Written by TheCAT
Monday, 14 September 2009
VNC Overview:
VNC is a handy way to use the graphical interface of a computer remotely. Sadly, VNC itself has no built-in encryption. This means that ALL of your data in a given session is vulnerable to network sniffing. This sniffing can easily reveal every character you type in a VNC session, including any passwords you enter. Happily, there is a fairly easy fix.
SSH Overview:
SSH, the Secure Shell, does have built-in encryption, so connections made via SSH are secure, and all of the traffic sent over an SSH connection is protected from prying eyes by strong encryption. SSH in its simplest form is nothing more than a secure remote command shell, but it packs an impressive feature set that goes well beyond these simple capabilities. For the purpose of securing VNC, the feature we're most interested in is TCP connection tunneling. SSH allows us to create a secure, encrypted tunnel from one computer to another; when operating in this mode it is similar to a VPN, but easier to set up. Once the tunnel is in place, we will direct our VNC traffic through it, protecting it from eavesdroppers.
Securing the VNC Server:
Restricting Access to Localhost:
When starting vncserver, you must use the -localhost option. This tells vncserver that you wish it to respond only to connections originating from the same computer vncserver is running on. In this way you restrict access to your vncserver to users who are already able to log in to the computer, locally or remotely. It is also a good idea to use password protection for vncserver: the combination of the SSH tunnel and accepting only local connections will prevent eavesdropping and connections by unauthorized persons at large, but other legitimate users of the same machine can still connect to your VNC server and control the box with your user account. So using a password is a must on a shared machine.
Password Protection:
When you run vncserver for the first time it will ask you for a password, which will be required of clients trying to connect to your vncserver. The password you specify is stored in ~/.vnc/passwd, where ~ represents your home directory. The password is stored in an obfuscated format, meaning that it isn't easily read by a human, but it is not stored in a secure manner. This means it should NOT be a password you use for anything else!
VNC Startup File:
You also need to create a startup file that tells the vnc server what to do when the server starts. Copy the text below (excluding --begin-- and --end--) as it appears into the file ~/.vnc/xstartup
--begin--
#!/bin/sh
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
xsetroot -solid grey
vncconfig -iconic &
gnome-session &
--end--
Ensure the permissions on the file allow you to run it. For example, by using the command:
chmod u+x ~/.vnc/xstartup
If you have different needs for your startup script, feel free to customize the above; it is just a known-good starting point, and should prove sufficient for most users.
Starting the VNC Server:
Once you have set a password and created an xstartup file, run vncserver with the following command on the host you will be accessing remotely (this can be done remotely through ssh):
vncserver -localhost
When this command completes, it will show a VNC display number (often 1) which you need to remember.
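As an added check, not part of the original article: once vncserver is running you can confirm that -localhost took effect by looking at what the display is actually bound to. The script below is example code assuming the Linux ss tool's "ss -ltn" output layout; the sample output it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: confirm that a running vncserver is reachable only on the
# loopback address, as "vncserver -localhost" is meant to guarantee.
# Reads "ss -ltn" style output on stdin and prints every VNC listener
# (ports 5900-5999) bound to something other than loopback.
exposed_vnc_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, part, ":")                 # last piece is the port
            port = part[n] + 0
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (port >= 5900 && port <= 5999 &&
                addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
                print $4
        }'
}

# Constructed sample in "ss -ltn" layout (not captured from a real host):
# display :1 is correctly bound to loopback, display :2 listens on all interfaces.
SAMPLE_SS_OUTPUT="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      5      0.0.0.0:5902       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*"

# A non-empty result means a VNC display is reachable from the network
# without the SSH tunnel; restart that display with "vncserver -localhost".
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_vnc_listeners
# prints: 0.0.0.0:5902
# Live check on the server itself: ss -ltn | exposed_vnc_listeners
```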
Creating the SSH Tunnel:
The way to create the SSH tunnel between the vnc server and your computer is different depending on what operating system you are running locally.
Linux, OS X and Solaris:
Execute the following command in a terminal:
ssh -L 5901:localhost:590x username@servername
making sure to replace servername with the name of your remote system, and username with your username on the remote system. Also, the x in 590x must be replaced with the VNC display number returned by running vncserver on the remote system. If the display number returned by the vncserver command has two digits, then 590x becomes 59xx, where xx is the display number you were given earlier.
This will log you in to the remote system, and open an encrypted tunnel between it and your local machine.
Now you just need to launch your VNC client and point it to localhost:5901.
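To make the 590x / 59xx rule concrete, here is an added example (not from the original article) that reads the display number out of vncserver's output, turns it into the port the display listens on, and prints the ssh command from above. The vncserver output it parses is a constructed sample in the usual "... desktop is host:N" form; username and servername are the placeholders used in the text.

```shell
#!/bin/sh
# Added example: from the display number printed by "vncserver -localhost"
# to the matching port and the "ssh -L" command used in the text.

# Pull the display number out of vncserver's "... desktop is host:N" line.
display_from_vncserver_output() {
    sed -n 's/.*desktop is [^:]*:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Display N listens on TCP port 5900+N: display 1 -> 5901, display 12 -> 5912.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*) echo "vnc_port: display number must be numeric" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# Build the tunnel command: local port (default 5901) -> remote localhost:<5900+N>.
# usage: vnc_tunnel_cmd <username> <servername> <display> [local-port]
vnc_tunnel_cmd() {
    remote_port=$(vnc_port "$3") || return 1
    echo "ssh -L ${4:-5901}:localhost:${remote_port} $1@$2"
}

# Constructed sample of vncserver output (not captured from a real host).
SAMPLE_VNCSERVER_OUTPUT="New 'servername:12 (username)' desktop is servername:12

Starting applications specified in /home/username/.vnc/xstartup
Log file is /home/username/.vnc/servername:12.log"

display=$(printf '%s\n' "$SAMPLE_VNCSERVER_OUTPUT" | display_from_vncserver_output)
vnc_tunnel_cmd username servername "$display"
# prints: ssh -L 5901:localhost:5912 username@servername
```

Whatever the display number, the VNC client still connects to localhost:5901 on your own machine; only the remote end of the tunnel changes.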
Windows:
The Windows SSH client PuTTY is the recommended program for SSH on Windows. To create a tunnel to the VNC server from Windows, perform the following:
- Launch PuTTY
- Enter the name of the remote server in the text field labeled "Host Name (or IP Address)"
- Expand the Connection item from the left pane, then expand its child item SSH, and click on the Tunnels item.
- Set the source port number to 5901
- Set destination to localhost:590x, where x is the display number returned from vncserver above. If the display number returned by the vncserver command has two digits, then 590x becomes 59xx, where xx is the display number you were given earlier.
- Click the Add button
- Click the Open button and supply your username and password.
- Launch your VNC viewer and point it to localhost port 5901
There is a link detailing this procedure with screenshots in the Resources below.
Tips:
- Some VNC clients think that this is a local connection and don't optimize for remote/low bandwidth connections. If performance is bad, try manually specifying low bandwidth, enabling compression, etc.
Resources:
Last Updated ( Tuesday, 03 November 2009 )