diff --git a/FAQ b/FAQ index 8805d1d1..c007188b 100644 --- a/FAQ +++ b/FAQ @@ -57,12 +57,31 @@ Answers 5. What security/encryption does synergy provide? - None. Synergy currently does no encryption or authentication. + Synergy provides no built-in encryption or authentication. Given that, synergy should not be used on or over any untrusted network, especially the Internet. It's generally fine for home - networks. Future versions will provide encryption and + networks. Future versions may provide built-in encryption and authentication. + Strong encryption and authentication is available through SSH + (secure shell). Run the SSH daemon (i.e. server) on the same + computer that you run the synergy server. It requires no + special configuration to support synergy. On each synergy + client system, run SSH with port forwarding: + + ssh -f -N -L 24800::24800 + + where is the name of the SSH/synergy server. + Once ssh authenticates itself, start the synergy client + normally except use `localhost' or `127.0.0.1' as the server's + address. SSH will then encrypt all communication on behalf of + synergy. Authentication is handled by the SSH authentication. + + A free implementation of SSH for Linux and many Unix systems + called OpenSSH is available from http://www.openssh.com/. For + Windows there's a port of OpenSSH using Cygwin + (http://www.cygwin.com/). + 6. What should I call my screens in the configuration? You can use any unique name in the configuration file for each diff --git a/INSTALL b/INSTALL index 1f8f3188..1e2f25b9 100644 --- a/INSTALL +++ b/INSTALL 
@@ -365,6 +365,42 @@ prevent a synergy client from synthesizing mouse and keyboard input, though. +Network Security +---------------- + +Synergy has no built-in support for encryption or authentication. +The server accepts connections from any computer. The server and +clients send all data unencrypted which means the clipboard and +mouse and keyboard events (e.g. typed passwords) are easily +examined by anyone listening on the network. Therefore, do not +run synergy on untrusted networks except as follows. + +You can use SSH (secure shell) to provide strong authentication +and encryption to synergy without modifying either SSH or synergy. +On Linux and Unix a free implementation of SSH called OpenSSH is +available at http://www.openssh.com/. On Windows you can use the +Cygwin version of OpenSSH. + +First, install the SSH server (sshd) on the computer running the +synergy server. Next, install the SSH client (ssh) on each +synergy client computer. Start the SSH and synergy servers +normally. Then, for each client, start the SSH client with port +forwarding: + + ssh -f -N -L 24800::24800 + +where is the name or address of the SSH and +synergy server host. 24800 is the default synergy port; replace +it with whichever port you use if you don't use the default. Once +ssh authenticates with the server, start the synergy client as +usual except use `localhost' or `127.0.0.1' for the server +address. Synergy will then pass all communication through SSH +which encrypts it, passes it over the network, decrypts it, and +hands it back to synergy. Authentication is provided by SSH's +authentication. + + + Common Command Line Options --------------------------- -d, --debug use debugging level diff --git a/README b/README index cec0cd53..13d5d4d4 100644 --- a/README +++ b/README 
@@ -240,6 +240,11 @@ Tips and Tricks * A client's keyboard and mouse are fully functional while synergy is running. You can use them in case synergy locks up. +* Strong authentication and encryption is available by using SSH. See + the INSTALL file for more information. Synergy does not otherwise + provide secure communications and it should not be used on or over + untrusted networks. + Bug Reports ----------- diff --git a/TODO b/TODO index 51016ffa..b6f13e8e 100644 --- a/TODO +++ b/TODO @@ -54,7 +54,8 @@ Then there are major new features: * Add encryption and authentication - Make synergy is safe to use on untrusted networks. + Make synergy is safe to use on untrusted networks. Using synergy + through SSH can provide this until synergy has it built-in. * Support for limited drag and drop between systems
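Review bot: In the FAQ hunk, the added command `ssh -f -N -L 24800::24800` has an empty host field in the -L argument and no destination host, and the next line reads "where is the name of the SSH/synergy server" without naming any placeholder. The placeholder appears to be missing from the text as committed; write it in a form that survives plain text, so that both the forwarding target and the host ssh connects to are visible. This answer also omits the INSTALL remark that 24800 is only the default port, so consider pointing to INSTALL here, as the README hunk does, instead of keeping two copies of the procedure.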
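Review bot: In the INSTALL hunk, the new section states "The server accepts connections from any computer" and ends with "Authentication is provided by SSH's authentication", but no step in between stops a client from connecting to the synergy port directly and bypassing the tunnel. As written, SSH authenticates only the clients that choose to use it. Add a step that tells the reader to block the synergy port (24800 by default) from the network, for example with a host firewall, so the server only receives connections that arrive through sshd. The `ssh -f -N -L 24800::24800` line here has the same missing host placeholder as the FAQ copy.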
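Review bot: In the README hunk, the added bullet "Strong authentication and encryption is available by using SSH" pairs a compound subject with a singular verb; use "are available". The FAQ hunk has the same wording in "Strong encryption and authentication is available through SSH" and should be changed with it.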
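Review bot: In the TODO hunk, the rewritten line carries over the existing error "Make synergy is safe to use on untrusted networks." Since the line is being changed anyway, correct it to "Make synergy safe to use on untrusted networks." in the same commit.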