Page 1 of 8 123 ... LastLast
Results 1 to 10 of 72

Thread: HOWTO: VNC over SSH using Public/Private keys From Windows

  1. #1
    Join Date
    Dec 2006
    Ubuntu 8.04 Hardy Heron

    Post HOWTO: VNC over SSH using Public/Private keys From Windows

    HOWTO: VNC over SSH using Public/Private keys From Windows


    - Condensed commands in step #3 to one line
    - Fixed typo in step #6
    - Added howto link for Xubuntu users
    Thanks to xunil76 for the above suggestions.

    1. Overview
    2. Why?
    3. Install SSH
    4. Generate key pairs
    5. Configure SSH
    6. Configure Remote Desktop
    7. Dealing with Dynamic IPs
    8. Portable Solutions
    9. Setup PortaPuTTY for port forwarding
    10. Conclusion
    1. Overview:

    You will learn how to set up a VNC sever using Ubuntu's built in "Remote Desktop" feature. You will also learn how to set up a SSH server using ONLY public/private keys, on a non standard port, and how to tunnel all of your VNC traffic over this SSH connection. Also, learn how to set up a permanent virtual domain name for your computer (ie so you don't have to remember your IP address (which usually changes).

    By the end of this Howto, you should be able to connect to your home computer from almost any PC that allows outboud connections (yes, even Windows Boxes, if you have a USB key).

    This guide assumes the following:
    • You have a router/firewall, and know how to open ports (for the ssh daemon)
    • You can transport your private key with you (which means you have some sort of portable media, like a USB thumb drive or CD).
    These instructions were tested on Dapper, but the theory works on all Linux boxes (excluding specific commands, of course).

    2. Why?

    Realistically, there really isn't a reason to encrypt VNC traffic. It's encoded, and many times encrypted anyway, and in order to sniff your traffic an attacker would have to have access to a machine in between the two connecting computers. So all in all, you probably DON'T need to encrypt VNC traffic (more), but there are a couple good selling points to this method:
    1. Security in depth. An attacker has to peel away more layers of security to compromise your system (and SSH is one heck of a layer).
    2. Less ports open to the world. Using the method described in this guide, you don't have to leave your VNC server listening on your external ports, only your internal ones (in other words, your router can block port 5900 and you'll still be able to use it).
    3. The only service attackers can even attempt to exploit your system from is SSH, and with public/private keys, that becomes very difficult (without stealing your key anyway).
    4. Security is a mindset, not a bunch of protocols and programs. If you think about security from the get-go, you will be better off in the future.
    Generally speaking VNC is an unencrypted protocol (it can be encrypted, but that's not the focus of this article). That means that any information you send over the internet can possibly be read by someone running a packet sniffer. There is a software package written in Perl called Chaosreader ( which allows you to sniff for VNC traffic (and almost everything else) and replay keystrokes in almost real time. A sample output from a test VNC session shows this:
    VNC: ->
     File out_20070212-1601.log, Session 1
     sudo cat /ectc/    oasshad    
    The above looks kinda weird, due to the fact that I used tab completions. But in a nutshell, this is what I did in my VNC session:
    • Opened a terminal window
    • typed in "sudo cat /etc/shadow"
    • it asked for my password, and I typed it in. My real password was displayed where "password" is, unencrypted.
    • I then exited the terminal and closed the VNC session
    This is why we are going to tunnel VNC over ssh. As a side note, I believe that if you don't encrypt your traffic, you deserve to get attacked. But that's just me *puts tinfoil hate back on*

    3. Installing SSH
    First, we will need to install the OpenSSH ( server and client.
    sudo apt-get install openssh-client openssh-server

    Generate Key Pairs

    Before we can set up SSH to use public/ private keys, we need to make them.

    Please take care when selecting your passphrase!
    This key will literally be the key to your machine. And if you're foolish enough to use the same password as your sudo account, if you loose this key the person who finds it could have full unrestricted access to your machine.

