Configuring VNC over SSH in Linux

From the articles by Bob Peers of bobpeers.com

Overview of VNC over SSH

Apart from the connection password, VNC is not a secure protocol: all commands and information are passed unencrypted over the connection. In a home
network this is not such an issue, but I would strongly recommend not doing this over the internet. In this tutorial I will show you how to connect
from a Windows or Linux client machine to a Linux server running the vncserver.

If you don’t know how to get vncserver set up you should refer to the Configuring a vncserver in Linux page on my site before continuing.

Requirements

Linux Host

The host machine must be running the vncserver and must also have openssh server installed.

$ rpm -qa|grep openssh-server
openssh-server-4.3p2-4

Windows or Linux client machine.

If you are running Linux you probably already have openssh installed. To check, type:

$ rpm -qa|grep openssh
openssh-server-4.3p2-4
openssh-4.3p2-4
openssh-clients-4.3p2-4
openssh-askpass-4.3p2-4

The second line, openssh-4.3p2-4, is the client software required. If you don’t have it, simply install it via yum, since the package is available
in the Fedora repositories.

On Windows I use PuTTY as my ssh client program.
Just download the file called putty.exe and save it somewhere. It requires no installation, just click on the program to start.

As a vncviewer I use RealVNC. It’s free to download and very easy to
use. When installed just go to the programs menu > RealVNC > VNC Viewer 4 > Run VNC Viewer to open the viewer.

Setting up the host

Editing /etc/hosts.allow.

On Fedora Core by default no connections are allowed to the ssh daemon so we need to allow our client machine to connect to the server. We need
to open the file /etc/hosts.allow as root and add the following line:

$ vi /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the ‘/usr/sbin/tcpd’ server.
#
sshd:192.168.1.109

The line is just sshd: followed by the IP address of the client computer. If you wish, you could add sshd:ALL to allow any host to connect. You would
need to do this if you don’t know the IP address of the client machine or if it changes due to a DHCP server.

Opening ports.

Next we need to open the port in the firewall that the ssh service listens on. By default this is port 22. If you have system-config-security
installed then go to the Fedora start menu > Desktop > Administration > Security Level and Firewall, click on the checkbox for ssh and click OK
to save your changes.

Alternatively add the following line to your /etc/sysconfig/iptables file as root:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

If you edited the iptables by hand you need to restart the iptables service to load the changes:

$ sudo /sbin/service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

Starting the ssh service and vncserver.

Next we need to start the ssh service, as root type:

$ /sbin/service sshd start
Starting sshd:                                             [  OK  ]

Finally start the vncserver. In this case we add the -localhost option so that the vncserver will only allow connections from localhost. This is done
because we will forward the port on the client machine over ssh, so the vncserver does not need to listen for external connections. It’s for this reason
we do not need to open port 5900 or the usual vnc port.

$ vncserver :1 -localhost

New ‘linux.bobpeers:1 (bobpeers)’ desktop is linux.bobpeers:1

Starting applications specified in /home/bobpeers/.vnc/xstartup
Log file is /home/bobpeers/.vnc/linux.bobpeers:1.
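
A check for the point above, added here as an example and not part of the original article: the function reads listening sockets in the format printed by ss -tln and reports any VNC listener (ports 5900-5999) bound to a non-loopback address. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# vnc_exposed reads `ss -tln` style lines on stdin and prints the local
# address of every VNC listener (TCP 5900-5999) that is not bound to
# loopback. Exit status: 0 = loopback only, 1 = at least one exposed listener.
vnc_exposed() {
    awk '
        $1 == "LISTEN" {
            laddr = $4                      # e.g. 127.0.0.1:5901, [::]:5901, *:5901
            n = split(laddr, parts, ":")
            port = parts[n] + 0             # port is the text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            if (port < 5900 || port > 5999) next        # not a VNC display port
            if (addr ~ /^127\./ || addr == "[::1]") next # loopback is what we want
            print laddr
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: vncserver :1 started with -localhost.
SAMPLE_LOCALHOST='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*'

# Constructed sample: display :1 started without -localhost, :2 with it.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      [::]:5901          [::]:*
LISTEN 0      5      127.0.0.1:5902     0.0.0.0:*'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOCALHOST" | vnc_exposed && echo "sample 1: loopback only"
printf '%s\n' "$SAMPLE_EXPOSED" | vnc_exposed || echo "sample 2: VNC reachable from the network"
```

On the server, run ss -tln | vnc_exposed after starting the vncserver. No output and exit status 0 mean the VNC port is reachable only through the ssh tunnel.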

Setting up the client.

Linux

To set up the port forwarding on a Linux machine, open a terminal and type:

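$ ssh -f -N -T -L 5901:localhost:5901 192.168.1.100

This forwards our local port 5901 to port 5901 on the host computer. Just replace 5901 with the port you normally use for VNC connections, i.e. if
you use display 20 then it would read ssh -f -N -T -L 5920:localhost:5920 192.168.1.100. The final argument is the IP address of the host machine, replace
it with the correct number for your network. The destination in the middle is localhost because it is resolved on the host side of the tunnel, and a
vncserver started with -localhost only accepts connections from the host itself. The -L is the local port forward option, the -N option prevents a shell
from opening so we cannot execute commands, the -T option disables pseudo-tty allocation, and the -f option sends ssh to the background once you have
authenticated.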

Windows

Run the putty.exe program and in the left column select the tunnels item under SSH, in the bottom boxes add 5901 where it says ‘Source port’
and add the line localhost:5901 where it says ‘Destination’. You can see a screenshot of this here

Next click on the ‘SSH’ menu item and check the 3 checkboxes listed under ‘Protocol’, these prevent the tty allocation, shell opening and allow
compression. You can see this screenshot here

Finally click on the ‘Session’ menu item right at the top and in the ‘Host name (or IP address)’ box enter the IP address of the machine you are
connecting to, in my case 192.168.1.100. In the ‘Port’ box enter 22 (the default ssh port we opened in the host’s firewall). If you wish to save this
configuration enter a name in the ‘Saved sessions’ box and click save. You can see this screenshot here

Now that the connection has been configured we can start the ssh tunnel. Just click on the ‘Open’ button at the bottom to start it.

Connecting over the ssh tunnel.

Now that the ssh tunnel has been opened we can connect using the vncviewer using this tunnel. Note that now we have forwarded the vnc port we need
to connect using localhost as the host machine. This means that we connect to localhost port 5901 for example, but then this port is forwarded
to port 5901 on the host machine through the ssh tunnel we created in the previous step.

Linux

Open a terminal and type:

$ vncviewer localhost:5901

As normal this will open the dialog asking for the vnc password, which once given will open the vnc session, but now all the data sent between the
two machines is encrypted over ssh.

Windows

Start the Real VNC viewer and put the connection string as ‘localhost:5901’ replacing 5901 with the port you have forwarded over ssh. You will be
presented with the password dialog and once entered you should now be connected to the host machine over ssh.

Read more at www.bobpeers.com


6 responses to “Configuring VNC over SSH in Linux”

  1. This is a very good article and very helpful too. I followed the document and now I am able to see the Linux desktop on my PC remotely. But one problem I have is when I use 5901 port on my PC in VNC Viewer I get a terminal window only. But if I use 5900 it shares the desktop on Linux to PC like a NetMeeting session. How can I view the Linux desktop on my PC without even logging in to Linux, like remote desktop?

    Thank you.

  2. Thanks, I found this article to be informative!

  3. It was very useful info for me. Thanks for the info.

  4. It helps for some forgotten points. Not too bad. Thanks.

  5. 4.

    helps for some forgotten points. Not too bad. Thanks.


  6. You are really a just right webmaster. The web site loading speed is amazing. It kind of feels that you are doing any unique trick. Furthermore, The contents are masterwork. you’ve done a great task in this topic!
