LinuxQuestions.org - [SOLVED] Connecting to vnc over an SSH tunnel

- Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)

- - Connecting to vnc over an SSH tunnel (https://www.linuxquestions.org/questions/linux-networking-3/connecting-to-vnc-over-an-ssh-tunnel-4175718373/)

Connecting to vnc over an SSH tunnel

Yes, I have googled. But nothing is working.

I have a vnc server running with a certain user configured.
I have created the same vnc user name in the local machine to simplify everything.
Now I am trying to connect with this command:

Code:

ssh -L 59000:localhost:5901 -p 8922 -C -N -l user 188.177.166.155

(fake IP, of course)

Nothing happens. It just waits forever.

I don't remember if there is an active firewall. If there is, it's iptables. So I ran this on the remote machine:

Code:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT

And nothing happens. Connecting just waits forever.

Of course, I can SSH to that remote machine.

The output of ps aux on the remote machine tells me that the vnc server is running.

So the usual question is: what am I doing wrong?

MTIA

Messing with IPTables is unnecessary.

Which 'display' is your VNC utility on? 5901 will be 1, 5900 will be 0, 5902 will be 2, etc.

ssh can be used with -v (or -vvv) to make it verbose. Otherwise I don't really know how is this setup configured, where are those port numbers coming from (and how did you configure/start the client).

Quote:

Originally Posted by Turbocapitalist (Post 6389935)

Which 'display' is your VNC utility on? 5901 will be 1, 5900 will be 0, 5902 will be 2, etc.

I honestly don't know. I just know what is in the command line.

Quote:

Originally Posted by pan64 (Post 6389938)

Code:

# ssh -vvv -L 59000:localhost:5901 -p 8922 -C -N -l root 188.177.166.155



OpenSSH_7.4p1 Debian-9

debug1: Reading configuration data /root/.ssh/config

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 19: Applying options for *

debug2: resolving "188.177.166.155" port 8922

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 188.177.166.155 [188.177.166.155] port 8922.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: identity file /root/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /root/.ssh/id_rsa-cert type -1

debug1: identity file /root/.ssh/id_dsa type 2

debug1: key_load_public: No such file or directory

debug1: identity file /root/.ssh/id_dsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /root/.ssh/id_ecdsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /root/.ssh/id_ecdsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /root/.ssh/id_ed25519 type -1

debug1: key_load_public: No such file or directory

debug1: identity file /root/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-9

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-9

debug1: match: OpenSSH_7.9p1 Debian-9 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 188.177.166.155:8922 as 'root'

debug3: put_host_port: [188.177.166.155]:8922

debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:65

debug3: load_hostkeys: loaded 1 keys from [188.177.166.155]:8922

debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: zlib@openssh.com,zlib,none

debug2: compression stoc: zlib@openssh.com,zlib,none

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: [elided: [Server host key]]

debug3: put_host_port: [188.177.166.155]:8922

debug3: put_host_port: [188.177.166.155]:8922

debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:65

debug3: load_hostkeys: loaded 1 keys from [188.177.166.155]:8922

debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:65

debug3: load_hostkeys: loaded 1 keys from [188.177.166.155]:8922

debug1: Host '[188.177.166.155]:8922' is known and matches the ECDSA host key.

debug1: Found key in /root/.ssh/known_hosts:65

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: /root/.ssh/id_rsa (key)

debug2: key: /root/.ssh/id_dsa (key)

debug2: key: /root/.ssh/id_ecdsa ((nil))

debug2: key: /root/.ssh/id_ed25519 ((nil))

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password

debug3: start over, passed a different list publickey,password

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /root/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 60

debug1: Server accepts key: pkalg rsa-sha2-512 blen 279

debug2: input_userauth_pk_ok: fp SHA256:[elided]

debug3: sign_and_send_pubkey: RSA SHA256:[elided]

debug3: send packet: type 50

debug3: receive packet: type 52

debug1: Enabling compression at level 6.

debug1: Authentication succeeded (publickey).

Authenticated to 188.177.166.155 ([188.177.166.155]:8922).

debug1: Local connections to LOCALHOST:59000 forwarded to remote address localhost:5901

debug3: channel_setup_fwd_listener_tcpip: type 2 wildcard 0 addr NULL

debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY

debug1: Local forwarding listening on ::1 port 59000.

debug2: fd 4 setting O_NONBLOCK

debug3: fd 4 is O_NONBLOCK

debug1: channel 0: new [port listener]

debug1: Local forwarding listening on 127.0.0.1 port 59000.

debug2: fd 5 setting O_NONBLOCK

debug3: fd 5 is O_NONBLOCK

debug1: channel 1: new [port listener]

debug2: fd 3 setting TCP_NODELAY

debug3: ssh_packet_set_tos: set IP_TOS 0x10

debug1: Requesting no-more-sessions@openssh.com

debug3: send packet: type 80

debug1: Entering interactive session.

debug1: pledge: exec

debug3: receive packet: type 80

debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0

debug3: receive packet: type 4

debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding

debug3: receive packet: type 4

debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding

debug3: send packet: type 1

debug1: channel 0: free: port listener, nchannels 2

debug3: channel 0: status: The following connections are open:



debug1: channel 1: free: port listener, nchannels 1

debug3: channel 1: status: The following connections are open:



debug1: Killed by signal 2.

Quote:

Originally Posted by lucmove (Post 6389943)

[CODE]
# ssh -vvv -L 59000:localhost:5901 -p 8922 -C -N -l root 188.177.166.155

debug1: Connection established.