    The ssh-keygen suggests a passphrase of at least 10 - 30 characters. A very simple but effective method for generating passphrases (one that I use) is to make up a very odd sentence, not something you would find in a book or movie. For example:
    Sally attacked Normon with the purple fish, bashing him about his yellow head with an equally yellow dog in an attempt to dislodge his thoughts.
    Yes, it makes no sense what-so-ever; thats ok. Now we're going to take the first letter of each word (which are in bold) and the punctuation and create a string of characters out of them:
    Go ahead, guess that. I dare you. If you wanted to make it a little more secure, you could "leet speak it" (convert some letters to numbers and symbols) and add some capital letters in there. A final version of your password could look like:
    Now that might be a little overkill for you, but you can make your sentence longer or shorter to your liking, just an idea. Anyway, on with the key generation.

    Generating the keys is a very simple process. First create a directory to store them in, then start ssh-keygen. Note, this needs to be done by the user you want to login through SSH as, not root!
    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    cd ~/.ssh
    ssh-keygen -t rsa
    Something like the following should appear:
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/USER/.ssh/id_rsa.
    Your public key has been saved in /home/USER/.ssh/
    The key fingerprint is:
    Obviously, USER will be replaced with your actual user name. Now your private key is called id_rsa, and your public key is

    The key idea here is you need both of these keys to log in. Your public key will be kept on your machine in the .ssh directory. Your private key will (ideally) be on your person, kept safe from the evil doers (I keep mine on my USB keychain).

    In order to conform to a default ssh server configuration, we're going to append your public key to another file.

    cat ~/.ssh/ >> authorized_keys
    chmod 600 authorized_keys
    Now we're ready to configure sshd

    5. Configuring SSH

    Before we configure the ssh server, we have a couple of things to think about. First is where you're going to be connected to your computer from. Work? School? The local Starbucks? Now ask yourself, do they allow outbound connections on any port? If you're at school or work, the answer is mostly likely no. My school blocks all outbound ports <1024 (except for DNS, HTTP and HTTPS of course), but the higher number unassigned ports they tend to leave open. For instance, they block port 5900 (VNC), but they do not block port 47000 (unassigned).

    This is important information because we need to know what port to set up our ssh server on so that we CAN connect to it, no matter what. Here are some good guidelines (they don't apply in all situations of course)
    • High numbered ports (>1024) are blocked less than low ports (privileged ports)
    • Some ports will almost always be open, like HTTP (80) and HTTPS (443). If all else fails, try running your SSH server on one of those.
    • Last but not least, port 53 (DNS) will always be open.
    I run a web server on port 80, with SSL on port 443, so those options are out for me. So i chose a high numbered port (specifically 47000), and I have not had problems connecting from anywhere *yet*.

    Now we're going to set SSH up to be a little more secure, and possibly to help us bypass any filters your school/work has set up.

    First, let's make a backup of our SSH configuration (which we're going to change), in case anything goes wrong.

    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.working
    Now, using your favorite text editor, open up /etc/ssh/sshd_config. A couple of changes are going to be made to this file. Find the line:
    Port 22
    And change it to
    Port 47000
    Make sure there is no # in front of Port. You don't have to pick 47000, but keep in mind what was said before.

    Now we disable remote logins with the root account, find:

    PermitRootLogin yes
    and change yes to no. Even though the default Ubuntu install does not enable the root account, it is a good idea to disable remote logins in case you decide to enable the root account at a later time (like I did).

    Now we will disable password authentication all together. We do this for a couple of reasons:
    • You can't crack a password that doesn't exist.
    • By doing this, we are forcing users to use public/private key authentication.
    #PasswordAuthentication yes
    and change it to
    PasswordAuthentication no
    note that I removed the #.

    That's it for ssh config, now restart the server daemon and onto the next step:
    /etc/init.d/ssh restart
    6. Configure Remote Desktop (VNC)

    This is easy. Using the menus, goto System->Preferences->Remote Desktop. A dialog should pop up, select the following check boxes:
    • Allow other users to view your desktop
    • Allow other users to control your desktop
    • Require the user to enter this password
    Do not check "Ask for your confirmation", you won't be able to login remotely if you do that. Also, select a good password as always, even though VNC will only be accessible from inside your network.

