VNC via SSH - loopbackonly & allowloopback problem

David Steele david.steele "at" nasdaqeurope.com
Thu, 21 Jun 2001 12:02:04 +0000


Hello All,

I'm attempting to connect via SSH port forwarding. I want to allow *_only_*
tunneled connections via SSH to VNC.

No matter what I try, I cannot get it tightened down to *_only_* tunneled
connections. The best I can get is tunneled & direct allowed at the same
time.

From what I can see, I think that I have the SSH port forwarding set up
correctly - after all, it works if I connect to 127.0.0.1:1 when I have the
AllowLoopback registry entry set. But as to the actual cause of the problem
- I'm stumped. Any suggestions?

Below is what I hope is a complete description of my test environment and
the results.
-----------------------------------------------------------------------
VNC host is a WIN NT server, sp6a, 128bit encryption.
SSHd is Brandon Zehm's sshd1 for WinNT.

Client is a WIN NT workstation, sp6a, 128bit encryption.
SSH client is the ttssh extension to Tera Term.

I have established an SSH connection and set up the port forwarding:
5901:a.b.c.d:5900 (i.e. I am forwarding calls to port 5901 from my client to
port 5900 on the server with ip address a.b.c.d). In Tera Term the
formatting of establishing this is different than shown here, but this is
the effect.

The actual fields in the TTSSH port forwarding window - 
Forward local port: 5901
to remote machine: a.b.c.d
port: 5900

If I create and set the HKLM\software\orl\winvnc3 Dword key AllowLoopback to
1, I can connect by specifying 127.0.0.1:1 or 127.0.0.1:5901 in the
connection details screen of the VNCviewer application.  However I can at
this stage still connect directly by specifying a.b.c.d only. 

Attempting to tighten it down, I implement the LoopbackOnly Dword key (same
path), setting it to 1 as well. At this stage I invariably get the message:
"A program on the local machine attempted to connect to a forwarded port.
The forwarding request was denied by the server. The connection has been
closed."

Setting the LoopbackOnly key back to 0 gives me tunnel access again. Note:
at each stage I have to restart the VNC server - it does not dynamically
read the registry settings for each connection attempt, so whenever I play
with them I need to do a stop and start of the VNC program.

A full table of my test results:
AL  LO  tunnel    direct
0   0   disabled  pass
0   1   denied    fail
1   0   pass      pass
1   1   denied    fail
-   1   denied    fail
1   -   pass      pass

An explanation of the results:
AL - AllowLoopback
LO - LoopbackOnly
disabled - a message from VNC (presumably from the server): "Local Loopback
Connections are disabled."
denied - message from Tera Term: "A program on the local machine attempted
to connect to a forwarded port. The forwarding request was denied by the
server. The connection has been closed."
fail - message back from VNCviewer application: "Failed to connect to
server."
pass - it connects (asks for session password)
A "-" is where I completely deleted the key from the registry (grasping at
straws time).

Rgds,
Dave.
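An added example, not part of David's post: a small Python probe that reports which addresses a TCP listener answers on, since that is the distinction the two registry keys control. The SSH daemon on a.b.c.d dials whatever address the forward names (a.b.c.d:5900 above), while a server that listens on the loopback address alone only answers a forward written as 5901:127.0.0.1:5900; the probe makes that mismatch visible. Assumptions: the two listeners here are stand-ins for WinVNC, and 127.0.0.2 stands in for a.b.c.d (on Linux the whole 127/8 range sits on the loopback interface, so it behaves like a second local address).

```python
import socket

# Constructed stand-ins: 127.0.0.2 plays the server's real address a.b.c.d.
# On Linux all of 127.0.0.0/8 is on the loopback interface, so a socket bound
# to 127.0.0.1 alone does not answer on 127.0.0.2, just as a VNC server bound
# to loopback does not answer on the machine's routable address.
LOOPBACK = "127.0.0.1"
DIRECT = "127.0.0.2"


def probe(host, port, timeout=1.0):
    """True if a TCP connection to host:port is accepted. This is what the
    SSH daemon's end of the forward (or a direct viewer) experiences."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_listener(bind_addr):
    """Stand-in for the WinVNC listener: '127.0.0.1' models LoopbackOnly=1,
    '0.0.0.0' models LoopbackOnly=0. Uses an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(5)  # the handshake completes in the kernel; no accept() needed
    return srv


def audit(port, hosts=(LOOPBACK, DIRECT)):
    """Reachability of one port from each candidate address."""
    return {h: probe(h, port) for h in hosts}


def demo():
    """Audit both listener models and return {label: {addr: reachable}}."""
    results = {}
    for label, bind in (("LoopbackOnly=1", LOOPBACK), ("LoopbackOnly=0", "0.0.0.0")):
        srv = open_listener(bind)
        try:
            results[label] = audit(srv.getsockname()[1])
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    for label, reach in demo().items():
        print(label, reach)
```

Run the same probe against a real server's loopback and routable addresses on port 5900 to confirm that only the loopback address answers before relying on the tunnel.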
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------