LinuxQuestions.org


steve_s 05-05-2010 09:39 PM

secure restricted VNC
 
I am running fc12/xfce with outward facing SSH & VNC to provide login and graphical applications to remote users. Competent users can run VNC through an SSH tunnel, but I need a simpler solution for inexperienced and guest users.

I would like to provide a common password login to a secure restricted VNC session. I have created 'vncuser' and 'vncgroup', with vncserver starting from bootup in this account. I would like to add an encryption layer to the session, like ssh, but set from the server end, so the user does not have to think about it. I would also like to chroot the vncserver so the guests can't crap all over my system.

In the end, I see secure restricted VNC being a single landing strip for all remote users, allowing limited resources to guests and allowing established remote users to ssh -X onwards into their accounts.

Help please, how do I do it?

scheidel21 05-06-2010 08:12 AM

As far as I am aware there is no way to encrypt a VNC session that way. I suppose you could try running the VNC through a web page that is SSL encrypted; I am not 100% positive that will work, but I think it is the closest you are going to get to what you want. If you did not know, TightVNC at least has a Java application that can be embedded in a web page to allow VNC. But even then I am not sure if the actual VNC traffic is encrypted by the SSL connection.

Oh, one other thought: you could consider a routed VPN solution à la OpenVPN that has one certificate that allows multiple users to connect. You send out the OpenVPN installer with the certificate, a pre-made configuration file, and some quick instructions for where to place the configuration files after they install OpenVPN (if they can install iTunes, why not OpenVPN). Then they can connect with OpenVPN and use the internal DNS name to connect, and all the traffic is encrypted over the OpenVPN VPN connection. These are likely the easiest ways to accomplish this, if it is even possible. With the OpenVPN solution I know you can close any open VNC ports on the firewall and only allow through the OpenVPN port, plus SSH of course.

steve_s 05-06-2010 05:20 PM

Thanks, that sorta' makes sense. I think a solution might be to serve the TightVNC Java client from an SSL Web server. Transport layer encryption should fully envelop an application layer protocol like VNC. Any user could land on that with just a mouse click, and I am sure I will have a bagful of options for authentication after that. If I get that sorted, the only problem I am left with is chrooting VNCServer so that guests are contained. Is it feasible to create a thin installation tree with services and apps mirrored below the chroot directory and exposed to view?

scheidel21 05-07-2010 07:52 AM

Glad I kinda helped you. As far as the other one goes, you got me on whether it is feasible or how to do it.
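
Added example, not part of the thread: the replies leave open whether the VNC traffic itself ends up encrypted, and the first bytes on the wire of your own listener settle it. A plain VNC (RFB) server sends its `RFB xxx.yyy` version banner in cleartext as soon as a client connects, while a TLS-wrapped connection begins with a TLS handshake record. The function names and the sample byte strings are constructed for illustration.

```python
import re
import socket

# RFB ProtocolVersion message: 12 bytes, e.g. b"RFB 003.008\n", sent by the server first.
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes seen on a connection (from a probe or a packet capture)."""
    match = RFB_BANNER.match(data)
    if match:
        major, minor = int(match.group(1)), int(match.group(2))
        return f"plaintext-rfb {major}.{minor}"
    # TLS record header: content type 0x16 (handshake), version bytes 0x03 0x00..0x04.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    if not data:
        # A TLS-wrapped listener waits for the client's ClientHello and says nothing.
        return "silent"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to your own listener, send nothing, and classify what it volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(12)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = {
        "bare vncserver": b"RFB 003.008\n",
        "client side of a TLS tunnel": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4",
        "TLS-wrapped listener, no client data yet": b"",
        "some other service": b"SSH-2.0-OpenSSH_5.3\r\n",
    }
    for label, first_bytes in samples.items():
        print(f"{label:42s} -> {classify_first_bytes(first_bytes)}")
```

A `plaintext-rfb` result on the externally reachable port means the session, including the password exchange, is travelling outside any encryption layer, regardless of how the viewer applet was delivered.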

