LinuxQuestions.org


dman777 10-06-2011 09:14 PM

VNC w/ SSH using Keys or Kerberos Authentication?
 
Can I use VNC with SSH and use keys instead of a password? And if so, would this be safer than VNC with Kerberos Password Authentication?


What I want to do is to be able to VNC into my Linux PC (at home) from my laptop (Linux) at a coffee shop using its public ISP.

cendryon 10-07-2011 01:55 AM

Hi

To use SSH keys with VNC, you will have to set up VNC through an SSH tunnel. Google "vnc ssh tunnel" for howtos.

Basically, you first open an SSH connection to your home PC authenticated with your SSH key, and then you connect your VNC client to your laptop end of the SSH tunnel. The home PC end of the SSH tunnel will relay the VNC connection to its local VNC server.

However, VNC server will still ask you for the VNC password, and while it is not recommended to leave it empty you might choose to do so.
And don't forget to configure your home PC to accept only SSH connections from the Internet ;)

SSH authentication is neither safer nor worse than Kerberos authentication, but it will offer you an encrypted connection to your home PC: remember plain VNC is in the clear, like FTP.

Cheers

dman777 10-07-2011 03:53 AM

Well, my main idea was to have VNC use SSH for the authentication which would be a key, but I can see now that that is not possible.

Even though VNC will do its own authentication regardless, can VNC be set up where it can only be used through an SSH tunnel? That way the user (me) would have to have the SSH key?


Curious, which is more secure against a brute force attack... SSH with an AES encrypted key instead of password, or Kerberos password authentication?

cendryon 10-07-2011 02:29 PM

Hi

Quote:

Originally Posted by dman777 (Post 4492242)
Even though VNC will do its own authentication regardless, can VNC be set up where it can only be used through an SSH tunnel? That way the user (me) would have to have the SSH key?

I set my home server to only accept key-based authentication for SSH, and I set up the external firewall (actually the router of my ISP box) to accept only SSH connections from the Internet: VNC connections can go through.

I could even harden things by configuring the home server firewall to deny any connection to VNC not coming from localhost.

On my laptop, I load my SSH private key in SSH agent after I log in: I can start the SSH tunnel whenever I need it without typing the SSH private key passphrase every time.
And while the SSH tunnel is up, I connect and disconnect via VNC at leisure.

By default, VNC does not do any authentication. It does so only if you explicitly set the security type to VncAuth and you give the path to the file containing the password created with vncpasswd. And the VNC password is limited to 8 characters.
On the other hand, you can set VNC server to security type "none" to avoid this intermediate layer of password.

Quote:

Originally Posted by dman777 (Post 4492242)
Curious, which is more secure against a brute force attack... SSH with an AES encrypted key instead of password, or Kerberos password authentication?

The size of the SSH key relates to its strength. Usually, 1024 to 2048 bits is a good enough protection. Less than 1024 bits is too weak. More than 2048 bits is too time-consuming, because of the extra computing required, to be worthwhile for an individual: it actually slows things down!

Password-wise, your SSH private key is as secure against brute force attack as the quality of the passphrase you lock it down with, as is your Kerberos password, or any other password for that matter.

Cheers
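
A check for the setup discussed in this thread (SSH accepting keys only, VNC reachable only from localhost so it can be used only through the tunnel), added here as an example and not part of any poster's message. The function names and both sample listings are constructed; the input formats assumed are those of `ss -Hltn` and `sshd -T`.

```shell
#!/bin/sh
# Live use on the home PC:  ss -Hltn | vnc_exposed ;  sshd -T | password_login_disabled

# Print every listening VNC socket (display ports 5900-5999) NOT bound to loopback.
# stdin: lines in `ss -Hltn` format, local address:port in column 4.
vnc_exposed() {
  awk '{
    n = split($4, part, ":"); port = part[n] + 0
    addr = substr($4, 1, length($4) - length(part[n]) - 1)
    if (port >= 5900 && port <= 5999 && addr !~ /^127\./ && addr != "[::1]") print $4
  }'
}

# Succeed only if the effective sshd config refuses password-style logins.
# stdin: `sshd -T` output (lowercase "keyword value" pairs).
password_login_disabled() {
  awk '$1 == "passwordauthentication" { seen = 1; if ($2 != "no") bad = 1 }
       ($1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication") && $2 != "no" { bad = 1 }
       END { exit !(seen && !bad) }'
}

# Constructed sample input, not captured from a real host.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 [::1]:5901 [::]:*
LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*'
SAMPLE_SSHD='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Report both findings; non-zero status means the tunnel-only goal is not met.
audit() {
  rc=0
  exposed=$(printf '%s\n' "$1" | vnc_exposed)
  [ -z "$exposed" ] || { echo "VNC reachable without the tunnel: $exposed"; rc=1; }
  printf '%s\n' "$2" | password_login_disabled || { echo "sshd still accepts passwords"; rc=1; }
  return $rc
}

audit "$SAMPLE_SS" "$SAMPLE_SSHD" || true
```

On the sample data the audit flags the listener on 0.0.0.0:5902 and accepts the sshd settings; the loopback-bound display on port 5901 is the configuration the tunnel relies on.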

