LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-16-2002, 04:50 PM   #1
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Rep: Reputation: 15
VNC with Putty Tunnel


I'm using Putty in Windows to connect to my remote RH 7.3 box. I log in as localhostortnumber to the Linux box, but I can also log in using IP address: XXX.XXX.XXX.XXXortnumber from a totally different machine at a totally different location and see the same screen!

The instructions (compared for consistency from several web sites) claim that my VNC connection is secured through SSH, but if I can see the same screen connecting through NONSECURE means, then how is this secure?
 
Old 08-16-2002, 05:22 PM   #2
turnip
Member
 
Registered: Jul 2002
Posts: 143

Rep: Reputation: 15
vnc does not use ssh on it's own. I believe it encrypts the username/password exchange but I might be wrong.

You can tunnel vnc through ssh.

SSH into your linux box and start with this:

ssh -L 5902:localhost:5901 localhost

then try connecting to your vnc server on port 5902 if all is well, ssh will tunnel it on to port 5901 where your vnc server is running at.

man ssh if all else fails
 
Old 08-17-2002, 05:09 PM   #3
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Original Poster
Rep: Reputation: 15
That is what I did to set up a secure tunnel; however, the problem is that I can log on to the same secure connection from another computer at a different location without setting up a SSH tunnel and still see what is on the secured connected. In other words, I do not think the connection is really secured.
 
Old 08-19-2002, 02:25 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
That's correct...

Unless you MAKE the only way to access Vnc is thru a secure connection, the Vnc server is just waiting there for ANY request, regardless of how it gets there.

Best to use a firewall rule to deny access to Vnc directly, then the only way will be through the ssh tunnel described by turnip.

Regards,
Peter.
 
Old 08-20-2002, 06:57 PM   #5
klickibunti
LQ Newbie
 
Registered: Aug 2002
Distribution: Red Hat Psyche
Posts: 18

Rep: Reputation: 0
onother great tool is stunnel
 
Old 08-20-2002, 09:33 PM   #6
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Original Poster
Rep: Reputation: 15
Okay. I'm a little confused now. Is this what I do?

Set up IPChains to block out VNC ports in the range 5900-5999 for both source and destination.

SSH into Linux VNC server and type ssh -L 5902:localhost:5901 localhost. This essentially connects the server to itself, building that tunnel.

Connect from client-side to server-side without any port-forwarding set up on the client-side.

This is all theoretical to me at this point, so I have not yet tried it.
 
Old 08-21-2002, 05:51 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Almost,

Using ipchains, block access to the vnc ports for connections coming in the internet interface only, leave the lo interface unblocked, that's where ssh will connect, via lo.
You will only need to block the destination ports.

Putty has an option under 'Connection-SSH-Tunnel' which allows you to create the tunnelled connection.
Make sure your sshd_config on the destination server allows tunnelling. Now it's VERY important you have strong passwords...

On the remote host, after Putty has made the tunnel, look for your vnc connection locally, using whichever local port number you assigned with Putty... '127.0.0.1:590x'

Regards,
Peter
 
Old 08-21-2002, 05:53 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
And a 2nd thought,
you will find iptables can do this more easily than ipchains.
Regards,
Peter
 
Old 08-22-2002, 06:47 PM   #9
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Original Poster
Rep: Reputation: 15
I used Redhat 7.3's GUI to set up IPChains to block on eth0 device destination ports 5900:5999 for all IP addresses.

Under Putty | Connection | SSH | Tunnel, I specify the source port to be 9000 and the destination as localhost:5901, then localhost:22, then xxx.xxx.xxx.xxx:5901.

All 3 instances fail to open up my VNC Viewer under Windows.

/etc/ssh/sshd_config is configured to allow port forwarding and strong passwords:

X11Forwarding yes

What am I missing??

Quote:
Originally posted by peter_robb
Almost,

Using ipchains, block access to the vnc ports for connections coming in the internet interface only, leave the lo interface unblocked, that's where ssh will connect, via lo.
You will only need to block the destination ports.

Putty has an option under 'Connection-SSH-Tunnel' which allows you to create the tunnelled connection.
Make sure your sshd_config on the destination server allows tunnelling. Now it's VERY important you have strong passwords...

On the remote host, after Putty has made the tunnel, look for your vnc connection locally, using whichever local port number you assigned with Putty... '127.0.0.1:590x'

Regards,
Peter
 
Old 08-29-2002, 10:29 AM   #10
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Go back a step and do what you had working before, what turnip said.
ssh into the remote box, type
ssh -L 5902:localhost:5901 localhost

and point your vnc viewer to localhost:5902
this will make your vnc viewer look at your local machine to find the tunnel to the remote machine.
What you did with ipchains was to remove any OTHER access to the vnc server.

In Putty, you can set the same by specifying the local and remote names and ports, 5902 local, 5901 remote.

Regards,
Peter.
 
Old 08-29-2002, 02:18 PM   #11
LinuxHaven
Member
 
Registered: Jul 2002
Posts: 35

Original Poster
Rep: Reputation: 15
Thanks!!! That did it.
 
Old 10-20-2002, 08:11 PM   #12
nonamenobody
Member
 
Registered: Oct 2002
Posts: 138

Rep: Reputation: 22
Could some one point out where I might be goinging wrong.

