Yesterday I managed to get VNC working over SSH. At least, I think I
did. Many thanks to the various pieces of documentation found on the
AT&T VNC site.
I installed TightVNC 1.2.7 and OpenSSH for Windows 3.4.3 on two Windows
machines, PC1 (Windows XP) and PC2 (Windows 2000). PC2 is the PC running
OpenSSH as a service, and is the one I want to control with VNC.
On PC1 I issued the command
'ssh -l administrator -L 5900:PC2:5900 -C PC2'
After providing the appropriate password and getting a command prompt I
launched VNC Viewer and told it to connect to 127.0.0.1. After supplying
the session password I ended up with the display from PC2. TCPView -
http://www.sysinternals.com/ - seemed to confirm that, on PC2,
WINVNC.EXE was in fact connected to another port on the same PC and, on
PC1, VNCVIEWER.EXE was connected to port 5900 on itself, which was
opened by SSH.EXE.
Thus, I surmise that I got SSH working. Hurrah for me.
Now I get confused.
In its current configuration VNC will accept connections from any other
machine on the network. I don't want this to be the case. I want all VNC
traffic to come through an SSH tunnel first. I want the added layer of
security provided by having to authenticate via SSH first.
I thought that all I'd need to do, since the traffic appears to be
coming from the local host, is enable loopback connections and set
"Allow only loopback connections". This didn't work. I did not get
prompted for a password when launching VNC Viewer. TCPView showed a
connection to port 5900 (listened to by SSH) on PC1, but nothing else
happened. If I unticked "Allow only loopback connections" then I got
prompted for a password as normal.
I have successfully managed to get this working using only loopback
connections with a commercial product - WinSSHD from
http://www.bitvise.com/.
There are two components needed: WinSSHD itself and a separate program,
Tunnelier. WinSSHD can sit on any machine on the network, apparently,
and Tunnelier needs to be on every machine with a redirected port.
I set up Tunnelier on PC1 to listen on port 5900 and redirect to
PC2:6000. I set up Tunnelier on PC2 to listen on port 6000 and redirect
to 127.0.0.1:5900. I then told VNC Viewer to connect to 127.0.0.1 and
the traffic got redirected through to PC2 as desired. "Allow only
loopback connections" was selected.
I don't know enough about OpenSSH to know how it compares to WinSSHD and
Tunnelier, but the method used by WinSSHD makes me wonder: do I need to
set up an SSH session on PC2 which listens on a particular port and then
forwards it to 127.0.0.1:5900, instead of just forwarding straight from
PC1 to PC2:5900? If so, how would I go about it?
I've perused the various VNC/SSH pages I've managed to find through the
AT&T site, but all I can see is information about using a third PC as
the SSH man-in-the-middle. I may have missed something; if so then feel
free to catcall and jeer.
Can anyone offer any suggestions, please? If necessary I'd pay for
WinSSHD but I'd much rather use OpenSSH. It's cheaper, for a start. :-)
--
Alex Morris
_______________________________________________
VNC-List mailing list
http://www.realvnc.com/mailman/listinfo/vnc-list
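As an added illustration (not part of the thread, and not OpenSSH's or TightVNC's own code): with `-L 5900:PC2:5900`, sshd on PC2 resolves the name PC2 and connects to that address, i.e. PC2's LAN address rather than 127.0.0.1, which is exactly what a VNC server set to "Allow only loopback connections" refuses; with `-L 5900:127.0.0.1:5900` sshd connects over PC2's own loopback interface and the filter is satisfied. This hypothetical Python helper parses an `ssh -L` forwarding spec and reports whether it would pass such a filter, assuming GatewayPorts is off so the local listener defaults to loopback.

```python
import ipaddress

# Assumption: GatewayPorts is off, so ssh binds the local listener to
# loopback when no bind_address is given in the -L spec.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def is_loopback(host: str) -> bool:
    """True if connecting to `host` uses the loopback interface."""
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname such as PC2 resolves to a LAN address

def parse_forward(spec: str):
    """Parse the `[bind_address:]port:host:hostport` form taken by ssh -L."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "localhost", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unsupported forward spec: {spec!r}")
    return bind, int(port), host, int(hostport)

def check_forward(spec: str):
    """Return (ok, reason) for tunnelling VNC Viewer to a VNC server that has
    "Allow only loopback connections" set on the remote machine."""
    bind, port, host, hostport = parse_forward(spec)
    problems = []
    if not is_loopback(host):
        # sshd on the remote host resolves `host` and connects to that
        # address, which is its LAN address, not 127.0.0.1: VNC refuses it.
        problems.append(f"sshd connects to {host}:{hostport} via a LAN address")
    if not is_loopback(bind):
        # "" or "*" means all interfaces: the local tunnel entry on PC1
        # would then be reachable by other machines on the network.
        problems.append(f"listener on {bind or '*'}:{port} is exposed to the LAN")
    if not problems:
        return True, f"sshd connects to {host}:{hostport} over loopback"
    return False, "; ".join(problems)

def fixed_forward(spec: str) -> str:
    """Rewrite the spec so sshd connects over the remote loopback interface."""
    bind, port, host, hostport = parse_forward(spec)
    return f"{bind}:{port}:127.0.0.1:{hostport}"
```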