[olug] VNC/SSH tunnel
David Walker
olug at grax.com
Wed Oct 15 10:27:10 UTC 2008
You can set the alternate port number in your ~/.ssh/config file or in the
/etc/ssh/ssh_config file and vnc will use it.
The logic of locking Vino to localhost and then using the
vncviewer -via "friend@192.168.1.106" localhost:0
command seems correct. I use KDE so I can't test to see if it works for
me though.
Eric P wrote:
> Hi all,
>
> I'm setting up VNC for a friend's computer so that I can help them learn Linux with their new box. (I.e., friend's
> computer = VNC server; me = VNC client).
>
> I currently have their box at my place, and I can VNC onto their computer through an SSH tunnel just fine with something
> like this.
> vncviewer -via "friend@192.168.1.106" localhost:0
>
> Can I secure this up anymore? Here are the issues as I see them.
>
> 1. The VNC server (I'm using Vino) is still open to unencrypted connections. I can log on unencrypted with this:
> vncviewer 192.168.1.106
> That seems bad, but if I try to lock Vino (Gnome's Remote Desktop) down to only allow local connections, I get
> connection refused when using vncviewer's -via command.
> Similarly, I can create the tunnel separately with: ssh -C -L 6000:localhost:5900 friend@192.168.1.106
> And then log in through a separate terminal with: vncviewer localhost:6000
> But this also fails if the VNC server is set to only allow local connections. I'm probably missing the conceptual boat
> with this.
>
> 2. Additionally, I tried changing the port SSH is running on (E.g., 2211), and I can still SSH into the machine, but
> then I can't figure out the syntax for the -via command with a special port. Here's what I tried.
> vncviewer -via "friend@192.168.1.106 -p 2211" localhost:0
> ssh: connect to host 192.168.1.106 -p 2211 port 22: Connection refused
>
> As you can see it's still using port 22. I've searched around and cannot find a -via example that uses a non-standard port.
>
> I figure it'd be nice to get SSH on a non-standard port and then close down the VNC server port (5900 I think) so that
> no outside connections can be made to it (can't I do that with some iptables commands?)
>
> Anyway, thanks for reading. I'm obviously a little lost here and totally open to any/all ideas.
>
> Thanks,
> Eric Pierce
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
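The two practical points in this thread are (a) that `-via` only runs `ssh`, so the non-standard port belongs in `~/.ssh/config` rather than in the `-via` string, and (b) that once Vino is bound to localhost the only way to confirm it is no longer reachable from the network is to look at the listening sockets. The following script is an added example, not code from either poster: it generates the `~/.ssh/config` stanza and the explicit tunnel command for the thread's host (alias `friend`, address 192.168.1.106, SSH port 2211, VNC port 5900 are taken from the thread; the user name `friend` and the local port 6000 are assumed), and it classifies constructed `ss -ltn` output to show whether the VNC port is exposed or loopback-only.

```shell
#!/bin/sh
# Added example for the OLUG VNC/SSH-tunnel thread (not the posters' code).
# Assumptions: iproute2 "ss -ltn" column layout (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port); alias/user "friend", host
# 192.168.1.106, SSH port 2211, VNC port 5900, local forward port 6000.

# ssh_config_stanza ALIAS HOSTNAME PORT USER
# Prints a Host block for ~/.ssh/config.  "vncviewer -via friend ..." and a
# plain "ssh friend" both end up using PORT, because -via just executes ssh
# and ssh reads this file; no "-p" needs to be smuggled into the -via string.
ssh_config_stanza() {
    printf 'Host %s\n    HostName %s\n    Port %s\n    User %s\n' "$1" "$2" "$3" "$4"
}

# tunnel_cmd LOCAL_PORT GATEWAY REMOTE_PORT
# The explicit equivalent of what -via sets up.  The "localhost" in the -L
# spec is resolved on the gateway, so a VNC server bound to 127.0.0.1 on the
# friend's box is still reachable through the tunnel; the viewer then
# connects to LOCAL_PORT on this machine, never to 192.168.1.106:5900.
tunnel_cmd() {
    printf 'ssh -N -L %s:localhost:%s %s' "$1" "$3" "$2"
}

# vnc_exposure PORT  (ss -ltn output on stdin)
# Prints one of:
#   exposed   - PORT listens on a wildcard or non-loopback address
#   loopback  - PORT listens only on 127.0.0.1 / [::1]  (tunnel-only access)
#   absent    - nothing listens on PORT
vnc_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]          # last field is the port
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") seen_loop = 1
            else seen_open = 1
        }
        END {
            if (seen_open) print "exposed"
            else if (seen_loop) print "loopback"
            else print "absent"
        }'
}

# --- demo with constructed ss output (not captured from a real machine) ---
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2211       0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      5      [::]:5900          [::]:*'

SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2211       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*
LISTEN 0      5      [::1]:5900         [::]:*'

echo "# ~/.ssh/config stanza:"
ssh_config_stanza friend 192.168.1.106 2211 friend
echo
echo "# explicit tunnel, then: vncviewer localhost::6000"
tunnel_cmd 6000 friend 5900
echo
echo
printf 'VNC port 5900 before locking Vino down: %s\n' "$(printf '%s\n' "$SS_BEFORE" | vnc_exposure 5900)"
printf 'VNC port 5900 after locking Vino down:  %s\n' "$(printf '%s\n' "$SS_AFTER"  | vnc_exposure 5900)"
```

Run `ss -ltn | sh -c '. ./vnc_tunnel.sh; vnc_exposure 5900'` (or just paste the function into an interactive shell) on the friend's box to check the real state. The reason the `-p 2211` attempt in the thread failed is visible in its own error message: the whole `-via` argument becomes the host operand of the ssh command that vncviewer runs (TightVNC's `VNC_VIA_CMD` template substitutes it as `$G`), so ssh still connects to port 22 and treats `-p 2211` as part of the hostname. Putting the port in the config file sidesteps that entirely.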