    Click close and you're set!

    As Xubuntu doesn't come with the gnome vino-server installed by default, you'll have to install it or another VNC server. Check out this howto for instructions:

    7. Dealing with Dynamic IPs

    Unless you own a domain name and have set up your computer to respond to DNS queries for it, you probably have a dynamic IP address. Most cable and DSL subscribers do. You can pay extra to get a static line, but you can have your own hostname for free!

    Go over to DynDNS ( and sign up for a "Free Dynamic DNS account". What this will do is give you the option of selecting a virtual domain name from one of their domains (such as This way, when you want to connect to your computer from somewhere, you can simply type in that address rather than your confusing and changing IP!

    There is a *nix client that is supposed to tell the DynDns server when your IP address changes at I don't use this, as my router has this functionality built in. There are plenty of howtos on their website, you should be able to figure it out.

    8. Portable Solutions

    In order to connect to your machine, you're going to need to do a couple of things.

    First, you'll need to open the port on your firewall/router on which your ssh daemon is running (47000 in the example). For examples on how to do this, see

    Now you're going to need some portable software, which will be for windows computers (as *nix and macs have ssh built in).

    An awesome tool. The power of ssh on your thumb drive! This is a portable version of PuTTY, the infamous ssh client for windows. Stick this on your thumb drive.

    TightVNC Viewer:
    This is a VNC client for Windows (also a Linux version available). Get the "" version, as it does not require an installation and can sit on your thumb drive. There are alternatives, like UltraVNC and RealVNC, but I like this one the best.

    Your Private Key: Located in ~/.ssh/
    Remember the file from above, named id_rsa? You're going to put this file on your USB drive, and import the key into PuTTY. To do that:

    1) Run the file called "puttygen.exe" on the USB drive
    2) Goto Conversions | Import Key
    3) Click on your private key and enter your passphrase
    4) Update the key fingerprint, comment and passphrase as desired
    5) Save the keys using the "Save public key" and "Save private"

    If you didn't notice, it generated another public key.This is the same key as is on your computer, as you can always generate your public key from your private key (but not the other way around).

    OK, we're almost done, one more step!

    9. Set up PortaPuTTY for port forwarding

    On your USB drive, open up putty.exe and do the following:
    • On the left hand menu, select "Session". Fill in your brand spanking new dynamic hostname under "Host Name (or IP address)". Note: Do not use the URL here, instead use the hostname by itself. For instance, if your dynamic hostname's URL is, put in the "Host Name (or IP address)" box.
    • Fill in the "Port"
    • Now select "Connection->SSH->Auth" on the left menu.
    • Under "Private key file for authentication:" browse for your private key ending in .ppk.
    • Now select "Tunnels" on the left menu. Under "Source Port" pick a large number that isn't a service port (like 50000).
    • Under "Destination" type in "". That tells ssh to tunnel any service connected to port 50000 to port 5900 (VNC) on the local interface (and the local interface will be your home computer, once we connect to it),
    • Now click the "Add" button.
    • Go back to "Session", type in a name under "Saved Sessions" and click "Save". This way you can just load that profile and you don't have to type that all out again.
    OK, we're ready to connect. Drum roll please....

    Click on the "Open" button, type in your private key passphrase when asked, You will see a normal looking shell prompt, that's ok. Now go back to the USB drive, and find your TightVNCviewer.exe. Open it, and under "VNC server:" type in "", note that there are 2 ::. This will connect the view to the "proxy server" created by PuTTY, and then tunnel us home to our machine. If you set up the VNC server to use a password, it will ask you for it. Enter that, press enter and congrats! You should be looking at your own home desktop.

    Don't expect it to be blazing fast, VNC is kinda slow. A faster solution would be FreeNX, perhaps I'll write a tutorial about that later if there is interest.

    10. Conclusion

    That was kinda long, I know. But you should have a good understanding on both services, and how to configure them.

    SSH provides to us a great resource for secure communications. Any TCP protocol can be forwarded in this way (FTP, POP, HTML). There are many uses for SSH tunneling, and this little HOWTO is just the tip of the iceburg. Using prublic and private keys provides us with increased security via two factor authentication (meaning that to access your system, you need to have your key, and know the passphrase to that key).

