LinuxQuestions.org
Old 10-06-2011, 09:14 PM   #1
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 223

Rep: Reputation: 8
VNC w/ SSH using Keys or Kerberos Authentication?


Can I use VNC with SSH and use keys instead of a password? And if so, would this be safer than VNC with Kerberos Password Authentication?


What I want to do is to be able to VNC into my Linux PC (at home) from my laptop (Linux) at a coffee shop using its public ISP.
 
Old 10-07-2011, 01:55 AM   #2
cendryon
Member
 
Registered: Aug 2005
Location: France
Distribution: Slackware64 current
Posts: 75

Rep: Reputation: 23
Hi

To use SSH keys with VNC, you will have to set up VNC through an SSH tunnel. Google "vnc ssh tunnel" for howtos.

Basically, you first open an SSH connection to your home PC authenticated with your SSH key, and then you connect your VNC client to your laptop end of the SSH tunnel. The home PC end of the SSH tunnel will relay the VNC connection to its local VNC server.

However, VNC server will still ask you for the VNC password, and while it is not recommended to leave it empty you might choose to do so.
And don't forget to configure your home PC to accept only SSH connections from the Internet.

SSH authentication is neither safer nor worse than Kerberos authentication, but it will offer you an encrypted connection to your home PC: remember plain VNC is in the clear, like FTP.

Cheers

Last edited by cendryon; 10-07-2011 at 01:57 AM.
 
Old 10-07-2011, 03:53 AM   #3
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 223

Original Poster
Rep: Reputation: 8
Well, my main idea was to have VNC use SSH for the authentication which would be a key, but I can see now that that is not possible.

Even though VNC will do its own authentication regardless, can VNC be set up where it can only be used through an SSH tunnel? That way the user (me) would have to have the ssh key?


Curious, which is more secure against a brute force attack... ssh with an AES encrypted key instead of password, or kerberos password authentication?

Last edited by dman777; 10-07-2011 at 03:55 AM.
 
Old 10-07-2011, 02:29 PM   #4
cendryon
Member
 
Registered: Aug 2005
Location: France
Distribution: Slackware64 current
Posts: 75

Rep: Reputation: 23
Hi

Quote:
Originally Posted by dman777
Even though VNC will do its own authentication regardless, can VNC be set up where it can only be used through an SSH tunnel? That way the user (me) would have to have the ssh key?
I set my home server to only accept key-based authentication for SSH, and I set up the external firewall (actually the router of my ISP box) to accept only SSH connections from the Internet: VNC connections can go through.

I could even harden things by configuring the home server firewall to deny any connection to VNC not coming from localhost.

On my laptop, I load my SSH private key in SSH agent after I log in: I can start the SSH tunnel whenever I need it without typing the SSH private key passphrase every time.
And while the SSH tunnel is up, I connect and disconnect via VNC at leisure.

By default, VNC does not do any authentication. It does only if you explicitly set the security type to VncAuth and you give the path to the file containing the password created with vncpasswd. And VNC password is limited to 8 characters.
On the other hand, you can set VNC server to security type "none" to avoid this intermediate layer of password.

Quote:
Originally Posted by dman777
Curious, which is more secure against a brute force attack... ssh with an AES encrypted key instead of password, or kerberos password authentication?
The size of the SSH key relates to its strength. Usually, 1024 to 2048 bits is a good enough protection. Less than 1024 bits is too weak. More than 2048 bits is too time-consuming, because of the extra computing required, to be worthwhile for an individual: it actually slows things down!

Password-wise, your SSH private key is as secure against brute force attack as the quality of the passphrase you lock it down with, as is your Kerberos password, or any other password for that matter.

Cheers
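
Added example, not part of the thread and not written by either poster: a small shell audit for the setup described in posts #2 and #4, checking that SSH is key-only and that no VNC listener is reachable except through the tunnel. The function names, the 5900-5999 port range and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a host set up as described in the thread.
# Assumes VNC displays use TCP 5900-5999 and OpenSSH's `sshd -T` is available.

# Read `ss -ltn` output on stdin; print VNC listeners bound to a non-loopback
# address, i.e. reachable without going through the SSH tunnel.
exposed_vnc_listeners() {
  awk '{
    addr = $4                              # "Local Address:Port" column
    port = addr; sub(/.*:/, "", port)      # text after the last colon
    host = addr; sub(/:[^:]*$/, "", host)  # text before the last colon
    if (port + 0 < 5900 || port + 0 > 5999) next
    if (host ~ /^127\./ || host == "[::1]") next
    print addr
  }'
}

# Read `sshd -T` (effective config) on stdin; print settings that break a
# key-only policy. No output means password-style logins are off and
# public-key logins are on.
sshd_key_only_violations() {
  awk '
    $1 == "pubkeyauthentication" && $2 != "yes" { print $1, $2 }
    $1 == "passwordauthentication" && $2 != "no" { print $1, $2 }
    ($1 == "kbdinteractiveauthentication" ||
     $1 == "challengeresponseauthentication") && $2 != "no" { print $1, $2 }
  '
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 5 [::]:5902 [::]:*'
SAMPLE_SSHD='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

echo "VNC listeners reachable without the tunnel:"
printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners
echo "sshd settings that break key-only login:"
printf '%s\n' "$SAMPLE_SSHD" | sshd_key_only_violations
```

On the home PC itself, feed the functions real data with `ss -ltn | exposed_vnc_listeners` and `sshd -T | sshd_key_only_violations` (the latter as root); both should print nothing.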
 
  


All times are GMT -5. The time now is 04:58 AM.
