India for whom the risk of being caught is nill and the benefit of selling your bank details; or even just enough information to make a "this is Microsoft and we know you have a virus" call is huge.
And what exactly will they get?
They want exactly only one thing. Your VNC password. They will then use that next time to start an automated session which does a small install just before you log in. After that you will never see them use your VNC ever again. Please hand in your computer operating license. None of this will involve a single person.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Or, possibly someone is sniffing around for unsecured vnc traffic, spots yours and sets up packet sniffing for the next time you use it and gets your cleartext password. So easy it could be automated and thus most likely is.
Just tunnel through SSH and you're good to go.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Bimbo Newton Crosby, if they'd ever tried to actually support a completely clueless user they'd know that VNC would be a BAD idea.
Honestly i just don't see how he is gonna be able to pull it off on both Windows AND OSX without some service in the middle, i really don't. Everything else is gonna require the user to at least have enough skills to start the thing up which is far from assured and leaving it running 24/7 is just asking for trouble.
This is why I'm glad I have all my family and customers on Win 7, MSFT may have made plenty of dumb moves but EasyConnect is a fricking Godsend, its the easiest damned thing I've ever dealt with for remote assistance. I simply pin Remote Assistance to the start menu and its as easy as "Hit start, see that thing at the top that says remote assistance? Yeah click on that, hit next, see my name? Yeah click on my name...hold on...okay I'm hooked up, see that little box that popped up that asks if I can have full control? Just click yes...okay I've got it now" and then I can just sit in my comfy chair and work the system like i was sitting right in front of it.
I wish there was something truly universal and that simple to use but if its out there so far I haven't found it. Just remember when you suggest programs we are talking normal folks, the stuff YOU would think is trivial to do is often so completely over their head it would literally be quicker to simply drive out to where they are and do the work than to sit their on the phone trying to talk them through it.
Oh and one final bit of advice for those that have to support the clueless...get Comodo Time Machine and install it NOW, you'll be glad you did. Think of it as a system restore that actually works and which doesn't get infected by malware. When my GF had to go across the state to take care of a sick relative and her niece screwed her laptop up so bad the thing wouldn't even boot to desktop it took me less than 15 minutes to get her back up and running thanks to CTM. Just set it to use around 10%-15% of the HDD space for snapshots and have it take a snapshot at boot (if you boot more than once a day it'll only take one snapshot so you won't run out of space) and you are golden. You can even lock a snapshot so you can have your own version of a factory refresh that will put the system right back to the way you had it with no muss or fuss. Just have them hit the Home key when they see the big clock, tell them what day you want them to go back to and voila! Instant fix.
ACs don't waste your time replying, your posts are never seen by me.
You all are trying to go at this the wrong way.
You should run a 'listening server' on your end, and send them a VNC single click binary.
http://www.uvnc.com/products/uvnc-sc.html
Single click binary does need to be setup by the admin (Ultra VNC has a webpage that generates the executable, the admin can do anything from having a single entry that just connects to your IP (on the listening server) upto having pretty graphics and customized greeter screens.). Having a dns entry that always points to your domain (johnsupport.dyndns.com in the worst case for example) also makes those single click instances working for quite some time.
I'm quite surprised so little people know about SC, even though VNC is quite well known here.
And again, TeamViewer is nice (albeit closed source) one always has to wonder, why would a company give you such a service, for free. Yes, they also have commercial offerings where there bread and butter comes from I'm sure. So does google/facebook, yet we all know what they really sell.
I see TeamViewer mentioned a lot. Another proprietary but free as in beer alternative is CrossLoop: http://www.crossloop.com/. I have no experience with TeamViewer, but I am very happy with CrossLoop, which is also free for personal use, very easy to use (start it, and read a name and twelve digit code over the phone), automagically punches through NAT routers and firewalls, and is based on VNC under water. They don't have a native client for Linux, but the Windows version runs fine under Wine.