Post date: 03-May-2010 13:36:30
Apart from the connection password, VNC is not a secure protocol: all commands and data are passed unencrypted over the connection. On a home network this is not such an issue, but I would strongly recommend not doing this over the internet. In this tutorial I will show you how to connect from a Windows or Linux client machine to a Linux server running vncserver, with the VNC traffic carried inside an ssh tunnel.
If you don't know how to get vncserver set up you should refer to the Configuring a vncserver in Linux page on my site before continuing.
The host machine must be running the vncserver and must also have the openssh server installed:
$ rpm -qa|grep openssh-server
openssh-server-4.3p2-4
If you are running Linux you probably already have openssh installed. To check, type:
$ rpm -qa|grep openssh
openssh-server-4.3p2-4
openssh-4.3p2-4
openssh-clients-4.3p2-4
openssh-askpass-4.3p2-4
The second line, openssh-4.3p2-4, is the client software required; if you don't have it, simply install it via yum, since the package is available in the Fedora repositories.
On Windows I use PuTTY as my ssh client. Just download the file called putty.exe and save it somewhere; it requires no installation, just click on the program to start it.
As a VNC viewer I use RealVNC; it's free to download and very easy to use. Once installed, go to the Programs menu > RealVNC > VNC Viewer 4 > Run VNC Viewer to open the viewer.
On Fedora Core, by default, no connections are allowed to the ssh daemon, so we need to allow our client machine to connect to the server. Open the file /etc/hosts.allow as root and add the following line:
$ vi /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd:192.168.1.109
This is just sshd: followed by the IP address of the client computer. If you wish you could add sshd:ALL to allow any host to connect; you would need to do this if you don't know the IP address of the client machine or if it changes because a DHCP server assigns it.
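As an added check (my own example code, not part of the original tutorial), the following POSIX shell functions inspect hosts.allow-style rules and report whether sshd has been restricted to a named client, as above, or opened to every host with ALL. The sample rule sets are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: inspect hosts.allow-style
# rules and tell whether sshd is restricted to named clients or open to ALL.

# Print the client list of every non-comment rule that covers sshd
# (either "sshd" or "ALL" in the daemon list). Argument: file contents.
sshd_client_lists() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        daemons=${line%%:*}             # text before the first ':'
        rest=${line#*:}
        clients=${rest%%:*}             # drop an optional third field
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            case "$d" in
                sshd|ALL)
                    printf '%s\n' "$clients" | sed 's/^ *//;s/ *$//'
                    break ;;
            esac
        done
    done
}

# Return 0 (true) if any rule grants sshd to ALL clients, 1 otherwise.
hosts_allow_sshd_is_open() {
    sshd_client_lists "$1" | grep -E -q '^ALL( |$)'
}

# Constructed sample rule sets, in the format used in /etc/hosts.allow.
RULES_RESTRICTED='# allow only the client machine
sshd:192.168.1.109'
RULES_OPEN='# allow any host to talk to sshd
sshd: ALL'

for rules in "$RULES_RESTRICTED" "$RULES_OPEN"; do
    if hosts_allow_sshd_is_open "$rules"; then
        echo "sshd is reachable from ANY client: $(sshd_client_lists "$rules")"
    else
        echo "sshd is restricted to: $(sshd_client_lists "$rules")"
    fi
done
```

To run it against the real file, pass its contents: hosts_allow_sshd_is_open "$(cat /etc/hosts.allow)". The check only reads tcp_wrappers rules; it says nothing about the iptables rule added in the next step, which is a separate layer.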
Next we need to open a port in the firewall for the ssh service to listen on; by default this is port 22. If you have system-config-security installed, go to the Fedora start menu > Desktop > Administration > Security Level and Firewall, tick the checkbox for ssh and click OK to save your changes.
Alternatively add the following line to your /etc/sysconfig/iptables file as root:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
If you edited the iptables file by hand you need to restart the iptables service to load the changes:
$ sudo /sbin/service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
Next we need to start the ssh service. As root, type:
$ /sbin/service sshd start
Starting sshd:                                             [  OK  ]
Finally, start the vncserver, in this case with the -localhost option so that the vncserver only accepts connections from localhost. We do this because we will forward the port from the client machine over ssh, so the vncserver does not need to listen for external connections. For the same reason we do not need to open port 5900 or the usual VNC port in the firewall.
$ vncserver :1 -localhost

New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobpeers/.vnc/xstartup
Log file is /home/bobpeers/.vnc/linux.bobpeers:1.
To set up the port forwarding on a Linux machine, open a terminal and type:
$ ssh -N -T -L 5901:localhost:5901 192.168.1.100 &
This forwards our local port 5901 to port 5901 on the host computer. Replace 5901 with the port you normally use for VNC connections, i.e. if you use display 20 it would read ssh -N -T -L 5920:localhost:5920 192.168.1.100. The middle part of the -L argument is the destination as seen from the ssh server: because the vncserver was started with -localhost it only listens on the server's own loopback interface, so this must be localhost rather than the server's network address. The final argument is the IP address of the host machine; replace it with the correct number for your network. The -L is the local port forward option, the -N option prevents a shell from opening so no commands can be executed, and the -T option disables pseudo-tty allocation.
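Added example (my own shell code, not the tutorial's): one function that builds the forwarding command above for any display number, and one that confirms the display is bound to the loopback address only, which is what starting vncserver with -localhost is meant to guarantee. The listener lists it is run over are constructed, in the form the Local Address column of netstat -ltn prints them; the server address 192.168.1.100 is the tutorial's, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Two helpers for the tunnel
# step: build the ssh forwarding command for a VNC display, and confirm from
# listener lines that the display is bound to loopback only (the effect of
# starting vncserver with -localhost).

# VNC display N listens on TCP port 5900+N.
vnc_port() {
    echo $((5900 + $1))
}

# Print the ssh command that forwards local port 5900+N to port 5900+N on the
# server's own loopback interface. Arguments: display number, server address.
vnc_tunnel_cmd() {
    port=$(vnc_port "$1")
    echo "ssh -N -T -L ${port}:localhost:${port} $2"
}

# Arguments: display number, then a whitespace-separated list of listening
# sockets as ADDR:PORT (the Local Address column of `netstat -ltn` or
# `ss -ltn`). Returns 0 if port 5900+N is bound only to 127.0.0.1 / ::1,
# 1 if it is bound to any other address (reachable from the network) or is
# not listening at all.
vnc_bound_to_loopback_only() {
    port=$(vnc_port "$1")
    found=0
    for addr in $2; do
        case "$addr" in
            127.0.0.1:"$port"|::1:"$port"|'[::1]':"$port") found=1 ;;
            *:"$port") return 1 ;;   # 0.0.0.0, *, :: or a real interface
        esac
    done
    [ "$found" -eq 1 ]
}

# Constructed listener lists, as netstat would show them on the server.
LISTENERS_LOCALHOST_ONLY="127.0.0.1:5901 0.0.0.0:22"   # vncserver :1 -localhost
LISTENERS_EXPOSED="0.0.0.0:5901 0.0.0.0:22"            # vncserver :1 without -localhost

echo "Tunnel command for display 1: $(vnc_tunnel_cmd 1 192.168.1.100)"
for l in "$LISTENERS_LOCALHOST_ONLY" "$LISTENERS_EXPOSED"; do
    if vnc_bound_to_loopback_only 1 "$l"; then
        echo "OK: display :1 accepts only local connections ($l)"
    else
        echo "WARNING: display :1 is reachable from the network ($l)"
    fi
done
```

On the server itself the live listener list is produced by netstat -ltn | awk '/^tcp/ {print $4}', so vnc_bound_to_loopback_only 1 "$(netstat -ltn | awk '/^tcp/ {print $4}')" checks a running vncserver; a WARNING there means -localhost was not applied and the VNC port is exposed despite the tunnel.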
Run the putty.exe program and in the left column select the Tunnels item under SSH. In the boxes at the bottom enter 5901 where it says 'Source port' and localhost:5901 where it says 'Destination'. You can see a screenshot of this here.
Next click on the 'SSH' menu item and tick the 3 checkboxes listed under 'Protocol': these disable pseudo-tty allocation, prevent a shell from opening and enable compression. You can see this screenshot here.
Finally click on the 'Session' menu item right at the top and, in the 'Host Name (or IP address)' box, enter the IP address of the machine you are connecting to (in my case 192.168.1.100); in the 'Port' box enter 22, the default ssh port we opened in the host's firewall. If you wish to save this configuration, enter a name in the 'Saved Sessions' box and click Save. You can see this screenshot here.
Now that the connection has been configured, click on the 'Open' button at the bottom to start the ssh tunnel.
Now that the ssh tunnel is open we can connect with the vncviewer through it. Note that because we have forwarded the VNC port we connect using localhost as the host machine: we connect to localhost port 5901, for example, and that port is forwarded to port 5901 on the host machine through the ssh tunnel we created in the previous step.
Open a terminal and type:
$ vncviewer localhost:5901
As normal this will open the dialog asking for the VNC password, and once it is given the VNC session opens, but now all the data sent between the two machines is encrypted over ssh.
Start the RealVNC viewer and enter 'localhost:5901' as the connection string, replacing 5901 with the port you have forwarded over ssh. You will be presented with the password dialog and, once you have entered it, you should be connected to the host machine over ssh.