
Thread: VNC over SSH question.

  1. #1
    Join Date
    Feb 2007
    Location
    /home/paris
    Beans
    690
    Distro
    Lubuntu 12.10 Quantal Quetzal

    VNC over SSH question.

    Hi all,

    I previously had a problem with VNC not recognising my keyboard input, and during the discussion on that thread I got the impression that my method for VNC-ing to my box was potentially not secure.

    My solution was to change to using FreeNX, or exporting X over my SSH connection - depending on the circumstance.

    However my concern on my methodology still stands, so I would like your input.

    Here is how I started my VNC server, and then logged into the connection....

    1. SSH into my box from my laptop.
    [ ssh davem@MyHomeServer ]

    2. Now at my server connection I start the VNC server
    [ tightvncserver start ]

    3. Open up the VNC client on my laptop pointing it toward 'MyHomeServer' - using xvnc4server

    The discussion on the other thread gives me the feeling that this method isn't secure?

    Please note that this is no longer an issue as I am now using FreeNX - I am asking this question purely from a position of wanting to better understand why what I was doing was wrong.

    Thanks in advance
    Eee pc via Wubi install.
    everything works straight out of the box

    My Launchpad page

  2. #2
    Join Date
    Feb 2008
    Beans
    606
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: VNC over SSH question.

    1. Configure the VNC server to only listen on localhost.
    2. Start the server.
    3. SSH from anywhere into the machine running the VNC server and tell ssh to forward localhost:5901 on your local machine to localhost:5901 on the machine running the VNC server.
    4. Run VNC viewer on your local machine and tell it to connect to localhost:1.

    You then connect to localhost:5901 and ssh forwards that to the remote machine through an encrypted tunnel.

    I think the command is ssh -L localhost:5901:localhost:5901 user@remote, but don't quote me on that.
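
As an added example (not part of the original post or thread): a check for step 1 above, confirming that the VNC server listens only on loopback before relying on the SSH forward from step 3. It classifies listeners from `ss -tln` output; the sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# VNC display :N listens on TCP port 5900+N, so display :1 is port 5901.
# The forward from the post is typed on the client (laptop), not on the server:
#   ssh -L localhost:5901:localhost:5901 user@remote
# It is only the sole way in if the server's VNC port is bound to loopback.

# Constructed sample of `ss -tln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5901        0.0.0.0:*
LISTEN  0       5       127.0.0.1:5902      0.0.0.0:*
LISTEN  0       5       [::1]:5902          [::]:*
LISTEN  0       5       *:5903              *:*
EOF
}

# Reads `ss -tln` lines on stdin and prints one line per listener on a
# VNC port (5900-5999): "<port> loopback" or "<port> EXPOSED <address>".
classify_vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4                                  # Local Address:Port column
        n = split(la, parts, ":")
        port = parts[n]                          # text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (port !~ /^[0-9]+$/) next
        if (port + 0 < 5900 || port + 0 > 5999) next
        if (addr ~ /^127\./ || addr == "[::1]")
            print port, "loopback"
        else
            print port, "EXPOSED", addr
    }'
}

# Counts VNC listeners reachable from other hosts (0 is the goal).
count_exposed() {
    classify_vnc_listeners | awk '$2 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample. On the VNC server itself, run instead:
#   ss -tln | classify_vnc_listeners
sample_ss_output | classify_vnc_listeners
```

Any `EXPOSED` line means the VNC port can be reached without going through SSH, which is the situation the original poster was in when the viewer was pointed straight at the server.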

  3. #3
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: VNC over SSH question.

    Quote Originally Posted by theDaveTheRave View Post
    Please note that this is no longer an issue as I am now using FreeNX - I am asking this question purely from a position of wanting to better understand why what I was doing was wrong.

    Thanks in advance
    VNC has two security flaws:

    1. The connection is not encrypted by default.

    2. The only thing that prevents an intruder from using the connection is a password. All too often people either use weak passwords or what they thought was a strong password is actually weak.

    If you use ssh, you should use keys and disable password logins.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  4. #4
    Join Date
    Apr 2009
    Location
    CA, USA
    Beans
    156
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: VNC over SSH question.

    Are we talking about connecting to your Desktop from inside or outside your LAN? If inside the LAN then security is not much of a concern, just make sure all ports are blocked to the outside world. If outside then like bodhi.zazen mentioned, if you want to use VNC Server securely you really need to be establishing an SSH tunnel with private keys, no password authentication, or you could also set up a VPN connection to the network and block any other external ports. Then local security is not much of a concern if this is a private controlled network. Even with using FreeNX I would typically connect through a VPN tunnel so that no ports are open to local PCs directly.

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: VNC over SSH question.

    Quote Originally Posted by cgb View Post
    Are we talking about connecting to your Desktop from inside or outside your LAN? If inside the LAN then security is not much of a concern, just make sure all ports are blocked to the outside world. If outside then like bodhi.zazen mentioned, if you want to use VNC Server securely you really need to be establishing an SSH tunnel with private keys, no password authentication, or you could also set up a VPN connection to the network and block any other external ports. Then local security is not much of a concern if this is a private controlled network. Even with using FreeNX I would typically connect through a VPN tunnel so that no ports are open to local PCs directly.
    That's a good point. I hardly even use VNC even inside my lan at home. It's either FreeNX or nothing.

    If I am working remotely (which I have been lately), I connect to my server with SSH (key-auth only) and then create a tunnel to whatever machine I want to connect to, then connect with localhost:someportnumber.

    FreeNX really is way better than VNC when it comes to high latency links.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #6
    Join Date
    Feb 2007
    Location
    /home/paris
    Beans
    690
    Distro
    Lubuntu 12.10 Quantal Quetzal

    Re: VNC over SSH question.

    Hi guys.

    Thanks for the input, you've definitely cleared things up for me.

    So here is my current understanding.

    Although I was connecting through SSH (using rsa_id keys and not a password) I was then starting VNC in an insecure method.

    I should have continued to pass the command

    ssh -L localhost:5901:localhost:5901 user@remote

    to my vnc server from within my ssh shell effectively creating the required tunnel.

    As I would like to just point out. I am now using FreeNX (which was very easy to set up, once I had the SSH working) or if I only need to view a few output lines and not do any 'it is easier using the GUI' stuff I would simply forward X for my ssh login (which again is very cool).

    Also I mostly only use this from within my local 'home' network. Although I'm thinking of setting up port forwarding for my SSH so as I can log in from anywhere, but I don't require it yet so I'm not going to set it up.

    Thanks again to the community for being so cool with 'relative newbs' - we are all newbs at something!

    David
    Eee pc via Wubi install.
    everything works straight out of the box

    My Launchpad page

  7. #7
    Join Date
    Oct 2005
    Location
    Lab, Slovakia
    Beans
    10,791

    Re: VNC over SSH question.

    Howdy,

    Once you got SSH working, you don't really need VNC.

    Try this:
    $ ssh -C -c blowfish -X user@server gnome-panel

    VNC should not be lightly discarded. It should be thrown, with great force.

  8. #8
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: VNC over SSH question.

    Quote Originally Posted by HermanAB View Post
    Howdy,

    Once you got SSH working, you don't really need VNC.

    Try this:
    $ ssh -C -c blowfish -X user@server gnome-panel
    I've seen you mention that many, many times and it works really well.

    I've been using FreeNX, myself, but that's cuz I like suspending the session instead of having to close everything.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  9. #9
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: VNC over SSH question.

    Quote Originally Posted by CharlesA View Post
    I've been using FreeNX, myself, but that's cuz I like suspending the session instead of having to close everything.
    that is what screen is for =)
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  10. #10
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: VNC over SSH question.

    Quote Originally Posted by bodhi.zazen View Post
    that is what screen is for =)
    Even the graphical apps that were forwarded over X?

    I've used screen many times for CLI apps, but not for graphical apps.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
