From the articles by Bob Peers of bobpeers.com
Overview of VNC over SSH
VNC is not a secure protocol: apart from the initial password exchange, every keystroke, mouse event and screen update passes unencrypted over the
connection, and the password exchange itself is only a DES challenge-response with the password truncated to eight characters. On a home network
this matters less, but I would strongly recommend not exposing a VNC server directly to the internet. In this tutorial I will show you how to connect
from a Windows or Linux client machine to a Linux server running vncserver, with the whole VNC session carried inside an SSH tunnel.
If you don’t know how to get vncserver set up you should refer to the
Configuring a vncserver in Linux
page on my site before continuing.
The host machine must be running vncserver and must also have the OpenSSH server installed; check with:
$ rpm -qa|grep openssh-server
Windows or Linux client machine.
If you are running Linux you probably already have OpenSSH installed; to check, type:
$ rpm -qa|grep openssh
The second line of the output, openssh-4.3p2-4, is the base OpenSSH package; the ssh client binary itself comes from the openssh-clients package,
so make sure that one is listed too. If either is missing simply install it via yum, since both are in the Fedora repositories.
On Windows I use PuTTY as my SSH client program: just download the file called putty.exe and save it somewhere. It requires no installation,
just run the program to start it.
As a VNC viewer I use RealVNC, which is free to download and very easy to use. Once installed, go to the Programs menu > RealVNC > VNC Viewer 4 >
Run VNC Viewer to open the viewer.
Setting up the host
On Fedora Core sshd is built with TCP wrappers support, so we can restrict which clients may even talk to the SSH daemon using /etc/hosts.allow
and /etc/hosts.deny. (By default both files are empty, which TCP wrappers treats as "allow everyone"; it is the firewall, dealt with next, that
actually blocks port 22 on a fresh install.) Open the file /etc/hosts.allow as root and add a line for our client machine:
$ vi /etc/hosts.allow
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
The line is just sshd: followed by the IP address of the client computer. If you wish you could add sshd: ALL instead to allow any client access;
you would need to do this if you don't know the IP address of the client machine or if it changes because it is assigned by a DHCP server.
Note that an entry in hosts.allow only restricts anything when there is a matching deny rule: add sshd: ALL to /etc/hosts.deny and the allow line
becomes an effective whitelist, with every other client refused before sshd ever sees a login attempt.
Next we need to open the firewall port that the SSH service listens on, which by default is port 22. If you have system-config-securitylevel
installed then go to the Fedora start menu > Desktop > Administration > Security Level and Firewall, tick the checkbox for SSH and click OK
to save your changes.
Alternatively add the following line to your /etc/sysconfig/iptables file as root, placing it with the other ACCEPT rules above the final REJECT
rule of the RH-Firewall-1-INPUT chain (rules are matched in order, so an ACCEPT placed after the REJECT is never reached):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
If you edited the iptables file by hand you need to restart the iptables service to load the changes:
$ sudo /sbin/service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
Starting the ssh service and vncserver.
Next we need to start the ssh service, as root type:
$ /sbin/service sshd start
Starting sshd: [ OK ]
Finally start the vncserver. Here we add the -localhost option so that vncserver binds only to the loopback interface and accepts connections
only from the host itself. We can do this because the client will reach it through a port forwarded over SSH, which arrives at the host as a
local connection, so vncserver never needs to listen for external connections. For the same reason we do not need to open port 5901 (or whichever
VNC display port you use) in the firewall; leaving it closed also means the weak VNC password is never the only thing between the network and
your desktop.
$ vncserver :1 -localhost
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1
Starting applications specified in /home/bobpeers/.vnc/xstartup
Log file is /home/bobpeers/.vnc/linux.bobpeers:1.
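The -localhost option is only worth anything if vncserver really did bind to the loopback address, so the check I would run on the host straight after starting it is below. This is an added example, not code from the original article: it parses a netstat -tln style listing and reports whether a display's port is bound to loopback only. The listing embedded in the script is constructed for illustration (display :1 correct, :2 and :3 exposed); check_live_vnc feeds in the real netstat output instead.

```shell
#!/bin/sh
# Added example, not code from the original article: check that a vncserver
# started with "-localhost" is really bound to the loopback address only.
# SAMPLE_LISTING below is constructed for illustration; on a live host
# check_live_vnc feeds in the real output of "netstat -tln".

# VNC display :N listens on TCP port 5900+N; reject anything non-numeric.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*) echo "vnc_port: display must be a number" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# Constructed sample: display :1 bound to loopback only (what -localhost
# gives you), display :2 bound to every IPv4 address, display :3 bound to
# every IPv6 address. sshd on port 22 is listed too, as on a real host.
SAMPLE_LISTING='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5902            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::5903                 :::*                    LISTEN'

# vnc_exposure LISTING DISPLAY
# Prints "loopback", "exposed" or "not-listening" for the display and
# returns 0 only when every socket on its port is bound to 127.0.0.1 or ::1.
vnc_exposure() {
    listing=$1
    port=$(vnc_port "$2") || return 2
    # Local Address column (field 4) of LISTEN lines that end in ":PORT",
    # with the port stripped so only the bound address is left.
    addrs=$(printf '%s\n' "$listing" |
        awk -v p="$port" '$NF == "LISTEN" && $4 ~ (":" p "$") {
            sub(":" p "$", "", $4); print $4 }')
    [ -n "$addrs" ] || { echo not-listening; return 1; }
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1) ;;             # loopback: unreachable from the LAN
            *) echo exposed; return 1 ;;  # any other address is reachable
        esac
    done
    echo loopback
}

# check_live_vnc DISPLAY: the same check against this host's real sockets.
check_live_vnc() {
    vnc_exposure "$(netstat -tln 2>/dev/null)" "$1"
}

# Walk the constructed sample so the three outcomes can be seen.
for d in 1 2 3; do
    printf 'display :%s -> %s\n' "$d" "$(vnc_exposure "$SAMPLE_LISTING" "$d")"
done
```

On the host from the tutorial, check_live_vnc 1 should print loopback; if it prints exposed, the -localhost option was not honoured (or an older vncserver was still running) and port 5901 is reachable by anyone the firewall lets through.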
Setting up the client.
To set up the port forwarding on a Linux machine, open a terminal and type:
$ ssh -N -T -L 5901:localhost:5901 bobpeers@192.168.1.100 &
This forwards our local port 5901 to port 5901 on the host computer. The first number is the local port; the localhost:5901 in the middle is the
destination as seen from the host (the vncserver we started with -localhost only accepts connections to the host's own loopback address, so this
must be localhost, not the host's LAN address); the last argument is your login name on the host and the host's IP address, replace both with the
correct values for your network. Replace 5901 with the port you normally use for VNC connections, i.e. if you use display 20 it would read
ssh -N -T -L 5920:localhost:5920 bobpeers@192.168.1.100. The -L is the local port forward option, the -N option prevents a shell from opening so
no commands can be executed through this session, and the -T option disables pseudo-tty allocation. Backgrounding with & only works cleanly if
you are not prompted for a password; ssh's own -f option, which goes to the background after authentication, is the better way to do the same
thing. On the first connection ssh shows the host's key fingerprint; compare it with the fingerprint of the host key on the server (ssh-keygen
can print it from the public key file in /etc/ssh) before accepting, because a tunnel to an impostor encrypts nothing useful.
Run the putty.exe program and in the left column select the Tunnels item under SSH. In the boxes at the bottom enter 5901 where it says 'Source port'
and localhost:5901 where it says 'Destination' (localhost here is the host's own loopback interface, the only address our -localhost vncserver
accepts), then click Add so the forward appears in the list.
Next click on the 'SSH' menu item and tick the three checkboxes listed under 'Protocol': these disable pseudo-terminal allocation, stop a shell
from being started and enable compression.
Finally click on the 'Session' menu item right at the top and in the 'Host Name (or IP address)' box enter the IP address of the machine you are
connecting to, in my case 192.168.1.100, and in the 'Port' box enter 22 (the default SSH port we opened in the host's firewall). If you wish to
save this configuration enter a name in the 'Saved Sessions' box and click Save.
Now the connection has been configured, click the 'Open' button at the bottom to start the SSH tunnel. The first time you connect PuTTY shows the
host's key fingerprint and asks whether to trust it; check it against the key on the server before answering yes. Because no shell is started the
window stays blank after you log in; leave it open for as long as you need the tunnel.
Connecting over the ssh tunnel.
Now that the SSH tunnel is open we can connect with the VNC viewer through it. Because the VNC port is forwarded, we connect to localhost rather
than to the host machine: a connection to localhost port 5901 on the client is carried through the tunnel we created in the previous step and
delivered to port 5901 on the host.
Open a terminal and type:
$ vncviewer localhost:5901
As normal this opens the dialog asking for the VNC password, and once it is given the VNC session opens, but now all the data sent between the
two machines is encrypted over SSH, and the VNC password challenge itself never appears on the network either.
Start the RealVNC viewer and enter 'localhost:5901' as the connection string, replacing 5901 with the port you have forwarded over SSH. You will be
presented with the password dialog and once the password is entered you are connected to the host machine over SSH.
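The Linux client steps above, composing the tunnel command for a given display and then launching vncviewer through it, as one script. This is an added example and not code from the original article. It assumes the host runs vncserver :N -localhost and sshd on port 22; the user name bobpeers, host 192.168.1.100 and display :1 in the demo call are the values used in this tutorial. It also uses ssh's ExitOnForwardFailure option, which needs OpenSSH 4.4 or later (the 4.3p2 client shown earlier predates it; drop the -o argument if your ssh rejects it).

```shell
#!/bin/sh
# Added example, not code from the original article: open the SSH tunnel
# for a VNC display and start vncviewer through it. Assumes the host runs
# "vncserver :N -localhost" and sshd on port 22. ExitOnForwardFailure needs
# OpenSSH 4.4 or later. The demo values at the bottom are the tutorial's own.

# VNC display :N listens on TCP port 5900+N; reject anything non-numeric.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*) echo "vnc_port: display must be a number" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# tunnel_cmd USER HOST DISPLAY
# Prints the ssh command line that carries local port 5900+N to the same
# port on the host's loopback interface.
tunnel_cmd() {
    port=$(vnc_port "$3") || return 1
    # -f   go to background only after authentication has succeeded and the
    #      forward is in place, so there is no "&" racing the password prompt
    # -N   no remote command; -T no pseudo-tty: this session is tunnel only
    # -o ExitOnForwardFailure=yes  exit non-zero if the local port cannot be
    #      bound, instead of quietly leaving vncviewer nothing to talk to
    # The destination is localhost *as seen from the host*, the only address
    # a "-localhost" vncserver accepts; the host's LAN address would be refused.
    printf 'ssh -f -N -T -o ExitOnForwardFailure=yes -L %s:localhost:%s %s@%s\n' \
        "$port" "$port" "$1" "$2"
}

# viewer_target DISPLAY: the string to give vncviewer (or RealVNC on Windows).
viewer_target() {
    port=$(vnc_port "$1") || return 1
    echo "localhost:$port"
}

# vnc_connect USER HOST DISPLAY: open the tunnel, then the viewer through it.
vnc_connect() {
    cmd=$(tunnel_cmd "$1" "$2" "$3") || return 1
    echo "+ $cmd"
    # No argument contains whitespace, so plain word splitting is safe here.
    $cmd || { echo "tunnel not established; nothing to connect to" >&2; return 1; }
    vncviewer "$(viewer_target "$3")"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${VNC_DEMO:-}" = run ]; then
    vnc_connect bobpeers 192.168.1.100 1
fi
```

Run it as VNC_DEMO=run sh vnc-tunnel.sh (a name assumed here); the tunnel stays up in the background after vncviewer exits, so kill the ssh process when you are done, and if ssh reports that the forward failed, something else on the client is already listening on that port.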