Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I am running fc12/xfce with outward facing SSH & VNC to provide login and graphical applications to remote users. Competent users can run VNC through an SSH tunnel, but I need a simpler solution for inexperienced and guest users.
I would like to provide a common password login to a secure restricted VNC session. I have created 'vncuser' and 'vncgroup', with vncserver starting from bootup in this account. I would like to add an encryption layer to the session, like ssh, but set from the server end, so the user does not have to think about it. I would also like to chroot the vncserver so the guests can't crap all over my system.
In the end, I see secure restricted VNC being a single landing strip for all remote users, allowing limited resources to guests and allowing established remote users to ssh -X onwards into their accounts.
As far as I am aware there is no way to encrypt a VNC session that way. I suppose you could try running the VNC through a web page that is SSL encrypted; I am not 100% positive that will work, but I think it is the closest you are going to get to what you want. If you did not know, TightVNC at least has a Java application that can be embedded in a web page to allow VNC. But even then I am not sure if the actual VNC traffic is encrypted by the SSL connection.

Oh, one other thought: you could consider a routed VPN solution à la OpenVPN that has one certificate that allows multiple users to connect. You send out the OpenVPN installer with the certificate, a pre-made configuration file and some quick instructions for where to place the configuration files after they install OpenVPN (if they can install iTunes, why not OpenVPN?). Then they can connect with OpenVPN and use the internal DNS name to connect, and all the traffic is encrypted over the OpenVPN VPN connection.

These are likely the easiest ways to accomplish this, if it is even possible. With the OpenVPN solution I know you can close any open VNC ports on the firewall and only allow through the OpenVPN port, plus SSH of course.
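A check for the end state described in the reply above (VNC ports closed to the outside, only OpenVPN and SSH reachable), as an added example that is not part of the original posts: it parses `ss -H -ltn` output and reports VNC listeners bound to anything other than loopback or the VPN subnet. The sample output, the `10.8.0.0/24` VPN subnet and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not taken from the thread).
# Assumed columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5902 0.0.0.0:*
LISTEN 0 5 10.8.0.1:5903 0.0.0.0:*
LISTEN 0 5 [::]:5801 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
"""

# Display :N listens on 5900+N (RFB) and 5800+N (HTTP port for the Java viewer).
VNC_PORTS = range(5800, 6000)


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -H -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if addr == "*":
            addr = "::"  # some ss versions print * for a wildcard bind
        if port.isdigit():
            yield addr, int(port)


def exposed_vnc(ss_output, trusted_nets=("10.8.0.0/24",)):
    """Return VNC listeners bound outside loopback and the trusted (VPN) nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in VNC_PORTS:
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or any(ip.version == n.version and ip in n for n in nets):
            continue
        findings.append((addr, port))
    return findings


if __name__ == "__main__":
    for addr, port in exposed_vnc(SAMPLE_SS):
        print(f"VNC listener reachable outside loopback/VPN: {addr} port {port}")
```

A wildcard bind is reported even when a firewall rule blocks the port, so an empty result means the listeners themselves are confined and the firewall is a second layer, not the only one.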
Thanks, that sorta' makes sense. I think a solution might be to serve the TightVNC Java client from an SSL Web server. Transport layer encryption should fully envelop an application layer protocol like VNC. Any user could land on that with just a mouse click, and I am sure I will have a bagful of options for authentication after that. If I get that sorted, the only problem I am left with is chrooting VNCServer so that guests are contained. Is it feasible to create a thin installation tree with services and apps mirrored below the chroot directory and exposed to view?