SSH, VNC, Windows

David Brodbeck DavidB "at" mail.interclean.com
Wed, 09 Jan 2002 16:31:24 +0000


Unless I misunderstand what you're saying, it has to happen from the client
side.  If you've already connected to the server directly with VNC, you've
got an unencrypted connection across the network, and SSH won't help you.

It works like this:

VNC viewer --> SSH client ======================> SSH server --> VNC server
-------------------------                         -------------------------
  Client computer                                   Server computer

-- Unencrypted loopback connection
== Encrypted network connection

-----Original Message-----
From: Boyd D. Mills [mailto:BMills "at" VCIControls.ca]
Sent: Wednesday, January 09, 2002 10:33 AM
To: vnc-list "at" uk.research.att.com
Subject: RE: SSH, VNC, Windows


Thanks Michael,

There is a key described at http://www.uk.research.att.com/vnc/winvnc.html
called LoopbackOnly.

I was a little surprised that this key was not already created with the
default of 0.  I had to create the key LocalMachine\Software\ORL\WinVNC\
key: LoopbackOnly value 1.

This does cause WinVNC to only accept connections from the local machine.

But that's only half the battle.

All the documentation I have found so far on SSH describes how to redirect
ports when initiated from the client side.

But I need to configure the OpenSSH server to redirect incoming Browser
connections to WinVNC.  That's the first major hurdle.

I still need help in this regard.

Thanks,
Boyd

mailto:BMills "at" VCIControls.ca
Sr. Software Project Manager
www.VCIControls.ca

On Tue, Jan 08, 2002 at 04:36:19PM -0500, Boyd D. Mills wrote:
>
> The requirement is to ENFORCE secure access to VNC through the web
> browser.  The first thing is to configure OpenSSH on the server
> machine to effectively sit between VNC server and the remote browser
> machine.  The second (hopefully two in the same) is to disable
> unsecure connections to VNC.

Take a look at the AllowLoopback and AuthHosts advanced options:

http://www.uk.research.att.com/vnc/winvnc.html

If you allow loopback access and deny all hosts except 127.0.0.1, you
can limit network access to those being forwarded by SSH.  This will
also allow unencrypted connections from the localhost, but that probably
is not a problem.
---------------------------------------------------------------------
To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
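The set-up David describes has two halves: the viewer connects to a port on its own loopback interface and an SSH client carries that connection to the server, while the VNC server on the far end accepts connections from its own loopback only. The script below is an added example, not part of the list thread or of any VNC or OpenSSH release. The first function builds the client-side "ssh -L" command (the display numbers and the user@host value are assumed); the second reads "netstat -an" style output and reports any VNC listener (ports 58xx/59xx) bound to something other than loopback, which is the check you would run on the server after setting LoopbackOnly or AuthHosts. The netstat lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): client-side VNC-over-SSH tunnel
# command and a server-side loopback-only check.

# Print the ssh command that forwards a local loopback port to the VNC
# server's loopback port on the remote side.
#   $1 = user@host of the SSH server (assumed value)
#   $2 = local display number, $3 = remote display number
# Binding the local end to 127.0.0.1 keeps the forwarded port off the LAN.
vnc_tunnel_cmd() {
  local_port=$((5900 + $2))
  remote_port=$((5900 + $3))
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$local_port" "$remote_port" "$1"
}

# Read "netstat -an" output on stdin (Windows or Unix layout) and print
# every LISTEN socket on a VNC port (58xx web viewer, 59xx RFB) whose bound
# address is not loopback. Exit status 1 if any such listener was found,
# 0 otherwise.
vnc_exposed_listeners() {
  awk '
    /LISTEN/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /:5[89][0-9][0-9]$/) {
          addr = $i
          sub(/:[0-9]+$/, "", addr)
          if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]") {
            print $i
            found = 1
          }
          break
        }
      }
    }
    END { exit found ? 1 : 0 }
  '
}

# Constructed sample: WinVNC before LoopbackOnly, RFB port open to the network.
SAMPLE_NETSTAT_EXPOSED='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5800         0.0.0.0:0              LISTENING'

# Constructed sample: after restricting to loopback; only sshd is reachable.
SAMPLE_NETSTAT_OK='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5800         0.0.0.0:0              LISTENING'

# Usage: the command to type on the client, then the server-side check.
vnc_tunnel_cmd admin@vncbox.example 1 0
if printf '%s\n' "$SAMPLE_NETSTAT_EXPOSED" | vnc_exposed_listeners; then
  echo "no VNC listener exposed"
else
  echo "VNC listener(s) above are reachable from the network"
fi
```

Once the tunnel is up, the viewer is pointed at 127.0.0.1:1 (display 1, i.e. port 5901) and SSH delivers the traffic to 127.0.0.1:5900 on the server, which is exactly the path the ASCII diagram above shows; run the listener check on the server after changing the registry value to confirm nothing is still bound to 0.0.0.0.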