
#1 2017-10-07 21:01:51

samstarnes
Member
Registered: 2017-10-07
Posts: 10

SSH/SSL x11vnc on Arch setup problems

I'm trying to connect to x11vnc server either using an SSL certificate or tunnel through ssh for a bit more security.
I don't want to use Teamviewer or Nomachine, strictly x11vnc. I've read everything under the wiki for x11vnc and through documentation on karlrunge.com/x11vnc/
From what I've found, doing SSL won't really work for me since I can't seem to find a client that works for both Windows & Android to connect with a certificate so I've opted for ssh tunneling.

I can get x11vnc to work unencrypted, just not over ssh.
Looking at the documentation for x11vnc, tunneling vnc through ssh would be:

sitting-here> ssh -t -L 5900:localhost:5900 far-away.east 'x11vnc -localhost -display :0'

and I run ssh -t -L 5900:localhost:5900 phoenix@domain -p 51973 'x11vnc -localhost -display :0 -auth guess -forever -noxdamage -repeat -rfbauth /home/phoenix/.vnc/passwd -shared'
x11vnc starts on PORT=5901 and when I attempt to connect to localhost:5901 I'll get an error (channel 1015 open failed: connect failed: open failed):

[phoenix@archphoenix ~]$ ssh -t -L 5900:127.0.0.1:5900 phoenix@domain -p 51973 'x11vnc -localhost -display :0 -auth guess -forever -noxdamage -repeat -rfbauth /home/phoenix/.vnc/passwd -shared'
- Arch Linux -
Verification code:
Password:
07/10/2017 16:25:37 passing arg to libvncserver: -rfbauth
07/10/2017 16:25:37 passing arg to libvncserver: /home/phoenix/.vnc/passwd
07/10/2017 16:25:37 x11vnc version: 0.9.14 lastmod: 2015-11-14  pid: 7946
07/10/2017 16:25:37 -auth guess: using default XAUTHORITY for display=':0'
07/10/2017 16:25:37 Using X display :0
07/10/2017 16:25:37 rootwin: 0x122 reswin: 0x800001 dpy: 0x468c0070
07/10/2017 16:25:37
07/10/2017 16:25:37 ------------------ USEFUL INFORMATION ------------------
07/10/2017 16:25:37 X COMPOSITE available on display, using it for window polling.
07/10/2017 16:25:37   To disable this behavior use: '-noxcomposite'
07/10/2017 16:25:37
07/10/2017 16:25:37 Wireframing: -wireframe mode is in effect for window moves.
07/10/2017 16:25:37   If this yields undesired behavior (poor response, painting
07/10/2017 16:25:37   errors, etc) it may be disabled:
07/10/2017 16:25:37    - use '-nowf' to disable wireframing completely.
07/10/2017 16:25:37    - use '-nowcr' to disable the Copy Rectangle after the
07/10/2017 16:25:37      moved window is released in the new position.
07/10/2017 16:25:37   Also see the -help entry for tuning parameters.
07/10/2017 16:25:37   You can press 3 Alt_L's (Left "Alt" key) in a row to
07/10/2017 16:25:37   repaint the screen, also see the -fixscreen option for
07/10/2017 16:25:37   periodic repaints.
07/10/2017 16:25:37
07/10/2017 16:25:37 XFIXES available on display, resetting cursor mode
07/10/2017 16:25:37   to: '-cursor most'.
07/10/2017 16:25:37   to disable this behavior use: '-cursor arrow'
07/10/2017 16:25:37   or '-noxfixes'.
07/10/2017 16:25:37 using XFIXES for cursor drawing.
07/10/2017 16:25:37 GrabServer control via XTEST.
07/10/2017 16:25:37
07/10/2017 16:25:37 Scroll Detection: -scrollcopyrect mode is in effect to
07/10/2017 16:25:37   use RECORD extension to try to detect scrolling windows
07/10/2017 16:25:37   (induced by either user keystroke or mouse input).
07/10/2017 16:25:37   If this yields undesired behavior (poor response, painting
07/10/2017 16:25:37   errors, etc) it may be disabled via: '-noscr'
07/10/2017 16:25:37   Also see the -help entry for tuning parameters.
07/10/2017 16:25:37   You can press 3 Alt_L's (Left "Alt" key) in a row to
07/10/2017 16:25:37   repaint the screen, also see the -fixscreen option for
07/10/2017 16:25:37   periodic repaints.
07/10/2017 16:25:37
07/10/2017 16:25:37 XKEYBOARD: number of keysyms per keycode 7 is greater
07/10/2017 16:25:37   than 4 and 51 keysyms are mapped above 4.
07/10/2017 16:25:37   Automatically switching to -xkb mode.
07/10/2017 16:25:37   If this makes the key mapping worse you can
07/10/2017 16:25:37   disable it with the "-noxkb" option.
07/10/2017 16:25:37   Also, remember "-remap DEAD" for accenting characters.
07/10/2017 16:25:37
07/10/2017 16:25:37 X FBPM extension not supported.
07/10/2017 16:25:37 X display is capable of DPMS.
07/10/2017 16:25:37 --------------------------------------------------------
07/10/2017 16:25:37
07/10/2017 16:25:37 Default visual ID: 0x21
07/10/2017 16:25:37 Read initial data from X display into framebuffer.
07/10/2017 16:25:37 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/5464
07/10/2017 16:25:37 WARNING: Width (1366) is not a multiple of 4. VncViewer has problems with that.
07/10/2017 16:25:37
07/10/2017 16:25:37 X display :0 is 32bpp depth=24 true color
07/10/2017 16:25:37
07/10/2017 16:25:37 Autoprobing TCP port
07/10/2017 16:25:37 Autoprobing selected TCP port 5901
07/10/2017 16:25:37 Autoprobing TCP6 port
07/10/2017 16:25:37 rfbListenOnTCP6Port: error in bind IPv6 socket: Address already in use
07/10/2017 16:25:37 Autoprobing selected TCP6 port 5901
07/10/2017 16:25:37 listen6: bind: Address already in use
07/10/2017 16:25:37 Not listening on IPv6 interface.
07/10/2017 16:25:37
07/10/2017 16:25:37 Xinerama is present and active (e.g. multi-head).
07/10/2017 16:25:37 Xinerama: number of sub-screens: 1
07/10/2017 16:25:37 Xinerama: no blackouts needed (only one sub-screen)
07/10/2017 16:25:37
07/10/2017 16:25:37 fb read rate: 2096 MB/sec
07/10/2017 16:25:37 fast read: reset -wait  ms to: 10
07/10/2017 16:25:37 fast read: reset -defer ms to: 10
07/10/2017 16:25:37 The X server says there are 12 mouse buttons.
07/10/2017 16:25:37 screen setup finished.
07/10/2017 16:25:37

The VNC desktop is:      localhost:1
PORT=5901

******************************************************************************
Have you tried the x11vnc '-ncache' VNC client-side pixel caching feature yet?

The scheme stores pixel data offscreen on the VNC viewer side for faster
retrieval.  It should work with any VNC viewer.  Try it by running:

    x11vnc -ncache 10 ...

One can also add -ncache_cr for smooth 'copyrect' window motion.
More info: http://www.karlrunge.com/x11vnc/faq.html#faq-client-caching

channel 1015: open failed: connect failed: open failed
channel 1016: open failed: connect failed: open failed

My /etc/ssh/sshd_config file:

#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 51973
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none

# no default banner path
Banner /etc/issue

# override default of no subsystems
Subsystem       sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

Attempting to connect to the VNC with RealVNC on Windows.
However, if I connect to localhost:5900 then it connects fine. It says it's not encrypted, but I'm not too sure whether RealVNC just doesn't detect ssh tunneling?


#2 2017-10-07 21:25:53

samstarnes
Member
Registered: 2017-10-07
Posts: 10

Re: SSH/SSL x11vnc on Arch setup problems

Also to make it clear, I want to be able to connect to the server remotely off LAN. If I'm on mobile or somewhere else not connected to the network, I'd like to be able to connect to the server on x11vnc securely. When I attempted to connect to the domain with VNC Viewer on Android, it said "The port on which the computer is listening for a connection could not be contacted." I imagine this is because there's no ssh connection to forward port 5900.


#3 2017-10-08 02:45:00

samstarnes
Member
Registered: 2017-10-07
Posts: 10

Re: SSH/SSL x11vnc on Arch setup problems

I guess I've got it working? For Android I've used bVNC Pro to tunnel vnc through ssh. There is a free option available, but I have to use the Pro version since I've set up 2-step verification along with the ssh password. On mobile I could connect fine on wan. Also, in the Configure AutoX settings on bVNC I had to use 'Find or create with Xvnc' in order for it to connect properly.

On Windows I've used both RealVNC and TightVNC and they both work fine to connect to localhost:5900. Now for RealVNC, when I connect it still says it's not encrypted... but I imagine it's still running under ssh under port 5900?
Is there any way to check if these connections are secure?

Last edited by samstarnes (2017-10-08 02:47:08)
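Two things in this thread can be checked mechanically: the "channel N: open failed" in post #1 comes from the forward pointing at port 5900 while x11vnc autoprobed 5901, and post #3 asks how to tell whether the VNC listener is only reachable through the tunnel. The following is an added example written for this page, not code from the thread or from x11vnc; it is POSIX sh, parses x11vnc's log output and `ss -ltn` output as text, and the sample log and socket listing it runs on are constructed. The `-rfbport` option it mentions is a real x11vnc option for pinning the listening port.

```shell
#!/bin/sh
# Added example (not from the thread): checks for an x11vnc-over-ssh tunnel.
# Both functions work on text, so they accept real command output as well as
# the constructed samples below.

# Print the port x11vnc actually chose, taken from its log output
# ("Autoprobing selected TCP port NNNN" or the final "PORT=NNNN" line).
x11vnc_port() {
    sed -n 's/.*Autoprobing selected TCP port \([0-9][0-9]*\).*/\1/p; s/^PORT=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the remote (target) port of an ssh -L spec such as 5900:localhost:5900.
forward_target_port() {
    printf '%s\n' "$1" | awk -F: '{ print $NF }'
}

# Succeed only if the -L target port ($1) equals the port in the x11vnc log (stdin).
# A mismatch is exactly the "channel N: open failed: connect failed" symptom.
tunnel_matches() {
    actual=$(x11vnc_port)
    [ -n "$actual" ] && [ "$actual" = "$(forward_target_port "$1")" ]
}

# Read `ss -ltn` output on stdin; succeed only if every listener on port $1
# is bound to loopback, i.e. reachable only through the tunnel (x11vnc -localhost).
vnc_loopback_only() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (port == p && addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed samples modelled on the log in post #1 and a typical ss listing.
SAMPLE_LOG='07/10/2017 16:25:37 Autoprobing selected TCP port 5901
PORT=5901'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
LISTEN 0      128    0.0.0.0:51973       0.0.0.0:*'

if printf '%s\n' "$SAMPLE_LOG" | tunnel_matches 5900:localhost:5900; then
    echo "forward target matches x11vnc port"
else
    echo "MISMATCH: x11vnc is on $(printf '%s\n' "$SAMPLE_LOG" | x11vnc_port); pin it with -rfbport or adjust -L"
fi
printf '%s\n' "$SAMPLE_SS" | vnc_loopback_only 5901 && echo "5901 is loopback-only"
```

On the real machine, feed `ss -ltn` into `vnc_loopback_only 5900` (or whichever port x11vnc reports) and the x11vnc log into `tunnel_matches` with the same `-L` spec you pass to ssh.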

