[olug] VNC/SSH tunnel
Eric P
eric.maillist at gmail.com
Wed Oct 15 04:49:01 UTC 2008
Hi all,
I'm setting up VNC for a friend's computer so that I can help them learn Linux with their new box. (I.e., the friend's
computer = VNC server; me = VNC client.)
I currently have their box at my place, and I can VNC onto their computer through an SSH tunnel just fine with something
like this.
vncviewer -via "friend@192.168.1.106" localhost:0
Can I secure this up any more? Here are the issues as I see them.
1. The VNC server (I'm using Vino) is still open to unencrypted connections. I can log on unencrypted with this:
vncviewer 192.168.1.106
That seems bad, but if I try to lock Vino (Gnome's Remote Desktop) down to only allow local connections, I get
connection refused when using vncviewer's -via command.
Similarly, I can create the tunnel separately with: ssh -C -L 6000:localhost:5900 friend@192.168.1.106
And then log in through a separate terminal with: vncviewer localhost:6000
But this also fails if the VNC server is set to only allow local connections. I'm probably missing the conceptual boat
with this.
2. Additionally, I tried changing the port SSH is running on (e.g., 2211), and I can still SSH into the machine, but
then I can't figure out the syntax for the -via command with a special port. Here's what I tried.
vncviewer -via "friend@192.168.1.106 -p 2211" localhost:0
ssh: connect to host 192.168.1.106 -p 2211 port 22: Connection refused
As you can see it's still using port 22. I've searched around and cannot find a -via example that uses a non-standard port.
I figure it'd be nice to get SSH on a non-standard port and then close down the VNC server port (5900 I think) so that
no outside connections can be made to it (can't I do that with some iptables commands?)
Anyway, thanks for reading. I'm obviously a little lost here and totally open to any/all ideas.
Thanks,
Eric Pierce
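
For the two questions in the message above (a non-standard SSH port with -via, and closing port 5900 to outside connections), here is an added example that is not part of the original post. It relies on the -via argument being handed to ssh as a single host name, as the error output shows, so a host alias in the ssh client config can carry the port; the alias name "friendbox" and the DRY_RUN switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original message.
# "friendbox" is an assumed alias name; address, user and port are the
# ones quoted in the post.

# Client side: append a Host alias so that "ssh friendbox", and any tool
# that passes the name to ssh (such as vncviewer -via), connects to
# port 2211 instead of 22.
write_ssh_alias() {
    cfg="$1"
    cat >> "$cfg" <<'EOF'
Host friendbox
    HostName 192.168.1.106
    User friend
    Port 2211
    Compression yes
EOF
    chmod 600 "$cfg"
}

# Server side (run as root): drop TCP 5900 arriving on any interface
# except loopback, for both IPv4 and IPv6. The far end of the SSH tunnel
# connects to localhost:5900 from sshd on the same machine, so it arrives
# on lo and is not affected.
# Set DRY_RUN=echo to print the rules instead of applying them.
close_vnc_port() {
    for fw in iptables ip6tables; do
        ${DRY_RUN:-} "$fw" -A INPUT -p tcp --dport 5900 ! -i lo -j DROP || return 1
    done
}

# Usage (left commented out so the file can be sourced safely):
#   write_ssh_alias "$HOME/.ssh/config"     # on the client
#   vncviewer -via friendbox localhost:0    # tunnel now goes over port 2211
#   close_vnc_port                          # on the friend's machine, as root
```

Rules added this way are lost at reboot unless they are saved with the distribution's own mechanism.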