LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-16-2002, 03:50 PM   #1
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Rep: Reputation: 15
VNC with Putty Tunnel


I'm using Putty in Windows to connect to my remote RH 7.3 box. I log in as localhost:portnumber to the Linux box, but I can also log in using the IP address XXX.XXX.XXX.XXX:portnumber from a totally different machine at a totally different location and see the same screen!

The instructions (compared for consistency from several web sites) claim that my VNC connection is secured through SSH, but if I can see the same screen connecting through NONSECURE means, then how is this secure?
 
Old 08-16-2002, 04:22 PM   #2
turnip
Member
 
Registered: Jul 2002
Posts: 143

Rep: Reputation: 15
vnc does not use ssh on its own. I believe it encrypts the username/password exchange but I might be wrong.

You can tunnel vnc through ssh.

SSH into your linux box and start with this:

ssh -L 5902:localhost:5901 localhost

then try connecting to your vnc server on port 5902. If all is well, ssh will tunnel it on to port 5901, where your vnc server is running.

man ssh if all else fails
 
Old 08-17-2002, 04:09 PM   #3
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Original Poster
Rep: Reputation: 15
That is what I did to set up a secure tunnel; however, the problem is that I can log on to the same secure connection from another computer at a different location without setting up an SSH tunnel and still see what is on the secured connection. In other words, I do not think the connection is really secured.
 
Old 08-19-2002, 01:25 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
That's correct...

Unless you MAKE a secure connection the only way to access Vnc, the Vnc server is just waiting there for ANY request, regardless of how it gets there.

Best to use a firewall rule to deny access to Vnc directly, then the only way will be through the ssh tunnel described by turnip.

Regards,
Peter.
 
Old 08-20-2002, 05:57 PM   #5
klickibunti
LQ Newbie
 
Registered: Aug 2002
Distribution: Red Hat Psyche
Posts: 18

Rep: Reputation: 0
another great tool is stunnel
 
Old 08-20-2002, 08:33 PM   #6
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Original Poster
Rep: Reputation: 15
Okay. I'm a little confused now. Is this what I do?

Set up IPChains to block out VNC ports in the range 5900-5999 for both source and destination.

SSH into Linux VNC server and type ssh -L 5902:localhost:5901 localhost. This essentially connects the server to itself, building that tunnel.

Connect from client-side to server-side without any port-forwarding set up on the client-side.

This is all theoretical to me at this point, so I have not yet tried it.
 
Old 08-21-2002, 04:51 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Almost,

Using ipchains, block access to the vnc ports for connections coming in on the internet interface only; leave the lo interface unblocked, since that's where ssh will connect, via lo.
You will only need to block the destination ports.

Putty has an option under 'Connection-SSH-Tunnel' which allows you to create the tunnelled connection.
Make sure your sshd_config on the destination server allows tunnelling. Now it's VERY important you have strong passwords...

On the remote host, after Putty has made the tunnel, look for your vnc connection locally, using whichever local port number you assigned with Putty... '127.0.0.1:590x'

Regards,
Peter
 
Old 08-21-2002, 04:53 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
And a 2nd thought,
you will find iptables can do this more easily than ipchains.
Regards,
Peter
 
Old 08-22-2002, 05:47 PM   #9
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Original Poster
Rep: Reputation: 15
I used Redhat 7.3's GUI to set up IPChains to block on eth0 device destination ports 5900:5999 for all IP addresses.

Under Putty | Connection | SSH | Tunnel, I specify the source port to be 9000 and the destination as localhost:5901, then localhost:22, then xxx.xxx.xxx.xxx:5901.

All 3 instances fail to open up my VNC Viewer under Windows.

/etc/ssh/sshd_config is configured to allow port forwarding and strong passwords:

X11Forwarding yes

What am I missing??

Quote:
Originally posted by peter_robb
Almost,

Using ipchains, block access to the vnc ports for connections coming in on the internet interface only; leave the lo interface unblocked, since that's where ssh will connect, via lo.
You will only need to block the destination ports.

Putty has an option under 'Connection-SSH-Tunnel' which allows you to create the tunnelled connection.
Make sure your sshd_config on the destination server allows tunnelling. Now it's VERY important you have strong passwords...

On the remote host, after Putty has made the tunnel, look for your vnc connection locally, using whichever local port number you assigned with Putty... '127.0.0.1:590x'

Regards,
Peter
 
Old 08-29-2002, 09:29 AM   #10
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Go back a step and do what you had working before, what turnip said.
ssh into the remote box, type
ssh -L 5902:localhost:5901 localhost

and point your vnc viewer to localhost:5902.
This will make your vnc viewer look at your local machine to find the tunnel to the remote machine.
What you did with ipchains was to remove any OTHER access to the vnc server.

In Putty, you can set the same by specifying the local and remote names and ports, 5902 local, 5901 remote.

Regards,
Peter.
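An added example (Python, not code from the thread or from any of its posters) that does the check behind Peter's advice: it parses an `ss -ltn`-style listener table, reports which VNC displays are bound to a non-loopback address (and so answer connections that never went through SSH, which is what the original poster saw), and builds the iptables rules Peter describes: drop the VNC range on the internet-facing interface, leave lo alone so the tunnel still lands. The listener sample is constructed; the interface name eth0 and the 5900-5999 range are assumptions.

```python
"""Audit VNC exposure on a Linux box and emit matching iptables rules.

Added example, not from the thread. The `ss -ltn` sample is constructed;
eth0 and the 5900-5999 range are assumptions.
"""
import subprocess
from typing import List, Tuple

VNC_PORTS = range(5900, 6000)     # Unix VNC: port = 5900 + display number
LOOPBACK = {"127.0.0.1", "::1"}   # only these binds are tunnel-only

# Constructed `ss -ltn` output: sshd, vncserver :1 bound to every address,
# and the server-side `ssh -L 5902:localhost:5901 localhost` listener,
# which ssh binds to loopback by default.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       0.0.0.0:5901         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5902       0.0.0.0:*
LISTEN  0       5       *:6001               *:*
"""


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for each LISTEN row of `ss -ltn`."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # also handles [::]:5901
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_vnc_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """VNC-range listeners not bound to loopback: reachable without SSH
    unless a firewall rule in front of them says otherwise."""
    return [(a, p) for a, p in parse_listeners(ss_output)
            if p in VNC_PORTS and a not in LOOPBACK]


def iptables_rules(ext_iface: str = "eth0") -> List[str]:
    """Deny direct VNC on the internet-facing interface, keep lo open.
    Order matters: the lo ACCEPT must come before the DROP."""
    return [
        "iptables -A INPUT -i lo -j ACCEPT",
        f"iptables -A INPUT -i {ext_iface} -p tcp --dport 22 -j ACCEPT",
        f"iptables -A INPUT -i {ext_iface} -p tcp --dport 5900:5999 -j DROP",
    ]


def audit(ss_output: str, ext_iface: str = "eth0") -> List[str]:
    """One finding per VNC display that is reachable off-box."""
    return [
        f"VNC display :{port - 5900} listens on {addr}:{port}; "
        f"reachable without SSH unless {ext_iface} is filtered"
        for addr, port in exposed_vnc_listeners(ss_output)
    ]


if __name__ == "__main__":
    try:  # on a real box read the live table, otherwise use the sample
        table = subprocess.run(["ss", "-ltn"], capture_output=True,
                               text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        table = SAMPLE_SS
    for finding in audit(table):
        print(finding)
    print("\n".join(iptables_rules()))
```

Run it on the Linux side; with `ss` present it reads the live listener table. The `-i eth0` DROP only matches packets that actually arrive from the network: a connection sshd makes to the box's own address on behalf of a forward is delivered over lo, so the tunnel keeps working whichever destination name is used in PuTTY.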
 
Old 08-29-2002, 01:18 PM   #11
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Original Poster
Rep: Reputation: 15
Thanks!!! That did it.
 
Old 10-20-2002, 07:11 PM   #12
nonamenobody
Member
 
Registered: Oct 2002
Posts: 138

Rep: Reputation: 22
Could someone point out where I might be going wrong?

On my Linux box I have started a VNC server on port 5901 using 'vncserver :1'. I have set up the ssh tunnel on the Linux side using 'ssh -L 5902:localhost:5901 localhost'. On MS-Windows, in the session section of PuTTY the hostname is set to my Linux box's IP, and protocol set to ssh. In the ssh tunnels section I have added 5901 as the source port and <LinuxIP>:5902 as the destination port, giving 'L5901 <LinuxIP>:5902' in the forwarded ports memo box. I have clicked on open and entered my user name and password.

When I try to connect using WinVNC I enter 'localhost:1' as the VNC Server. Then nothing happens at all, no error messages, nothing.

This is driving me crazy. Any help would be much appreciated.

Thanks.
 
Old 04-18-2003, 10:13 AM   #13
zaseny2002
LQ Newbie
 
Registered: Apr 2003
Location: Jersey City, N.J.
Distribution: RedHat 8.0
Posts: 11

Rep: Reputation: 0
For those of you who have RedHat 8.0 and want to VNC into your remote machine this is how I did it:

First I used the Putty application (putty.exe can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/, which is a free SSH client). Under host name type in the IP address of the remote machine. Make sure you check the SSH button for protocol. Also, go down to where it says SSH-->Tunnels and check the box to "Enable X11 forwarding".

Once connected, sign in your username and password.
Then type in the following: ssh -L 5902:type in your remote address here:5901 type in your remote address here (hit enter)

Then type: vncserver (hit enter) This starts up your vncserver. If all goes well you should see a response from the server that says: "New 'X' desktop is localhost.localdomain:1"

Next, type: DISPLAY=localhost:1.0 (hit enter)
Then: export DISPLAY (hit enter)
Then: xhost +localhost (hit enter)

Afterwards, fire up your vncviewer and type: remote address:1 (hit OK)

You should be able to see your remote desktop.

***Nota bene***
1. Where I say remote address please use an IP address; for example, xxx.xxx.xxx.xxx

2. I used the KDE desktop because KDE has an option to turn off anti-aliased fonts, which VNC has trouble displaying. (If anyone knows how to turn it off in Gnome and other window managers please let me know.)

I would like to thank everyone on this website whose posts helped me greatly to use the remote connection. I wanted to write my own experience because many times in the posts advice was given but no response was returned as to whether the advice proved to be successful. Good luck to everyone.
 
Old 07-15-2003, 09:40 AM   #14
vonbayern
LQ Newbie
 
Registered: Jul 2003
Posts: 1

Rep: Reputation: 0
Excellent info but.....

This is what I got, so I can see your answer is a good one, but I didn't see the gui desktop...


VNC authentication succeeded
Desktop name "usrname's X desktop (servername1:4)"
Connected to VNC server, using protocol version 3.3
VNC server default format:
8 bits per pixel.
True colour: max red 7 green 7 blue 3, shift red 0 green 3 blue 6
Using default colormap which is TrueColor. Pixel format:
8 bits per pixel.
True colour: max red 7 green 7 blue 3, shift red 0 green 3 blue 6
Using shared memory PutImage
Same machine: preferring raw encoding
vncviewer: VNC server closed connection
ShmCleanup called
 
Old 08-30-2003, 01:12 AM   #15
SchreibG
LQ Newbie
 
Registered: Aug 2003
Posts: 3

Rep: Reputation: 0
well, first, zaseny's option isn't actually tunnelling vnc... Since all you did at the end was open vnc and connect to remote:port, you're just connecting directly through to the vnc server.

Here's a full walkthrough to enable tunnelling via PuTTY over SSH:

Download/install PuTTY on the local computer, and also the vncviewer.
Launch PuTTY. The opening window should have the Session option. Click on the SSH radio button. In the Host Name (or IP address) field, enter the IP address of the remote computer. For the sake of argument, let's assume that the IP address is 123.456.789.123.
Choose the Tunnels suboption in the SSH option.
In the Source port field, enter some arbitrary port number, e.g. 4901.
In the Destination field, enter the IP address of your remote computer and the port, e.g. 123.456.789.123:5901. The unix version of vnc uses the port 5900 + display number, so the first display number is 5901 usually. The format of the destination is the IP address, colon, port number, as given in the example above. Make sure Local is selected with the radio button at the bottom.
Now click on the Add button.
Go back and click on the Session option, and save this session so you won't have to re-enter all the information.
Click on the Open button at the bottom of the window, and you'll be able to connect to your home computer.
Enter the user name (case sensitive) and the password of your user account (or passphrase for RSA/DSA key users). If everything is fine, you'll be connected to your remote computer.
Now launch vncviewer on the local computer and enter localhost:4901 and click the OK button.
If you're not prompted for the password for vnc, then either you're not running vncserver on your remote computer or some information was incorrectly entered in the PuTTY settings.
Good luck.
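An added example (Python, not code from the thread or from any poster) that models the forwarding chain the walkthrough above and nonamenobody's post both set up: what a viewer target like `localhost:1` or `localhost::4901` means, which remote socket a PuTTY `L<src> <host>:<port>` forward (the same thing as `ssh -L src:host:port`) makes sshd connect to, and whether a listener on the remote box answers there. It encodes one fact about ssh that matters here: a server-side `ssh -L` listener is bound to 127.0.0.1 by default, so it answers only when sshd dials a loopback name. The listener table and the 192.0.2.10 address are constructed placeholders; the firewall is not modelled.

```python
"""Resolve viewer notation and check a VNC-over-SSH forwarding chain.

Added example, not from the thread. Listener table and addresses are
constructed; `host::port` is the double-colon convention common viewers
use for an explicit port.
"""
from typing import Dict, List, Optional, Tuple

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "*", "::"}


def viewer_target(spec: str) -> Tuple[str, int]:
    """'host:N' is display N, i.e. TCP port 5900+N (Unix VNC);
    'host::P' is the explicit port P."""
    if "::" in spec:
        host, port = spec.split("::", 1)
        return host or "localhost", int(port)
    host, _, display = spec.rpartition(":")
    return host or "localhost", 5900 + int(display)


def forward_endpoint(forwards: Dict[int, Tuple[str, int]],
                     local_port: int) -> Optional[Tuple[str, int]]:
    """A connection to local_port is carried over SSH and sshd then
    connects to (dest_host, dest_port) *from the remote box*."""
    return forwards.get(local_port)


def reaches(listeners: List[Tuple[str, int]], dest: Tuple[str, int]) -> bool:
    """Would a connection made on the remote box to dest land on a
    listener? Wildcard binds answer any address; a loopback-only bind
    (the `ssh -L` default) answers only a loopback destination."""
    host, port = dest
    for bind_addr, bind_port in listeners:
        if bind_port != port:
            continue
        if bind_addr in WILDCARD or bind_addr == host:
            return True
        if bind_addr in LOOPBACK and host in LOOPBACK:
            return True
    return False


def check_chain(viewer_spec: str, forwards: Dict[int, Tuple[str, int]],
                listeners: List[Tuple[str, int]]) -> str:
    """Trace viewer -> PuTTY local port -> sshd -> remote listener."""
    host, port = viewer_target(viewer_spec)
    if host not in LOOPBACK:
        return f"viewer goes to {host}:{port} directly, bypassing the tunnel"
    dest = forward_endpoint(forwards, port)
    if dest is None:
        return f"nothing forwards local port {port}: viewer gets connection refused"
    if not reaches(listeners, dest):
        return f"sshd connects to {dest[0]}:{dest[1]} but no listener answers there"
    return f"ok: viewer -> localhost:{port} -> ssh -> {dest[0]}:{dest[1]}"


# Constructed remote listener table: vncserver :1 on every address, plus a
# server-side `ssh -L 5902:localhost:5901 localhost`, bound to loopback.
REMOTE_LISTENERS = [("0.0.0.0", 5901), ("127.0.0.1", 5902)]
LINUX_IP = "192.0.2.10"  # placeholder (TEST-NET), stands in for <LinuxIP>

# Chain from peter_robb's post #10: PuTTY L5902 -> localhost:5901, viewer localhost:2
WORKING = {5902: ("localhost", 5901)}
# Chain from the walkthrough above: PuTTY L4901 -> <remote IP>:5901, viewer localhost::4901
WALKTHROUGH = {4901: (LINUX_IP, 5901)}
# Chain from nonamenobody's post: PuTTY L5901 -> <LinuxIP>:5902, viewer localhost:1
NONAME = {5901: (LINUX_IP, 5902)}

if __name__ == "__main__":
    print(check_chain("localhost:2", WORKING, REMOTE_LISTENERS))
    print(check_chain("localhost::4901", WALKTHROUGH, REMOTE_LISTENERS))
    print(check_chain("localhost:1", NONAME, REMOTE_LISTENERS))
```

The third chain fails in the model for the reason the docstring of `reaches` gives: port 5902 on the remote box is only bound on 127.0.0.1, so a forward whose destination is the box's external address finds nothing listening. Pointing the forward at `localhost:5901` (or simply at the VNC port itself, as the walkthrough does) avoids that.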
 