Using VNC (More) Securely...
Peter Bunn
bunnz "at" mhtc.net
Wed Aug 20 18:54:01 2008
Continuing the saga...
In a response to this thread, Lincoln Baxter recommended using SSH to
'tunnel' VNC connections, and I have been struggling to make it work.
Off list, he has been of great help, and I've made a simple SSH
connection, but cannot figure out how to run VNC over the connection.
The target computer is on Windows XP Home SP1, and now has CopSSH (an
OpenSSH package) installed. I'm on a Mac using 10.4.11 and the
'Terminal' application to set up the tunnel. All VNC software is
RealVNC... and current.
In my SSH effort so far, I've been trying to use a non-standard VNC port
I set previously which has been working fine for 'straight' VNC
connections.
I'm also using a non-standard port for the SSH... and that has been
working fine as well.
The Windows target computer has two active connections in Network
Connections - LAN and Broadband (DSL) - both with firewall options.
There is no router used.
Both the VNC server configuration and the Broadband firewall are set to
use the non-standard port(s).
The VNC server is set to accept only connections from a subnet that my
own ISP usually assigns me.
When using VNC alone, I set the port in the Broadband firewall... and
that was all I had to do to make VNC work. Every port on the LAN
firewall remained closed.
When I configured for SSH, I opened only a port in the Broadband
firewall... and it seemed to work for the basic connection. Every port
on the LAN firewall remains closed.
--
It's not clear to me whether I need to open a port in the LAN firewall
for the port redirection to work.
It's not clear to me whether the VNC server should be set to "Only accept
connections from the local machine."
It's not clear to me whether something needs to be changed in the
sshd_config in order to permit the non-standard VNC port, but if so,
neither is it clear to me what's required.
--
Below is the command format I used to (try to) create the tunnel, a
fragment of the (relevant) terminal output, and a portion of the current
sshd_config file. I also tried 'variations on themes', with no luck.
Using the RealVNC viewer, I tried variations of the localhost address and
port number as well.
Since I'm brand new to most all of this and don't understand a lot of it,
I suspect I'm doing something patently and obviously wrong, and I'm
hoping someone can point out what it is.
Thanks Again.
Peter B.
----------
---------------
Command Format
ssh -v -l [user_name] [remote_host_IP_address] -p [non_standard_SSH_port] -L [local_VNC_port]:localhost:[remote_VNC_port]
-- Or, in this instance --
ssh -v -l [user_name] [remote_host_IP_address] -p [non_standard_SSH_port] -L 23456:localhost:23456
-----
Terminal Output
<snip>
debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:23456 forwarded to remote address localhost:23456
debug1: Local forwarding listening on ::1 port 23456.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 23456.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Entering interactive session.
Last login: Tue Aug 19 07:59:15 2008 from ab-cas1-95.dial.abcd.net
User_Name "at" Host_Name ~
$
<snip>
-----
VNC Viewer Address (Attempts)
localhost:23456
localhost::23456
-----
VNC Viewer Result
"Server closed connection unexpectedly."
-----
sshd_config
<snip>
Port [non_standard_ssh_port]
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
<snip>
---------------
-------------------------
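A small diagnostic for the tunnel described in the post, added here as an example and not part of the original message: it parses the "Local forwarding listening" lines from `ssh -v` (the sample text is constructed from the lines quoted above) and then probes the local end of the forward for the RFB greeting that every VNC server sends first, so you can tell whether the connection dies before or after it reaches the VNC listener. The host, port and timeout defaults are assumptions taken from the post's example.

```python
import re
import socket
# Constructed sample of `ssh -v` output, modelled on the lines quoted in the post.
SAMPLE_SSH_DEBUG = """\
debug1: Local connections to LOCALHOST:23456 forwarded to remote address localhost:23456
debug1: Local forwarding listening on ::1 port 23456.
debug1: Local forwarding listening on 127.0.0.1 port 23456.
"""

LISTEN_RE = re.compile(r"Local forwarding listening on (\S+) port (\d+)\.")
RFB_BANNER_RE = re.compile(rb"RFB \d{3}\.\d{3}\n")   # e.g. b"RFB 003.008\n"

def tunnel_listeners(ssh_debug_output):
    """(address, port) pairs that `ssh -v` reports it is listening on locally."""
    return [(addr, int(port)) for addr, port in LISTEN_RE.findall(ssh_debug_output)]

def classify_banner(data):
    """Classify the first bytes read from the forwarded port. An RFB (VNC) server
    sends 'RFB xxx.yyy\\n' before the client says anything, so that banner proves
    the tunnel reaches a VNC listener on the remote side."""
    if not data:
        return "closed-without-banner"   # peer closed before saying hello
    if RFB_BANNER_RE.fullmatch(data):
        return "vnc-reached"
    return "not-vnc"                     # something else answers on that port

def probe_forwarded_port(host="127.0.0.1", port=23456, timeout=5.0):
    """Connect to the local end of the ssh -L tunnel and classify what answers.
    The host/port/timeout defaults are assumptions taken from the post's example."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while len(data) < 12:        # the RFB banner is exactly 12 bytes
                chunk = s.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "no-local-listener"       # ssh -L is not listening on the Mac at all
    except socket.timeout:
        return "no-data"                 # accepted, but nothing came back in time
    except OSError:
        return "closed-without-banner"   # reset or otherwise torn down mid-read
    return classify_banner(data)

if __name__ == "__main__":
    for addr, port in tunnel_listeners(SAMPLE_SSH_DEBUG):
        print("ssh reports local listener on", addr, "port", port)
    print("probe of 127.0.0.1:23456 ->", probe_forwarded_port())
```

Run it while the `ssh -v` session is open: "no-local-listener" means the forward itself is not up on the Mac, while "closed-without-banner" means ssh accepted the local connection but the remote end of the forward was closed, which points at the Windows side (the VNC listener on that port, or how it treats a connection arriving from the local machine) rather than at the Broadband firewall.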