
VNC over SSH : securing the remote desktop

I was discussing VNC this afternoon with some students, and the question came up of how to secure VNC.  As you may have noticed, most network protocols have little built-in security.  Many rely on other programs, such as ssh, for their network security needs.  This is also the case with VNC.

If you use VNC regularly to connect to other Linux machines, you may want to consider adding a layer of encryption underneath it with ssh.  Here is a quick rundown of how that is done:

If you look at the man page for vncviewer (man 1 vncviewer), you’ll notice there is a small section for -via.  As outlined in the man page, the -via option:

Makes the connection go through SSH to a gateway host.  The gateway should be the target host for best connection secrecy.

Basically this is saying that you can tunnel VNC over SSH within your connection command.  Let’s give it a try.

vncviewer -via user@host localhost:0

This, of course, will require that you have both ssh and vnc access to a remote machine.
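
As an added example (not from the original post or from the vncviewer project), the shell functions below print the manual SSH port-forward that does roughly what -via does, and check `ss -ltn` output from the target host for VNC listeners that are reachable without the tunnel. The function names, the default local port 5901 and the sample `ss` output are constructed assumptions.

```shell
#!/bin/sh
# Added example: manual equivalent of "vncviewer -via", plus an exposure check.

# VNC display :N listens on TCP port 5900+N.
vnc_port() {
    echo $((5900 + $1))
}

# Print (do not run) the ssh local-forward command for a display.
# Args: gateway, display, ssh port (default 22), local port (default 5901).
# ExitOnForwardFailure makes ssh abort rather than leave the viewer pointed
# at a local port that was never forwarded.
# Afterwards connect with: vncviewer localhost:1   (display 1 = port 5901)
tunnel_cmd() {
    gw=$1; disp=$2; sshport=${3:-22}; lport=${4:-5901}
    echo "ssh -f -p $sshport -o ExitOnForwardFailure=yes -L $lport:localhost:$(vnc_port "$disp") $gw sleep 20"
}

# Read "ss -ltn" output on stdin and print VNC listeners (ports 5900-5999)
# bound to a non-loopback address, i.e. reachable in cleartext without ssh.
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port + 0 < 5900 || port + 0 > 5999) next
        if (host ~ /^127\./ || host == "[::1]") next
        print addr
    }'
}

# Constructed sample of "ss -ltn" output from the target host.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      5      [::]:5902          [::]:*'

tunnel_cmd user@host 0
printf '%s\n' "$SAMPLE" | exposed_vnc_listeners
```

Any address the check prints is a VNC server that still accepts unencrypted connections from the network; binding the server to localhost or firewalling ports 5900-5999 leaves the SSH tunnel as the only way in.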


  1. LaserJock
    June 12th, 2007 at 20:59 | #1

    Christer, nice post. Just one comment on your blog. Would it be possible to move the top Google ads lower or on the right? It always throws me off as the beginning is a skinny little column of text on the right that’s only 3-4 words wide. It makes it a bit difficult to read for me.

  2. Aaron Throckmorton
    June 12th, 2007 at 21:09 | #2

    So how do you set up vnc on a server or desktop to accept connections using ssh?

  3. June 12th, 2007 at 23:30 | #3

    Hey Christer,

    I’d say that you didn’t read my post from a while back on this same subject. I like that you are learning though. Linux rocks!!

    http://fedora-tutorials.com/2007/03/14/vnc-seeing-linux-in-linux/

    Cheers,

    Clint

  4. June 13th, 2007 at 02:34 | #4

    I didn’t know vncviewer had that option.
    I’ve been manually setting up ssh port forwarding of port 5900 for years.

  5. mike
    June 13th, 2007 at 04:16 | #5

    So, when will this be added into rdesktop, the most usually installed application for the task of connecting remote desktops via rdp and vnc?

  6. Mario
    June 13th, 2007 at 15:53 | #6

    For the last 2 years I’ve always manually set up a port forward for VNC. This is ingenious.

  7. Carmelo Lisciotto
    June 16th, 2007 at 17:04 | #7

    Chris, nice blog, keep it going…

    Carmelo Lisciotto

  8. Wes Turner
    June 26th, 2007 at 22:30 | #8

    Good call on the -via command. While it’s a considerably heavier setup, nx server seems worth mentioning.

    https://help.ubuntu.com/community/FreeNX

  9. browser
    September 6th, 2007 at 21:14 | #9

    for more advanced vnc over setup : http://users.rcn.com/tushar.manglik/

  10. Dave
    October 5th, 2007 at 01:50 | #10

    Nice article! I assume the ‘via’ option causes vncviewer to connect to remote port 22? How would you go about doing this if you were running SSH on another port?

    In my case, remote ssh is listening on 22, but the machine is behind a router forwarding port xxx to machine:22..

  11. Sam
    June 1st, 2008 at 11:27 | #11

    Just managed to achieve the above:
    vncviewer -via "user@host -p port" localhost:0

  12. monty
    December 1st, 2008 at 01:32 | #12

    Does it mean someone always has to be logged into the remote machine?
    Like in ssh, if someone else is logged on, I can still log in with my own account,

    whereas in VNC, can I do that? I mean, if you have ever used Windows remote desktop, you know what I am talking about.

  13. Christian
    July 13th, 2009 at 18:02 | #13

    Nice… Did not know about the -via option, how elegant!!!!
