[olug] VNC/SSH tunnel

David Walker olug at grax.com
Wed Oct 15 10:27:10 UTC 2008


You can set the alternate port number in your ~/.ssh/config file or in the 
/etc/ssh/ssh_config file and vnc will use it.

The logic of locking Vino to localhost and then using the
 vncviewer -via "friend@192.168.1.106" localhost:0
command seems correct.  I use KDE so I can't test to see if it works for 
me though.


Eric P wrote:
> Hi all,
>
> I'm setting up VNC for a friend's computer so that I can help them learn Linux with their new box.  (I.e., friend's
> computer = VNC server; me = VNC client).
>
> I currently have their box at my place, and I can VNC onto their computer through an SSH tunnel just fine with something
> like this:
> vncviewer -via "friend@192.168.1.106" localhost:0
>
> Can I secure this up anymore?  Here are the issues as I see them.
>
> 1. The VNC server (I'm using Vino) is still open to unencrypted connections.  I can log on unencrypted with this:
> vncviewer 192.168.1.106
> That seems bad, but if I try to lock Vino (Gnome's Remote Desktop) down to only allow local connections, I get
> connection refused when using vncviewer's -via command.
> Similarly, I can create the tunnel separately with: ssh -C -L 6000:localhost:5900 friend@192.168.1.106
> And then log in through a separate terminal with: vncviewer localhost:6000
> But this also fails if the VNC server is set to only allow local connections.  I'm probably missing the conceptual boat
> with this.
>
> 2. Additionally, I tried changing the port SSH is running on (E.g., 2211), and I can still SSH into the machine, but
> then I can't figure out the syntax for the -via command with a special port.  Here's what I tried.
> vncviewer -via "friend@192.168.1.106 -p 2211" localhost:0
> ssh: connect to host 192.168.1.106 -p 2211 port 22: Connection refused
>
> As you can see it's still using port 22.  I've searched around and cannot find a -via example that uses a non-standard port.
>
> I figure it'd be nice to get SSH on a non-standard port and then close down the VNC server port (5900 I think) so that
> no outside connections can be made to it (can't I do that with some iptables commands?)
>
> Anyway, thanks for reading.  I'm obviously a little lost here and totally open to any/all ideas.
>
> Thanks,
> Eric Pierce
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
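
An added shell example, not part of this thread, showing why a Port line in ssh_config is enough for -via: it resolves a host's Port and User the way ssh does (first matching value wins) and prints the effective tunnel command that vncviewer's default VNC_VIA_CMD would run. The config file is constructed for the demo; the address, user name and port 2211 are the ones discussed above.

```shell
#!/bin/sh
# Added example: why a Port line in ssh_config is enough for "vncviewer -via".
# The config below is constructed for the demo (normally it is ~/.ssh/config);
# the address, user name and port 2211 are the ones discussed in the thread.
SSH_CFG=$(mktemp)
cat > "$SSH_CFG" <<'EOF'
Host 192.168.1.106
    User friend
    Port 2211

Host *
    Port 22
EOF

# Resolve a keyword for a host the way ssh does: Host blocks are scanned in
# order and the FIRST value found wins, so a "Host *" fallback must come last.
# Only exact names and "*" are matched here; ssh itself also accepts patterns.
ssh_cfg_get() {  # usage: ssh_cfg_get <config> <host> <keyword> <default>
  awk -v want="$2" -v key="$3" -v def="$4" '
    tolower($1) == "host" {
      active = 0
      for (i = 2; i <= NF; i++) if ($i == want || $i == "*") active = 1
      next
    }
    active && tolower($1) == tolower(key) && !found { print $2; found = 1 }
    END { if (!found) print def }' "$1"
}

# Show the effective tunnel that -via sets up. TightVNC's default VNC_VIA_CMD is
#   ssh -f -L "$L":"$H":"$R" "$G" sleep 20
# (L = local port, H:R = VNC host:port as seen from the gateway, G = gateway).
# Because ssh reads the config for "$G", the port never has to be squeezed into
# the -via string; "-p" is spelled out below only to make the result visible.
# The forward targets localhost:5900 ON the gateway, which is why a VNC server
# restricted to local connections should still accept the tunnelled session.
via_tunnel_cmd() {  # usage: via_tunnel_cmd <config> <gateway> <local-port>
  port=$(ssh_cfg_get "$1" "$2" port 22)
  user=$(ssh_cfg_get "$1" "$2" user "$(id -un)")
  printf 'ssh -f -p %s -L %s:localhost:5900 %s@%s sleep 20\n' "$port" "$3" "$user" "$2"
}

via_tunnel_cmd "$SSH_CFG" 192.168.1.106 5901
```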