On my Linux box I have start a VNC server on port 5901 using 'vncserver :1'. I have set up the ssh tunnel on the Linux side using 'ssh -L 5902:localhost:5901 localhost'. On the MS-Windows, in the session section of PuTTY the hostname is set to my Linux box's IP, and protocol set to ssh. In the ssh tunnels section I have added 5901 as the source port and <LinuxIP>:5902 as the destination port giving 'L5901 <LinuxIP>:5902' in the forwarded ports memo box. I have clicked on open and entered my user name and passoword.

When I try to connect using WinVNC I enter 'localhost:1' as the the VNC Server. Then nothing happens at all, no error messages, nothing.

This is driving me crazy. Any help would be much appreciated.

Thanks.
 
Old 04-18-2003, 11:13 AM   #13
zaseny2002
LQ Newbie
 
Registered: Apr 2003
Location: Jersey City, N.J.
Distribution: RedHat 8.0
Posts: 11

Rep: Reputation: 0
Smile

For those of you who have RedHat 8.0 and want to VNC into your remote machine this is how I did it:

First I used the Putty application (putty.exe can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/ which is a free SSH client. Under host name type in the IP address of the remote machine. Make sure you check the SSH button for protocol. Also, go down to where it says SSH-->Tunnels and check the box to " Enable X11 forwarding".

Once connected, sign in your username and password.
Then type in the following: ssh -L 5902:type in your remote adrress here:5901 type in your remote adrress here (hit enter)

Then type: vncserver (hit enter) This starts up your vncserver. If all goes well you should see a response from the server that says:" New 'X' desktop is localhost.localdomain:1

Next, type: DISPLAY=localhost:1.0 (hit enter)
Then: export DISPLAY (hit enter)
Then: xhost +localhost (hit enter)

Afterwards, fire up your vncviewer and type: remote address:1 (hit OK)

You should be able to see your remote desktop.

***Nota bene***
1. Where I say remote address please use an IP address; for example, xxx.xxx.xxx.xxx

2. I used the KDE desktop because KDE as an option to turn off anti-aliased fonts which VNC has trouble displaying. (If anyone knows how to turn it off in Gnome and other window managers please let me know.

I would like to thank everyone on this website whose posts helped me greatly to use the remote connection . I wanted to write my own experience because many times in the posts advice was given but no response was returned as to whether the advice proved to be successful. Good luck to everyone.
 
Old 07-15-2003, 10:40 AM   #14
vonbayern
LQ Newbie
 
Registered: Jul 2003
Posts: 1

Rep: Reputation: 0
Excellent info but.....

This is what I got, so I can see your answer is a good one, but I din't see the gui desktop...


VNC authentication succeeded
Desktop name "usrname's X desktop (servername1:4)"
Connected to VNC server, using protocol version 3.3
VNC server default format:
8 bits per pixel.
True colour: max red 7 green 7 blue 3, shift red 0 green 3 blue 6
Using default colormap which is TrueColor. Pixel format:
8 bits per pixel.
True colour: max red 7 green 7 blue 3, shift red 0 green 3 blue 6
Using shared memory PutImage
Same machine: preferring raw encoding
vncviewer: VNC server closed connection
ShmCleanup called
 
Old 08-30-2003, 02:12 AM   #15
SchreibG
LQ Newbie
 
Registered: Aug 2003
Posts: 3

Rep: Reputation: 0
well, first, zaseny's option isn't actually tunnelling vnc... Since all you did at the end was open vnc and connect to remoteort, you're just connecting directly through to the vnc server.

Here's a full walkthrough, enable tunnelling via PuTTY over SSH:

Download/install PuTTY on the local computer, and also the vncviewer.
Launch PuTTY. The opening window should have the Session option. Click on the SSH radio button. In the Host Name (or IP address) field, enter the IP address of the remote computer.
For the sake of argument, let's assume that the IP address is
123.456.789.123.
Choose Tunnels suboption in the SSH option.
In the Source port field, enter some arbitrary port number, e.g. 4901.
In the Destination field, enter the IP address of your remote computer and
the port, e.g. 123.456.789.123:5901.
The unix version of vnc uses the port 5900 + display number, so the
first display number is 5901 usually.
The format of the destination is the IP address, colon, port number, as
given in the example above. Make sure local is selected with the radio button at the bottom.
Now click on the Add button.
Go back and click on the Session option, and save this session so you
won't have to re-enter all the information.
Click on the Open button at the bottom of the window, and you'll be able
to connect to your home computer.
Enter the user name (case sensitive) and the password of your
user account (or passphrase for RSA/DSA keyusers)
If everything is fine, you'll be connected to your remote computer.
Now launch vncviewer on the local computer and enter localhost:4901 and
click the OK button.
If you're not prompted for the password for vnc, then either you're not
running vncserver on your remote computer or some information was
incorrectly entered in PuTTY setting.
Good luck.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
tunnel vnc through openssh disorderly Linux - Security 9 08-22-2005 03:56 PM
SSH tunnel using PuTTy - Samba jackster Linux - Security 4 02-12-2005 05:07 PM
Help with VNC and PuTTY rfkhickory Linux - Newbie 5 04-14-2004 11:16 PM
VNC with Putty Tunnel port ziggie216 Linux - Software 10 12-02-2003 09:32 PM
VNC and SSH Tunnel Syncrm Linux - General 13 04-06-2003 05:46 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration