I just discovered something today that I should have looked for months ago. I got curious after doing a lab here in the RH253 (RHEL Network Services and Security) class about whether or not Synergy does any type of encryption over the wire. What I found out is actually NO.
To test this I loaded up wireshark and did some sniffing. Sure enough the input between the two is cleartext and this as also validated by the Synergy man page:
Synergy has no built-in support for encryption or authentication. The server accepts connections from any computer. The server and clients send all data unencrypted which means the clipboard and mouse and keyboard events (e.g. typed passwords) are easily examined by anyone listening on the network. Therefore, do not run synergy on untrusted networks.
In this case I wanted to share a solution for encrypting your synergy traffic on the LAN. This, of course, uses everyone’s favorite application, ssh. You’ll need to setup an encrypted tunnel between the machines using a command such as:
ssh -f -N -L 24800:synergy-server:24800 synergy-server
Now let me explain quickly what these flags do.
-f requests ssh go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background.
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only)
-L [bind address]:port:hostname:hostport
24800, also, is the default port for synergy. So, if I wanted to create this tunnel between two of my machines on my LAN I would use something like:
ssh -f -N -L 24800:macbook:24800 macbook (note: macbook is defined in my /etc/hosts and will be running synergys)
Next I would then run the synergy client command which would forward over the encrypted tunnel to the server.
Also, you can run the synergys (server) as normal on the central machine.
synergys --config .synergy.conf
Now you also might want to use authorized_keys on the remote server to bypass the password authentication, but that is your preference. You can find a tip on doing that here (public key authentication).