Thursday, December 02, 2004
Setting up VNC through an SSH tunnel
On the server:
Edit /etc/ssh/sshd_config. Make sure X11forwarding=yes is uncommented.
Make sure compression=yes is uncommented. Restart the server.
Make sure your firewall is off. If you use shorewall, run shorewall clear after shutting it off, otherwise all access is denied by default.
If you use tcpwrappers, make sure you have the proper access controls for the remote clients. If you want to test it from the same machine, you need to add 127.0.0.1 to /etc/hosts.allow.
emerge tightvnc (I used ~x86), make sure tcpd is enabled for extra security (assuming you configured /etc/hosts.allow and /etc/hosts.deny).
Comment out these two lines in /etc/security/pam_env.conf
REMOTEHOST ......
DISPLAY .....
Make sure those lines are commented out, or X11 forwarding will not work!
Run Xvnc :1 as root (not 100% sure this is necessary, but had problems until I did this).
This will create a config file in /root/.vnc/. If you want to run a window manager, you will want to edit this file. It's obvious what to do: just put your window manager of choice in place of twm. Run something light like fluxbox; everything else is very slow when you use ssh.
After the config is created just run vncserver to start the server.
On the client:
emerge tightvnc
You want to create an encrypted ssh tunnel.
To do this, run something like this:
ssh -C -L 5902:vnc-server1:5901 vnc-server1
This uses compression (-C) and sets up a tunnel that starts at port 5902 on your client and ends at port 5901 on the vnc server.
Now the cool part...
vncviewer localhost:5902
That connects to port 5902 on your client (over the loopback interface, so no unencrypted traffic hits the net); ssh then captures the traffic and encrypts it, transmitting it through the tunnel to port 5901 on your VNC server.
If all goes well you will be prompted for the password on your server and get the window manager you configured to run previously (twm is the default if you don't change it).
Just remember once you create the ssh tunnel in a command window, you are connected to the server in that console. You need to open another console to run the vncviewer, otherwise you will be running it on the server.
I think this documentation is pretty complete, but let me know if I missed something.