    For some further reading, try:


    The above link is a MUCH better tutorial than this one Pictures and everything.


    Please let me know what you think about this how to. Is it confusing? Too much information? Too little?

    Any questions, comments or corrections you can either post here, send an email to education.kills [at] gmail dot com or find me on Freenode IRC (usually in #ubuntu-offtopic). Thanks.
    Last edited by gaten; April 7th, 2008 at 04:33 PM.

  2. #2
    Join Date
    Mar 2006
    South Africa
    Ubuntu 7.04 Feisty Fawn

    Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    Absolutely super HOWTO! I was been battling to get the SSH stuff working for myself, and putty made it a lot easier, but the explanation of the keys cleared up a few things for me. Well done!

  3. #3
    Join Date
    Jun 2006
    Ubuntu 8.04 Hardy Heron

    Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    Perfect! I'd like to THANK YOU for this howto. It's so helpful and well-organized
    "Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side-effect." -- Linus Torvald.

  4. #4
    Join Date
    Dec 2006
    Ubuntu 8.04 Hardy Heron

    Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    Perfect! I'd like to THANK YOU for this howto. It's so helpful and well-organized
    Absolutely super HOWTO! I was been battling to get the SSH stuff working for myself, and putty made it a lot easier, but the explanation of the keys cleared up a few things for me. Well done!
    No problem, thanks for the feed back and I'm glad you liked it.

  5. #5
    Join Date
    Sep 2005
    Ubuntu 9.10 Karmic Koala

    Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    server is refusing the keys... what can be wrong???
    checked everything... its all like the tutorial... running edgy

  6. #6
    Join Date
    Sep 2005
    Ubuntu 9.10 Karmic Koala

    Thumbs up Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    dunno what i did but now seens to be working.

  7. #7
    Join Date
    Jul 2006
    Hardy Heron (Ubuntu Development)

    Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    Great tutorial! I'll try this as soon as I get home.

    Finally I'll be able to access my machine from school!

  8. #8
    Join Date
    Mar 2006

    Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    That's it for ssh config, now restart the server daemon and onto the next step:

    /etc/init.d/sshd restart
    shouldn't it actually be

     /etc/init.d/ssh reload
    /etc/init.d/ssh restart
    Can you restart and not reload? Does the order matter? (reload then restart)? Also I do not think there should be a letter d after ssh. My machine did not like that.

    My other question is that once putty is running it asks for a login id and password. Is this the ubuntu login id and password or something else?

    I think I have everything running correctly but I have no idea what to use as a login.

    Thanks so much for answering my original email so quickly! My original problem was that I did not change the connection type in putty from RAW (which is the default) to SSH. Once I made that change putty prompted me for login info.

  9. #9
    Join Date
    Mar 2006

    Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    So I think my assumption was correct, that the ssh username/passsword is whatever your ubuntu u/p is.

    Now I think I ran into a bigger problem. When on my home network putty does prompt me for login info ( I have not tried login in yet, no time lately) but at work it does not. Putty just times out.

    I was thinking that this was due to the port I was trying to use (port 47001) not open on my work network. I used shieldsup at grc and noted that the port in quesiton is showing up as closed.

    So the next step I am going to take is to try and use port 443 since I am not running a webserver at home.

    The weird thing is that the sheildsup scan also notes that port 443 along with other common ports (80 and 53) are closed. This can not be since I can access http and HTTPS websites freely. Is sheilds up confused?

    thanks, REM

  10. #10
    Join Date
    Aug 2006

    Re: HOWTO: VNC over SSH using Public/Private keys From Windows

    I love your how to. It was great and works, for the most part.

    I can't get Putty to work with the web address though. I can verify that my dyndns account is working. When I go to the page forwarded by my router I get my login prompt. I also verified the ports are forwarding correctly.

    I can connect with putty through if I just use the ip as well. So there's some setting in Putty that I don't have right just concerning the webpage.

    Any clues?


Page 1 of 8 123 ... LastLast

Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts