I covered VNC this afternoon in my Linux system administration course and the question came up on how to secure VNC. You may or may not be aware than VNC is not encrypted by default, which could be a security concern.
If you use VNC regularly to connect to other Linux machines you may want to consider adding a level of encryption with SSH. Here is a quick run-down on how that is done:
If you look at the man page for vncviewer (man vncviewer) you’ll notice there is a small section for -via. The -via option, as outlined in the man page will do:
Makes the connection go through SSH to a gateway host. The gateway should be the target host for best connection secrecy.
Basically this is saying that you can tunnel VNC over SSH within your connection command. Let’s give it a try.
vncviewer -via user@host localhost:0
This, of course, will require that you have both ssh and vnc access to a remote machine.
This is a much simpler method than many other tutorials I’ve found which generally suggest creating a tunnel with ssh -L and then using that tunnel.
You can also use the VNC_VIA_CMD environment variable to override the ssh command used (if, for example, you run sshd on a non-standard port), eg:
VNC_VIA_CMD=’/usr/bin/ssh -p 22222 -f -N -L “$L”:”$H”:”$R” “$G”‘ vncviewer -via user@host localhost:0
But can you stop vino from allowing clear vnc sessions? Always seemed weak to me that all you needed to take control of someone’s whole screen if you had vino running was their password which can’t be more than 8 digits anyways.
This is a good idea. Do you know if this is available from other standard GUI clients? For example, Remote Desktop Connections on Ubuntu, or Windows clients like UltraVNC? Also, can you restrict your VNC server to *only* accept secure connections?
Why is this so slow compared to un-encrypted VNC? I just posted a question in the forums like 2 days ago and no one has responded to it? Please, if you have any info, post it in the forum. Thanks.
http://ubuntuforums.org/showthread.php?t=826182
It is slower encrypted because encryption takes a simple word, like “password” and encrypts it often with much overhead, to something like, “ijfvxmiqie3fndn”.
Now show us how to have a login VNC session that goes back to a login screen after closing, so one can login or different user can login. That’s what is needed. Something that works like Windows Remote Desktop. Remote Desktop is already encrypted, by the way.
Why does everyone write an article about VNC over ssh? Been around for many years.
Write an analysis if encryption is necessary in most cases. Now that would be worth reading.
Forget VNC. Use NX. It uses SSH already, it has many advantages over VNC, and it’s a whole lot faster over any connection, especially slow ones.
@Hans – only problem is FreeNX isn’t packaged by Ubuntu so it would require some more work and the current clients either don’t work or are not free software.
Perhaps it’ll make for a tutorial sometime, but sticking with the “default” tools, vnc over ssh is a good option.
Would this method honor the
*Compression* and *CompressionLevel* directives in a local $HOME/.ssh/config file? If so, this might help with the slowness that Bob noted, above.