#1 2009-06-15 16:03:38

calle
Member
From: Germany
Registered: 2008-11-14
Posts: 45

problem in understanding ssh and vnc

hi there,

i am heavily spreading out linux-desktops on my family members' and friends' machines, which now turns back at me, for i am the person asked when anything isn't working. still i'm gladly doing this for my urgent desire to prevent them from going back to the not-so-good-os, but nonetheless i am sick of helping people out on the telephone, not actually being able to see what they are messing up again while misunderstanding what i am saying. so i have come to the conclusion that being able to administrate their computers from my home machine would be a great relief for all of us. but as i still have some pedagogic intentions i want them to see what i am doing, so the next time a certain problem occurs, they might maybe be able to help themselves. so in this case i'm using x11vnc and not tightvnc, right?

anyway this is not my problem as i guess i can set these up properly. what IS a problem is that all of these computers are spread out throughout the country so i would have to access them somehow through the internet. and as i don't want any nasty hacker out there to mess around with something that isn't their business i want to secure the given connection through ssh.

for that in .x11vncrc i am adding:

localhost # Only accept local connections. This makes your x11vnc secure along with SSH.

now what i don't understand is, how does the remotely accessed computer verify that the incoming connection comes from a trusted machine? wouldn't anybody out there be able to access the servers through an ssh connection? where do the encryption and decryption come in? where do i set up a password?

so what i'm asking for is a short introduction into ssh tunneling. any resources discussing ssh in combination with vnc in a more specific way would also be highly appreciated.

thank you again in advance

Last edited by calle (2009-06-15 16:07:00)

#2 2009-06-15 16:32:41

rine
Member
From: Germany
Registered: 2008-03-04
Posts: 217

Re: problem in understanding ssh and vnc

http://www.ibm.com/developerworks/aix/l … index.html
I haven't read the article, but it should work.

The data you transfer via ssh is encrypted. If you don't use keyfiles and someone has your password, he can ssh into the machine of course. I'd recommend using keyfiles and setting "PasswordAuthentication no" in sshd_config.

Last edited by rine (2009-06-15 16:33:16)

#3 2009-06-15 16:44:57

brisbin33
Member
From: boston, ma
Registered: 2008-07-24
Posts: 1,796

Re: problem in understanding ssh and vnc

a short checklist for putting this together:

set up and start the ssh server on the remote box, i suggest you generate a private rsa key and use an odd port like 2022 or something

make sure you can get to the remote box if it's behind a router by setting up a static LAN IP and forwarding the chosen port to that IP

ssh in with your key and tunnelling 5900 (something like ssh -L 5900 localhost:5900 user@ip, but can't remember for sure -- i.e. man ssh)

start x11vnc with the --localhost option from inside your ssh session

connect to localhost with tightvnc on your local box

should be good to go!

#4 2009-06-15 17:57:34

MiCap
Member
From: Portugal
Registered: 2009-06-12
Posts: 10

Re: problem in understanding ssh and vnc

You could use SSL. Create your own certificates and make the server accept only connections from computers that have the certificate you created.
I used that config on my VNC server: #x11vnc -ssl ~/.vnc/certs/server.pem -sslverify CA
I tried to tunnel my SSL through SSH but it failed. I couldn't make the correct configurations.
My server (with only SSL) only accepts users that are trying to connect and have the CA certificate that I created. There are explanations on the official x11vnc page on how to do that.
The problem is that I couldn't find a VNC viewer that supports all that stuff and works perfectly.

#5 2009-06-15 19:38:31

derelict
Member
Registered: 2006-07-25
Posts: 81

Re: problem in understanding ssh and vnc

This is the guide I used long ago when I had the same question. http://www.g-loaded.eu/2005/11/10/confi … in-fedora/. Check out the ssh integration toward the end of the guide. I really like the auto-closing bit.

I would agree about using key-authentication for added security. You could also configure iptables to only allow connections from your ip address, assuming it's static. There's a good guide for that on the wiki, here http://wiki.archlinux.org/index.php/Sim … wall_HOWTO

#6 2009-06-16 10:55:59

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: problem in understanding ssh and vnc

Here are some more thoughts:
Like brisbin33 said, set up an ssh server on the remote machine and make it listen on a non-standard port. If the computer is directly exposed to the internet then set up iptables to block any incoming connection you don't need (you will need a few for things to work, including the port ssh is listening on).

If you want them to see what you are doing (and not have to teach them how to connect to a locally running vnc server) then load the vnc module in your xorg.conf; this way it will serve the physical display and not a virtual display. As a (weak) security measure you can also set up a password.
Check more here http://www.realvnc.com/products/free/4.1/x0.html and also the page derelict mentions, it depicts the method of setting up a vnc server but with virtual screens.

Use the public key authentication scheme as suggested before, I guess it is more secure and a _lot_ more convenient

Then when connecting to the remote machine do the following

ssh -Cf -L someport:localhost:5900 username@remote_machine_ip sleep 10; vncviewer localhost:someport

The connection will go through ssh so it is secure.

#7 2009-06-16 11:13:06

calle
Member
From: Germany
Registered: 2008-11-14
Posts: 45

Re: problem in understanding ssh and vnc

ok, thanks a lot so far.

let's see now if i got that right:

1. i install openssh on my local machine and create a rsa-key pair with ssh-keygen.

2. i install openssh on the remote machine i want to take control of and make sure that rsaauthentication is enabled in the respective config-file.

3. i'm adding the generated public key id_rsa.pub to the ~/.ssh/authorized_keys file on the machine i want to control remotely, where ~ is the home of the user whose account i wanna have access to.

4. i am forwarding either port 22 or any other odd port i told the ssh daemon to use from the remote's machine firewall to the remote machine.

5. i'm starting the ssh daemon on the remote machine (or let that be done automatically on system startup or by the person sitting physically in front of the pc)
question: is this all that needs to be done on the remote machine?

6. i'm ssh-ing into the remote machine by something like

ssh ID@remote.pc -L5900:localhost:5900 'x11vnc -auth `cat ~/.Xauth`'

where ID is the name of the user whose account i want to steer.

my private key is then compared to the public key mentioned above, access is granted and i'm getting into a commandline on the remote machine saying something like:

 controlleduser@remotemachine:~/ _

7. in that shell i am starting x11vnc which is then running on the server. (?)

8. finally i am starting a vncviewer on my local machine and will be able to see and use the remote's desktop.

doing this i will not need to forward port 5900 from the router to the remote machine because everything tunnels through the ssh connection, right?

is everything right like that?
i'm sorry i have to ask so many questions, but i can't test the whole thing right now because i am sitting in front of the remote machine and need to set up everything properly before getting back home to the local one. and as there are about 300 km between these computers i kind of wanna make sure that everything on this side works fine.

#8 2009-06-16 18:02:24

brisbin33
Member
From: boston, ma
Registered: 2008-07-24
Posts: 1,796

Re: problem in understanding ssh and vnc

R00KIE wrote:

If you want the[m] to see what you are doing (and not having to teach then how to connect to a local running vnc server) then load the vnc module in your xorg.conf, this way it will serve the physical display and not a virtual display.

i could be wrong, but when i start x11vnc i use the following options:

> grep vncup .bash_alias
alias vncup='x11vnc -nopw -ncache 10 -display :0 -localhost'

and i thought '-display :0' took care of that whole virtual vs physical screen thing. and it's a lot easier than messing with xorg.conf

also,

calle wrote:

1. i install openssh on my local machine and create a rsa-key pair with ssh-keygen.

2. i install openssh on the remote machine i want to take control of and make sure that rsaauthentication is enabled in the respective config-file.

3. i'm adding the generated public key id_rsa.pub to the ~/.ssh/authorized_keys file on the machine i want to control remotely, where ~ is the user's name whose account i wanna have acces to.

i think you're a bit mixed here.

1.  install openssh on the remote machine, set up the config properly and generate the key pair with ssh-keygen on the remote machine

2.  bring the generated key file called id_rsa back home on a flash drive and copy it into ~/.ssh

3.  cross your fingers and try to connect.

Last edited by brisbin33 (2009-06-16 18:05:56)

#9 2009-06-16 20:05:53

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: problem in understanding ssh and vnc

@brisbin33
That may do as well, I have never tried it so I didn't mention it. I have tried the method in the page derelict mentioned and the one I have mentioned and I know them to work. About fiddling with xorg.conf, I don't think an Arch user will be afraid to do that, but one should choose whatever is easier or works better. I'll give that one a try though.

Also I don't have x11vnc on my machine (I use tightvnc) or the remote machines I connect to (fedora 7 and centos 5) so I just use what is already there (and that I can find tutorials to help me, just using man sometimes doesn't help much).

About the key pair, usually I generate the pair locally and just copy the id_rsa.pub to the remote machine(s) with scp and add it to the authorized_keys there, just like calle says (cat or mv, check the permissions if anything doesn't work, when in doubt "chmod -R 700 .ssh"). I also change the ssh config on the local machine to try only the public_key and password authentication methods so I don't have to wait for it to try all the other methods (it either works with public key or falls back to password which should work always).

About the port forwarding, everything goes through ssh so you just need to set up the remote router so the connection to the ssh port goes through.
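Added example for the procedure calle summarizes in #7 and the key/port advice in #6, #8 and #9; this is not code from the thread or from any poster. It checks the three things the thread leaves to trust: that sshd accepts keys only on a non-default port, that x11vnc really listens on loopback only, and that the -L syntax is right. The sshd_config fragment and the `ss -ltn` listing are constructed, and the user `alice` and host `example.invalid` are placeholders.

```shell
# Added example (not from the thread). Before trusting "x11vnc -localhost behind
# ssh -L", check: (1) sshd takes keys only and sits on a non-default port,
# (2) the VNC socket is bound to loopback only, (3) the -L syntax is right.
# The sshd_config fragment and the socket listing below are constructed.

SSHD_CONF=$(mktemp)
cat >"$SSHD_CONF" <<'EOF'
# constructed sshd_config fragment; as in sshd, the first active directive wins
Port 2022
PubkeyAuthentication yes
PasswordAuthentication no
#PasswordAuthentication yes
EOF

# Constructed listing in the shape of `ss -ltn` (local address:port is column 4).
SOCKETS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2022       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*'

# sshd_value FILE KEY: first uncommented value of KEY, matched case-insensitively.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd FILE: 0 if password logins are off, keys are on and the port is not 22.
check_sshd() {
    [ "$(sshd_value "$1" PasswordAuthentication)" = no ] || { echo "FAIL: PasswordAuthentication not 'no'"; return 1; }
    [ "$(sshd_value "$1" PubkeyAuthentication)" != no ] || { echo "FAIL: PubkeyAuthentication is 'no'"; return 1; }
    p=$(sshd_value "$1" Port)
    [ -n "$p" ] && [ "$p" != 22 ] || { echo "FAIL: sshd still on port 22"; return 1; }
}

# vnc_loopback_only LISTING PORT: 0 if every listener on PORT is on a loopback
# address (what x11vnc -localhost should give), 1 if any is reachable from the LAN.
vnc_loopback_only() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" && $4 ~ (":" port "$") && $4 !~ /^(127\.0\.0\.1|\[::1\]):/ { bad = 1 }
        END { exit bad }'
}

# tunnel_cmd LPORT USER HOST SSHPORT: bind LPORT on the local loopback, forward it
# to 5900 on the remote loopback, and start x11vnc inside that same session.
tunnel_cmd() {
    printf "ssh -p %s -o BatchMode=yes -L 127.0.0.1:%s:localhost:5900 %s@%s 'x11vnc -localhost -display :0'\n" \
        "$4" "$1" "$2" "$3"
}

check_sshd "$SSHD_CONF" && vnc_loopback_only "$SOCKETS" 5900 \
    && echo "ok, connect with: $(tunnel_cmd 5901 alice example.invalid 2022)"
```

With the tunnel up, the viewer connects to localhost:5901 on the home machine; nothing on the remote router needs to forward 5900, only the ssh port.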

#10 2009-06-18 07:24:05

robmaloy
Member
From: Germany
Registered: 2008-05-14
Posts: 263

Re: problem in understanding ssh and vnc

use FreeNX / NX Free

#11 2009-06-18 12:58:13

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,354

Re: problem in understanding ssh and vnc

Within my local network I also use port-knocking (knockd in the AUR) for minimal security. Of course, by itself it isn't fool-proof, but coupled with other security systems....

#12 2009-06-24 12:59:46

calle
Member
From: Germany
Registered: 2008-11-14
Posts: 45

Re: problem in understanding ssh and vnc

hej there,

just wanted to inform you that back home now, i got everything working fine.
vnc through ssh works, but it was too slow for my taste, so i checked out freenx and it's perfectly what i was looking for, although i don't like all this non-transparent gui stuff around it.

thanks a lot for all your help and thanks for the freenx hint

Last edited by calle (2009-06-24 13:00:04)