Hi all,

I have a client who is looking to provide their consultants with remote access to their internal machines via VNC. They do not want to provide any other access to them. I did a bit of research and looked into tunneling VNC over SSH but that would still enable the external consultant to have an ssh login/shell. Is there away to prevent that and just provide them with VNC access only?
Thanks!

Ron.

OK, if you want to have that architecture, but do it all real slick likes, then look at a freenx implementation instead. no actual ssh possible, no vnc sessions idling around. Basically you have a special user which is logged into over ssh. once that user is logged in, a vnc server for the actual user is started up and tunnelled over the existing ssh connection so there is no additional services running - something that really made me smile when I first saw it.

I'm sure there's a certain formal shell you can run which will also give this behaviour. Ideally you just don't want to allow execution of a remote command. If you check the ssh manpage you'll see the -N option which is the behaviour you want to force from the server side right? No sign of a sshd_config option for that. You can write a script such as:

which will open a terminal for 3 minutes and, apparently, close *IF* there is nothing runnign over the tunnel, so that's quite nice. You could expand this and start the vnc server before the sleep incase it's not running. freenx is nicer though.