It is ok

Quote:

Originally Posted by lucmove (Post 6389943)

Code:

debug1: Killed by signal 2.

You terminated it.
ssh itself is not a vnc client, just a tunnel. You will need to run your client too.

Quote:

Originally Posted by pan64 (Post 6389948)

It is ok
You terminated it.
ssh itself is not a vnc client, just a tunnel. You will need to run your client too.

Thanks. Now I understand better what is going on, and I've connected successfully. It works.

However, the screen I get is too small to be useful to my interests. So I clicked Monitor Settings on Openbox (I don't know what that icon launches) and it says

"Unable to get monitor information!"

So I tried arandr and it says:

Code:

Xlib:  extension "RANDR" missing on display ":1.0".

Traceback (most recent call last):

  File "/usr/bin/arandr", line 42, in <module>

    main()

  File "/usr/lib/python2.7/dist-packages/screenlayout/gui.py", line 319, in main

    force_version=options.force_version

  File "/usr/lib/python2.7/dist-packages/screenlayout/gui.py", line 157, in __init__

    self.widget = widget.ARandRWidget(display=randr_display, force_version=force_version)

  File "/usr/lib/python2.7/dist-packages/screenlayout/widget.py", line 48, in __init__

    self._xrandr = XRandR(display=display, force_version=force_version)

  File "/usr/lib/python2.7/dist-packages/screenlayout/xrandr.py", line 43, in __init__

    version_output = self._output("--version")

  File "/usr/lib/python2.7/dist-packages/screenlayout/xrandr.py", line 64, in _output

    raise Exception("XRandR returned error code %d: %s"%(status,err))

Exception: XRandR returned error code 1: RandR extension missing

Any idea on how to fix this? I really need a larger view.

most probably you need to adjust your vnc server and/or viewer. From the other hand what you posted is not enough to help you. You need to give us more details. Posting an error message without context is useless.
(and if you really want to say thanks just click on yes)

Yes, more information is needed regarding how you are launching VNC on the remote system.

However, VNC might not be the best choice if you wish to run just a single application. If just one graphical program is needed, you can do X11 forwarding:

Code:

ssh -X -p 8922 -l lucmove 188.177.166.155 'xeyes'

ssh -X -p 8922 -l lucmove 188.177.166.155 'firefox'

ssh -X -p 8922 -l lucmove 188.177.166.155 'sudo gparted'

Compression might or might slow things down. Root should never (or almost never) be accessed directly remotely. In the very few cases where it is accessed remotely, using a key and turning off passwords is de rigueur. Then even in those cases with password authentication turned off and keys in use, graphical programs must not be run as root. So perhaps would be relevant to ask what problem you are really trying to solve?

Quote:

Originally Posted by pan64 (Post 6389962)

Sorry, but I really have no idea what other context or more details you think are necessary.

Quote:

Originally Posted by Turbocapitalist (Post 6389964)

Code:

ssh -X -p 8922 -l lucmove 188.177.166.155 'xeyes'

ssh -X -p 8922 -l lucmove 188.177.166.155 'firefox'

ssh -X -p 8922 -l lucmove 188.177.166.155 'sudo gparted'

I'm launching VNC on the remote system this way:

Code:

# /usr/bin/vncserver -localhost

I am told (googling) that the -localhost option causes vncserver to outright refuse connections from outside. Only local conections are accepted. That is good and seems to be true by my tests. I can't connect remotely without the SSH tunnel. I want it that way.

Then I access the vnc session from my local machine:

Code:

xtightvncviewer localhost:59000

Running a single application is a nice idea, but I actually need at least two windows, possibly three. Maybe I will be able to simplify things in the future and run only one thing, but alas it doesn't really work:

Code:

ssh -X -p 8922 -l lucmove 188.177.166.155 'xeyes'

ssh -X -p 8922 -l lucmove 188.177.166.155 'leafpad'

ssh -X -p 8922 -l lucmove 188.177.166.155 'synaptic'

Nothing happens. shrug

Thanks. Try specifying a display:

Code:

/usr/bin/vncserver -localhost :0

Then connect on the matching port:

Code:

ssh -vvv -L 59000:localhost:5900 -p 8922 -C -N -l root 188.177.166.155

Though I am curious as to why there are graphical programs being run as root, and why remote root access via SSH has been turned on.

Quote:

Originally Posted by Turbocapitalist (Post 6389973)

Thanks. Try specifying a display:

Code:

/usr/bin/vncserver -localhost :0

Then connect on the matching port:

Code:

ssh -vvv -L 59000:localhost:5900 -p 8922 -C -N -l root 188.177.166.155

You approach works, except that I get that all grey reticulate X screen instead of the desktop manager. Not useful.

Quote:

Originally Posted by Turbocapitalist (Post 6389973)

Though I am curious as to why there are graphical programs being run as root, and why remote root access via SSH has been turned on.

I always begin by doing everything as root, will change later. If it works as root, it has to work as non-root later or I know that permissions are getting in the way as they so often do. And root access via SSH is disabled with a password. I use a key. If even that is not secure enough, what the hey, let's just stop using passwords altogether or throw all computers in the garbage heap.

Quote:

Originally Posted by lucmove (Post 6389986)

If it works as root, it has to work as non-root later or I know that permissions are getting in the way as they so often do.

That's an incorrect assumption and complicates the approach unnecessarily.

Again, what problem are you really trying to solve?

Quote:

Originally Posted by Turbocapitalist (Post 6389991)

Again, what problem are you really trying to solve?

I need a larger view. Larger resolution, I guess.