Limiting winvnc incoming connections to sshd only.

James "Wez" Weatherall jnw22 "at" cam.ac.uk
Thu, 11 Nov 1999 12:58:24 +0000


> Yes, I've tried "-:127.0.0.1" and "-:127.0.0" as AuthHost filters.  As

The above won't work at all, since the + is missing.

> I said, I had to disable LoopbackOnly, yet I had to enable
> AllowLoopback.  That's the puzzle.  If I have to enable AllowLoopback,
> then it means the server at one point thinks the connection is coming
> in from the loopback interface (or it's misnamed and is simply
> checking that it comes from the same box).  I know there is a SEPARATE
> loopback interface in most systems.  If AllowLoopback is required to
> service all local connections (not just on the loopback interface),
> then it should be renamed "AllowLocal".

Good point.  AllowLoopback is automatically enabled when LoopbackOnly is
set.

> Perhaps I wasn't explicit enough.  sshd is running on the same box as
> the vnc server.  A netstat shows the following
>
> Active Connections
>
>   Proto  Local Address          Foreign Address        State
>   TCP    NT_Box:1026             localhost:1028         ESTABLISHED
>   TCP    NT_Box:1028             localhost:1026         ESTABLISHED
>   TCP    NT_Box:22               my.unix.box:1023       ESTABLISHED
>   TCP    NT_Box:1432             NT_BOX:5900            ESTABLISHED
>   TCP    NT_Box:5900             NT_BOX:1432            ESTABLISHED
>
> So, it looks like the sshd->winvnc connection is not going across the
> loopback after all.

Yes, I think you're correct there.  The point I was making is that when you
put in a local forward with SSH, you shouldn't have something like
"ssh -L5999:nt_box:5900 nt_box" from the remote box - you should have
"ssh -L5999:localhost:5900 nt_box", to make sure that the SSHD daemon on the
server machine uses the loopback interface.

Cheers,

James "Wez" Weatherall
--
          "Xenophobes should go back to Xenophobia"
Laboratory for Communications Engineering, Cambridge - Tel : 766513
AT&T Labs Cambridge, UK                              - Tel : 343000
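The three points in the exchange above (the AuthHosts pattern needs its "+", the
ssh -L target must be "localhost" so sshd on the NT box connects over loopback,
and netstat shows whether that actually happened), as an added shell example
that is not part of the original mail or of the VNC project. The host name
"nt_box", the local port 5999, the function names, and the second netstat sample
(the loopback case) are assumptions made for illustration; the first netstat
sample is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the original mail. Illustrates the reply's points:
#  1. an AuthHosts pattern without a +/-/? prefix does nothing ("-:127.0.0.1"),
#  2. the local forward must name "localhost" as the target host, and
#  3. netstat on the VNC server shows which interface the connection came in on.

# Corrected AuthHosts value: deny everything, then allow loopback only.
AUTHHOSTS_OK='-:+127.0.0.1'

# Return 0 if every colon-separated pattern carries a +, - or ? prefix.
# "-:127.0.0.1" fails here because its second entry has no prefix.
authhosts_valid() {
    old_ifs=$IFS; IFS=':'
    for pat in $1; do
        case "$pat" in
            +*|-*|\?*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Print the ssh command to type on the Unix box. $1 = the NT box (ssh server),
# $2 = local listening port (default 5999). The target inside -L is "localhost",
# which sshd resolves on the NT box, so WinVNC sees a loopback peer.
vnc_forward_cmd() {
    printf 'ssh -L%s:localhost:5900 %s\n' "${2:-5999}" "$1"
}

# Read netstat output on stdin, pick the ESTABLISHED connection whose local
# address is port 5900, and return 0 only if its peer is on loopback.
# Returns 1 for a non-loopback peer or when no such connection is listed.
vnc_peer_is_loopback() {
    peer=$(awk '$1=="TCP" && $2 ~ /:5900$/ && $4=="ESTABLISHED" {print $3; exit}')
    echo "peer of :5900 is '${peer:-<none>}'"
    case "$peer" in
        localhost:*|127.0.0.*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample 1: the netstat lines quoted in the thread (forward made with -L5999:nt_box:5900).
NETSTAT_QUOTED='  TCP    NT_Box:1432             NT_BOX:5900            ESTABLISHED
  TCP    NT_Box:5900             NT_BOX:1432            ESTABLISHED'

# Sample 2: constructed lines for a forward made with -L5999:localhost:5900.
NETSTAT_LOOPBACK='  TCP    localhost:1044          localhost:5900         ESTABLISHED
  TCP    localhost:5900          localhost:1044         ESTABLISHED'

# Usage when run directly:
authhosts_valid "$AUTHHOSTS_OK" && echo "AuthHosts '$AUTHHOSTS_OK' is well-formed"
vnc_forward_cmd nt_box 5999
printf '%s\n' "$NETSTAT_QUOTED"   | vnc_peer_is_loopback || echo "-> not loopback: AllowLoopback/LoopbackOnly will reject it"
printf '%s\n' "$NETSTAT_LOOPBACK" | vnc_peer_is_loopback && echo "-> loopback: LoopbackOnly can stay on"
```

With the quoted netstat the peer of :5900 is NT_BOX:1432, so the check reports
a non-loopback connection, which is exactly why LoopbackOnly had to be
disabled in the thread; with the "localhost" forward the peer is localhost and
LoopbackOnly plus "-:+127.0.0.1" can both stay in force.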




---------------------------------------------------------------------
The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------