I'm running the server on a Solaris box; the users' home directories are
not correctly secured (i.e. no Kerberos or DH security). It's too easy to grab
someone's ~/.vnc/vncpasswd or even put in your own (vnc reads this file at
connection time, not server startup time).

I'd considered forcing users to start the server with the rfbauth file local
to the host instead of their home directory (perhaps in the same directory
as the socket that ssh creates if the agent is forwarded), but I'm now
starting to think that I'll try and start the server with rfbauth =
/dev/null (not checked yet if the server would start up with this) and then
make the connection in reverse.

I'd like to tighten up the security for this installation. I believe using
a reverse connection does this, but I also want to tunnel the
communications too.

btw. don't know how portable this is, but it works nicely for Solaris:
1. Start the ssh-agent before starting the VNC server.
2. Start the VNC server.
3. Kill the agent.
4. Each time you connect, start pageant first and forward the agent.
5. Run a simple perl script (that I'll submit to this list, once it's
100% finished) that hunts (via /usr/ucb/ps -wwaxe) for where the agent
socket was and makes a hard link to where it is.
6. The script then kills its parent shell.

The end result of this is that you have the full benefit of an SSH agent
connected to the SSH server, but the moment the VNC session disconnects for
whatever reason the path back to the agent is lost. This is far more secure
than leaving a VNC server running and also the agent on the same box.
Tim McGarry
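The reverse connection over a remote port forward discussed in this thread, written up as an added example that is not from either poster. It assumes the Unix VNC 3.3 `vncconnect` helper, OpenSSH's `-R` remote forward in place of PuTTY's remote-forward setting, and hypothetical function names; the two checks cover the tunnel-bypass caveat and the rfbauth file being read at connection time.

```shell
#!/bin/sh
# Added example (not from the list posts). Assumes the Unix VNC 3.3
# `vncconnect` helper and OpenSSH's -R remote forward; with PuTTY the
# equivalent is a remote forward R5500 -> localhost:5500.
#
# Viewer side (Windows workstation):
#   vncviewer -listen                      # waits on TCP 5500
#   ssh -R 5500:localhost:5500 user@solaris-host
# Server side (Solaris host, inside that SSH session):
#   reverse_connect :1 localhost:5500 /path/to/rfbauth-file
# The whole session then runs over the single connection Xvnc opens to
# port 5500, which the remote forward carries back to the viewer.

# The target handed to vncconnect must be the loopback end of the forward;
# a real address (or hard-coded IP) would go direct and bypass the tunnel.
is_loopback_target() {
  case "$1" in
    localhost|localhost:*|127.0.0.1|127.0.0.1:*) return 0 ;;
    *) return 1 ;;
  esac
}

# The rfbauth password file is re-read at every connection attempt, so a
# group- or world-accessible copy is a live risk, not a startup-time one.
# Pass only if the mode string has no group/other bits (e.g. -rw-------).
rfbauth_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Hypothetical wrapper: refuse to start the reverse connection unless both
# checks pass. $1 = Xvnc display, $2 = target, $3 = rfbauth file.
reverse_connect() {
  is_loopback_target "$2" || {
    echo "refusing non-loopback target '$2': it would bypass the SSH tunnel" >&2
    return 1
  }
  rfbauth_is_private "$3" || {
    echo "refusing: '$3' is missing or readable by group/others" >&2
    return 1
  }
  vncconnect -display "$1" "$2"
}
```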
----- Original Message -----
From: "William Hooper" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 23, 2002 3:58 AM
Subject: Re: VNC and SSH tunneling
> ----- Original Message -----
> From: "Tim McGarry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 22, 2002 1:56 PM
> Subject: VNC and SSH tunneling
>
>
> > I'm running the VNC server on a Solaris 8 box with OpenSSH.
> >
> > Normally I use vncviewer.exe (Windows NT/98) forwarded through an SSH
> > connection (PuTTY). This works fine. I start the server with -localhost
> > (port 5900 is forwarded locally).
> >
> > What I'd like to do is start the vncviewer in listen mode and make a
> > server-initiated connection tunnelled through a remotely forwarded port.
> >
> > The reverse connections work fine without the SSH tunnel, but I've had
> > absolutely no success in opening a reverse connection to vncviewer through
> > a remote port forward.
> >
> > Does anyone have experience of this? What remote ports (5500? 5900?) do I
> > need to forward, and where do I forward them to (localhost? 127.0.0.1?
> > IP address?) Are there any configs that I need to take care of in OpenSSH
> > or PuTTY?
> >
> >
> > Tim McGarry
>
> Disclaimer - I've never tried so I reserve the right to be wrong!
>
> The vncviewer listens on port 5500 for the server connection. That means if
> you forward the OpenSSH server's port 5500 to the client that communication
> should work. You would tell the server to make a connection to localhost.
>
> You also need a connection for the VNC session to go over once it is
> started. This would be over the normal port of 5900. So you need a tunnel
> from the PuTTY machine to the OpenSSH server on port 5900.
>
> The PuTTY docs talk about how to set up the two types of tunnels here:
> http://the.earth.li/~sgtatham/putty/0.52/htmldoc/Chapter3.html#3.5
>
> Again, disclaimer - I've never tried it so I might be wrong. If the server
> sends a hard coded IP instead of localhost it could very well try to bypass
> the SSH tunnel and try to go direct and not work.
>
> Just curious, if you can log in normally and start the session from client
> side, what advantage are you getting from starting the connection from the
> server side instead?
>
> --
> William Hooper
>
> Save the whales, collect the whole set !
> _______________________________________________
> VNC-List mailing list
> [EMAIL PROTECTED]
> http://www.realvnc.com/mailman/listinfo/vnc-list