VNC via SSH - loopbackonly & allowloopback problem

Brent Horowitz horowitb "at" newschool.edu
Mon, 25 Jun 2001 08:42:08 +0000


I thought it was.

>>> luptak "at" snt.sk 06/21/01 07:58 AM >>>
Isn't it possible that you used LoopbackOnly set to 1 and Teraterm
forwarding to a.b.c.d instead of 127.0.0.1? This is important ...

Regards,

Miroslav Luptak

> 
> Hello All,
> 
> I'm attempting to connect via SSH port forwarding. Want to allow *_only_*
> tunneled connections via SSH to VNC.
> 
> No matter what I try, I cannot get it tightened down to *_only_* tunneled
> connections. The best I can get is tunneled & direct allowed at the same
> time.
> 
> From what I can see, I think that I have the SSH port forwarding set up
> correctly - after all, it works if I connect to 127.0.0.1:1 when I have the
> AllowLoopback registry entry set. But as to the actual cause of the problem
> - I'm stumped. Any suggestions?
> 
> Below is what I hope is a complete description of my test environment and
> the results.
>
> -----------------------------------------------------------------------
> VNC host is a WIN NT server, sp6a, 128bit encryption.
> SSHd is Brandon Zehm's sshd1 for WinNT.
> 
> Client is a WIN NT workstation, sp6a, 128bit encryption.
> SSH client is the ttssh extension to Tera Term 
> 
> I have established an SSH connection and set up the port forwarding:
> 5901:a.b.c.d:5900 (ie: I am forwarding calls to port 5901 from my client to
> port 5900 on the server with ip address a.b.c.d). In Tera Term the
> formatting of establishing this is different than shown here, but this is
> the effect.
> 
> The actual fields in the TTSSH port forwarding window - 
> Forward local port: 5901
> to remote machine: a.b.c.d
> port: 5900
> 
> If I create and set the HKLM\software\orl\winvnc3 Dword key AllowLoopback to
> 1, I can connect by specifying 127.0.0.1:1 or 12.0.0.1:5901 in the
> connection details screen of the VNCviewer application.  However I can at
> this stage still connect directly by specifying a.b.c.d only.
> 
> Attempting to tighten it down, I implement the LoopbackOnly Dword key (same
> path), setting it to 1 as well. At this stage I invariably get the message:
> "A program on the local machine attempted to connect to a forwarded port.
> The forwarding request was denied by the server. The connection has been
> closed."
> 
> Setting the LoopbackOnly key back to 0 gives me tunnel access again. Note:
> at each stage I have to restart the VNC server - it does not dynamically
> read the registry settings for each connection attempt, so whenever I play
> with them I need to do a stop and start of the VNC program.
> 
> A full table of my test results:
> AL  LO  tunnel    direct
> 0   0   disabled  pass
> 0   1   denied    fail
> 1   0   pass      pass
> 1   1   denied    fail
> -   1   denied    fail
> 1   -   pass      pass
> 
> An explanation of the results:
> AL - AllowLoopback
> LO - LoopbackOnly
> disabled - a message from VNC (presumably from the server): "Local Loopback
> Connections are disabled."
> denied - message from Tera Term: "A program on the local machine attempted
> to connect to a forwarded port. The forwarding request was denied by the
> server. The connection has been closed."
> fail - message back from VNCviewer application: "Failed to connect to
> server."
> pass - it connects (asks for session password)
> A "-" is where I completely deleted the key from the registry (grasping at
> straws time).
> 
> Rgds,
> Dave.
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to majordomo "at" uk.research.att.com
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
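Added example, not part of the original thread: a Python model of the cause Miroslav Luptak suggests, under the assumption that LoopbackOnly makes the server listen on 127.0.0.1 only, so a forward whose destination is any other address of the host is refused. 127.0.0.2 stands in for a.b.c.d, the listener uses an OS-chosen port instead of 5900, and the function names are hypothetical.

```python
import socket
import threading

def start_loopback_only_listener():
    """Assumed model of LoopbackOnly=1: listen on 127.0.0.1, not on 0.0.0.0."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: OS picks a free port (stand-in for 5900)
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            conn.sendall(b"RFB 003.003\n")  # RFB 3.3 version greeting
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def forward_to(dest_host, dest_port, timeout=2.0):
    """What the SSH server does for a forwarded channel: open a TCP
    connection to the configured destination. Returns the greeting or None."""
    try:
        with socket.create_connection((dest_host, dest_port), timeout=timeout) as s:
            return s.recv(12)
    except OSError:  # refused or timed out: the client sees the forward denied
        return None

def demo():
    srv, port = start_loopback_only_listener()
    try:
        return {
            # forward destination 127.0.0.1: reaches the loopback-bound listener
            "127.0.0.1": forward_to("127.0.0.1", port),
            # constructed stand-in for a.b.c.d: an address the listener is not bound to
            "127.0.0.2": forward_to("127.0.0.2", port),
        }
    finally:
        srv.close()

if __name__ == "__main__":
    for dest, banner in demo().items():
        print(dest, "->", banner if banner else "connection failed (forward denied)")
```

In TTSSH terms this corresponds to setting "to remote machine" to 127.0.0.1 rather than a.b.c.d when LoopbackOnly is 1.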