[olug] VNC/SSH tunnel

Will Langford unfies at gmail.com
Wed Oct 15 04:55:16 UTC 2008


Depending on what you want.
Maybe set up a public-facing ssh server of your own.  Then write a
script or something on his box that he can double-click, which runs:

ssh -R port_you_pick:127.0.0.1:5900 your_host

Setting up his own key for your box would be a decent idea while you're at
it :).

And then, on the ssh box you can set up some port forwarding or other
firewall rules to secure port_you_pick, and then you connect to
port_you_pick either from the ssh-serving machine or via port-forwarding
goodness (I would NOT suggest enabling GatewayPorts, or whatever the
sshd_config option is).

This also has the added advantage that your friend can choose when people
can connect to their VNC server by clicking on the icon -- and closing the
window when he's done.  Changing 5900 to something else probably wouldn't be
a bad idea either... just to avoid any semi-intelligent port
sniffing/scanning things that might get installed on the local machine.

-Will


On Tue, Oct 14, 2008 at 11:49 PM, Eric P <eric.maillist at gmail.com> wrote:

> Hi all,
>
> I'm setting up VNC for a friend's computer so that I can help them learn
> Linux with their new box.  (I.e., friend's
> computer = VNC server; me = VNC client).
>
> I currently have their box at my place, and I can VNC onto their computer
> through an SSH tunnel just fine with something
> like this.
> vncviewer -via "friend@192.168.1.106" localhost:0
>
> Can I secure this up any more?  Here are the issues as I see them.
>
> 1. The VNC server (I'm using Vino) is still open to unencrypted
> connections.  I can log on unencrypted with this:
> vncviewer 192.168.1.106
> That seems bad, but if I try to lock Vino (Gnome's Remote Desktop) down to
> only allow local connections, I get
> connection refused when using vncviewer's -via command.
> Similarly, I can create the tunnel separately with:
> ssh -C -L 6000:localhost:5900 friend@192.168.1.106
> And then log in through a separate terminal with: vncviewer localhost:6000
> But this also fails if the VNC server is set to only allow local
> connections.  I'm probably missing the conceptual boat
> with this.
>
> 2. Additionally, I tried changing the port SSH is running on (e.g., 2211),
> and I can still SSH into the machine, but
> then I can't figure out the syntax for the -via command with a special
> port.  Here's what I tried.
> vncviewer -via "friend@192.168.1.106 -p 2211" localhost:0
> ssh: connect to host 192.168.1.106 -p 2211 port 22: Connection refused
>
> As you can see it's still using port 22.  I've searched around and cannot
> find a -via example that uses a non-standard port.
>
> I figure it'd be nice to get SSH on a non-standard port and then close down
> the VNC server port (5900 I think) so that
> no outside connections can be made to it (can't I do that with some
> iptables commands?)
>
> Anyway, thanks for reading.  I'm obviously a little lost here and totally
> open to any/all ideas.
>
> Thanks,
> Eric Pierce
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>

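An added example, not code from either message in the thread, that packages the reverse-tunnel suggestion above as shell functions: one builds the `ssh -R` command the friend's box runs, one builds a `VNC_VIA_CMD` so that `vncviewer -via` can reach a gateway whose sshd is on a non-standard port (the `-p 2211` in the quoted error was swallowed into the hostname because vncviewer hands the whole `-via` string to ssh as one argument), and one checks from `ss -ltn` output whether the VNC port is listening on anything other than loopback. The relay host `relay.example.net`, the relay account `vncrelay`, the ports 2211 and 5901, and the `ss` sample are all assumptions made up for the example; the `$L $H $R $G` placeholders are the convention the TigerVNC/TightVNC viewers use for `VNC_VIA_CMD`.

```shell
#!/bin/sh
# Added example (not from the thread).  Hypothetical names: relay.example.net,
# account vncrelay, sshd port 2211, relay-side port 5901.

# Command the friend's box runs to publish its local VNC port on the relay.
# The -R bind address is pinned to 127.0.0.1 so the listener on the relay
# stays loopback-only even if GatewayPorts is ever flipped on there;
# ExitOnForwardFailure makes ssh exit (instead of connecting silently with
# no tunnel) when the relay-side port is already taken.
reverse_tunnel_cmd() {
    relay=$1
    relay_port=$2
    relay_bind_port=$3
    local_vnc_port=$4
    printf 'ssh -p %s -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:127.0.0.1:%s vncrelay@%s' \
        "$relay_port" "$relay_bind_port" "$local_vnc_port" "$relay"
}

# vncviewer -via runs $VNC_VIA_CMD with L (local port), H (target host),
# R (target port) and G (gateway) in the environment; the default is
#   /usr/bin/ssh -f -L "$L":"$H":"$R" "$G" sleep 20
# so the only place a non-standard sshd port fits is inside that command.
# The $L/$H/$R/$G must stay literal here; vncviewer expands them.
via_cmd_for_port() {
    printf '/usr/bin/ssh -p %s -f -L "$L":"$H":"$R" "$G" sleep 20' "$1"
}

# Constructed sample of `ss -ltn` output (not captured from any real box):
# sshd and a VNC server on all interfaces, plus a loopback-only listener.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5901      0.0.0.0:*'

# Print "exposed" if $2 is a LISTEN port bound to a non-loopback address in
# the ss output given as $1, "local" otherwise.  This is the check to run on
# the friend's box after telling Vino to accept local connections only: the
# tunnel only helps if nothing can still reach 5900 directly.
vnc_exposure() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" {
            lp = $4;   sub(/.*:/, "", lp)          # port after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before it
            if (lp == p && addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { print (exposed ? "exposed" : "local") }'
}

# Stand-alone run: show the two commands and check the sample.
reverse_tunnel_cmd relay.example.net 2211 5901 5900; echo
via_cmd_for_port 2211; echo
vnc_exposure "$SAMPLE_SS" 5900
```

Usage, under the same assumptions: on the relay, give the friend a dedicated account whose authorized_keys entry is restricted to this one listener, e.g. `restrict,port-forwarding,permitlisten="127.0.0.1:5901" ssh-ed25519 <friend's public key>` (permitlisten needs OpenSSH 7.8 or later), and leave `GatewayPorts no`, which is sshd's default. The helper connects with `VNC_VIA_CMD="$(via_cmd_for_port 2211)" vncviewer -via vncrelay@relay.example.net 127.0.0.1:5901`, or with a plain `ssh -p 2211 -N -L 127.0.0.1:5901:127.0.0.1:5901 you@relay.example.net` followed by `vncviewer 127.0.0.1:5901`. Writing `127.0.0.1` rather than `localhost` for the target avoids the gateway's sshd resolving the name to `::1` first when the VNC server is only listening on IPv4. Binding Vino to loopback is the real fix for the open 5900; if a firewall rule is wanted as belt and braces, `iptables -I INPUT -p tcp --dport 5900 ! -i lo -j DROP` drops everything that does not arrive on the loopback interface.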