LinuxQuestions.org
Old 10-21-2010, 02:19 PM   #1
deesto
Member
 
Registered: May 2002
Location: NY, USA
Distribution: FreeBSD, Fedora, RHEL, Ubuntu; OS X, Win; have used Slackware, Mandrake, SuSE, Xandros
Posts: 448

Rep: Reputation: 31
Multi-hop VNC tunnel over SSH


Is it possible to chain together multiple SSH tunnel hops in a single `ssh -L` command on the client side? I have two gateways I need to get through in order to access a remote host. For a normal SSH client connection, it's simple enough to chain this all together by simply appending the additional SSH connection commands to the first one:
Code:
ssh gateway.1 ssh gateway.2 ssh remote.host
And for a normal (non-hopping) VNC session to a non-gateway host, create a tunnel:
Code:
ssh -L [local-port]:localhost:[remote-port|5900] remote.host && vncviewer localhost:[display]
But is it possible to chain together multiple gateway hops in order to reach the remote host, given SSH authentication is done via key on each host, and privileged ports are not accessible on the gateway machines? I've gotten close with the following, but was tripped up by man-in-the-middle attack warnings:
Code:
ssh -tL 5900:localhost:22 gateway1 ssh -tL 50022:gateway2:22 remote.host 'some.vnc.viewer -localhost -display :0'

Last edited by deesto; 10-21-2010 at 02:29 PM.
 
Old 10-21-2010, 05:02 PM   #2
sys64738
Member
 
Registered: May 2008
Location: NRW/Germany
Posts: 105

Rep: Reputation: 30
Hi
how about this:
Code:
ssh -X gateway.1 ssh -X gateway.2 ssh -X remote.host
and then on remote.host you simply do a "vncviewer"?

Last edited by sys64738; 10-21-2010 at 05:04 PM.
 
Old 10-22-2010, 07:42 AM   #3
deesto
Member
 
Registered: May 2002
Location: NY, USA
Distribution: FreeBSD, Fedora, RHEL, Ubuntu; OS X, Win; have used Slackware, Mandrake, SuSE, Xandros
Posts: 448

Original Poster
Rep: Reputation: 31
Hi sys64738,

Yes: of course that works. But my question is whether it's possible to tunnel multiple hops and script everything entirely on the client side.
 
Old 10-22-2010, 10:36 AM   #4
sys64738
Member
 
Registered: May 2008
Location: NRW/Germany
Posts: 105

Rep: Reputation: 30
How about that:

Code:
ssh -X user@gateway.1 ssh -X user@gateway.2 ssh -X user@remote.host vncviewer
If you have public key authentication it will work in a script without passwords and there is no hassle with tcp ports (only 22 needed).

I hope that is OK?
 
Old 10-22-2010, 01:22 PM   #5
deesto
Member
 
Registered: May 2002
Location: NY, USA
Distribution: FreeBSD, Fedora, RHEL, Ubuntu; OS X, Win; have used Slackware, Mandrake, SuSE, Xandros
Posts: 448

Original Poster
Rep: Reputation: 31
Hi sys64738,
Quote:
Originally Posted by sys64738
How about that:
Code:
ssh -X user@gateway.1 ssh -X user@gateway.2 ssh -X user@remote.host vncviewer
If you have public key authentication it will work in a script without passwords and there is no hassle with tcp ports (only 22 needed).

I hope that is OK?
Yes, thanks, but ... really my question was more toward _understanding_ the "hassle" of using ports properly with a multi-hop tunnel, rather than working around them.
 
Old 10-23-2010, 08:57 AM   #6
sys64738
Member
 
Registered: May 2008
Location: NRW/Germany
Posts: 105

Rep: Reputation: 30
OK back to your ssh statement. If I got it right you said you got warnings about man in the middle attacks.
If you want to ignore those warnings add:
Code:
-o 'StrictHostKeyChecking=no'
which would lead to:
Code:
ssh -o 'StrictHostKeyChecking=no' -tL 5900:localhost:22 gateway1 ssh -o 'StrictHostKeyChecking=no' -tL 50022:gateway2:22 remote.host 'some.vnc.viewer -localhost -display :0'
But you must be sure that you address the right hosts along your tunnel.
BTW I think you have to tell the 'some.vnc.viewer' on remote.host to use port 50022.
 
1 members found this post helpful.
Old 10-25-2010, 07:38 AM   #7
deesto
Member
 
Registered: May 2002
Location: NY, USA
Distribution: FreeBSD, Fedora, RHEL, Ubuntu; OS X, Win; have used Slackware, Mandrake, SuSE, Xandros
Posts: 448

Original Poster
Rep: Reputation: 31
Thanks sys64738. `StrictHostKeyChecking` was the key, though it should not be used on untrusted systems. Note that you don't need to specify the vnc port on the remote host, but you do need to specify a display port:
Code:
ssh -o 'StrictHostKeyChecking=no' -ACtYL 5900:localhost:22 you@gateway1 ssh -o 'StrictHostKeyChecking=no' -ACtYL 50022:localhost:5900 you@gateway2 ssh -ACtY you@remotehost vncviewer localhost:0
 
1 members found this post helpful.
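A way to build the same two-gateway VNC tunnel with host key checking left on, as an added example that is not part of the original thread: with `ProxyJump` (OpenSSH 7.3 or later, assumed here) the client opens a separate SSH session to each hop and verifies each one under its own name in `known_hosts`. The alias `vnc-remote`, local port 5901 and the function names are assumptions; the hostnames follow the thread.

```bash
#!/usr/bin/env bash
# Added example: emit an ssh_config stanza for a multi-hop VNC tunnel
# that keeps host key verification enabled on every hop.

valid_port() {  # digits only and within 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_host() {  # refuse empty, option-like, or space/comma-bearing values
    case "$1" in ''|-*|*[[:space:],]*) return 1 ;; esac
}

# gen_multihop_config ALIAS TARGET LOCAL_PORT REMOTE_PORT HOP [HOP...]
# HOP may be "host" or "user@host", listed in the order they are traversed.
gen_multihop_config() {
    [ "$#" -ge 5 ] || { echo "need alias, target, 2 ports, 1+ hops" >&2; return 2; }
    local alias=$1 target=$2 lport=$3 rport=$4 jumps="" hosts="" h
    shift 4
    valid_port "$lport" && valid_port "$rport" || { echo "bad port" >&2; return 2; }
    for h in "$alias" "$target" "$@"; do
        valid_host "$h" || { echo "bad host: $h" >&2; return 2; }
    done
    for h in "$@"; do
        jumps="${jumps:+$jumps,}$h"   # comma-separated list for ProxyJump
        hosts="$hosts ${h#*@}"        # bare hostnames for the Host pattern
    done
    # First stanza: the tunnel itself. The forward binds to loopback only,
    # and ssh exits instead of running without the forward if binding fails.
    # Second stanza: strict checking for the target and every jump host
    # (jump connections read the user's ssh config as well), so each key
    # must already be present in known_hosts.
    cat <<EOF
Host $alias
    HostName $target
    ProxyJump $jumps
    LocalForward 127.0.0.1:$lport localhost:$rport
    ExitOnForwardFailure yes

Host $alias$hosts
    StrictHostKeyChecking yes
EOF
}

# Usage (not run here):
#   gen_multihop_config vnc-remote remotehost 5901 5900 \
#       you@gateway1 you@gateway2 >> ~/.ssh/config
#   ssh -N vnc-remote &      # then: vncviewer localhost:1
```

Only port 22 is needed on the gateways, and the VNC port on the remote host is reached over its own loopback interface.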
  

