Thread: A couple more SSH / VNC questions
View Single Post
cmdowns's Avatar
cmdowns is offline cmdowns
2008-04-09 , 14:16
Posts: 100 | Thanked: 13 times | Joined on Mar 2008
#31
Okay, I think I'm up and running with the whole enchilada now. I think Benson's recommendations regarding the settings on tightVNC

Originally Posted by Benson View Post
Double-click the tightVNC logo in the system tray to bring up the config dialog. On the Administration tab, there's a box with three checkboxes:

* Disable empty passwords
* Allow loopback connections
* Allow only loopback connections

The first one should be unchecked if you want to be able to use an empty password (not no password, just a password of zero length; there's a difference.). Doesn't really matter.

The second one must be checked. It's off by default, to spare you from VNCing into your console from your console (heap bad medicine), and resulting pointer freeze and such. But the way the ssh tunnel ends on the local machine means that the outcoming VNC connection is indeed a loopback connection, and we must allow that.

The third one blocks all normal connection; then all that can get through is screen-grabbing horrors (don't do those) and VNC tunneled connections. It's probably wise to enable this at some point, but not necessary.
were exactly what I needed to finally make the whole thing come together. After adjusting these settings as specified, I was able to establish the tunnel while working on my home network, and then VNC into the VNC server at 127.0.0.1:1

Then I left home and jumped onto a public wifi spot at a local cafe, replicating the above mentioned process. Except this time, I connected to my router's WAN IP address. The port forwarding I had set up for the router worked and it sent the tunnel to the XP box's port 22.

Then I was able to VNC from my nokia to 127.0.0.1:1 and pull up the XP box's screen. It's worth mentioning that the VNC display was much slower when using the public wifi than when implementing the same process on my home wlan.

Now, in order to determine if my XP machine was at risk of random VNC clients accessing it through the WAN, I killed the ssh tunnel I had established which immediately killed the VNC session as well. Then I tried to establish a VNC session again (without first establishing an ssh tunnel).

Just to make sure, I first tried to VNC to 127.0.0.1:1 and obviously that didn't do anything (which is what I expected). Then I tried to VNC to the XP box's IP, and that didn't do anything (which I also expected, as the XP box's IP is isolated within my home wlan). Finally, I tried to VNC to my router's WAN IP address. This was the only one that I was truly concerned about, because it had the potential to forward the communication to my XP box's port 5900.

Luckily, that also didn't work. So can I assume that what jldiaz is describing:

Originally Posted by jldiaz View Post
Most likely anyone can connect to your XP box directly, unless your router is blocking port 5900. This is why is a good idea to configure your VNC server either for asking a password, or alternatively for accepting only clients coming from localhost (i.e., in our case, coming from the ssh tunnel).
combined with my observations and experiences indicate that indeed my router does block port 5900? Is there a more definitive way to determine if my router is or is not blocking port 5900?

Also, I'm a little confused about what Benson said in post 29

Originally Posted by Benson View Post
I assume that's my.XP.box.IP:0 ? If it's a different display, then that would cause problems (you'd need to change which port you forward to).
Because I did use my.XP.box.IP:1 not my.XP.box.IP:0. And I thought the :1 was required because it is specified when I describe port 5901.

Since it seems like it's working, I would guess I'm doing it right. But if anyone sees an error I'm making, please tell me.

Now as far as this is concerned:

Originally Posted by jldiaz View Post
For example, you could have two secure LANs, but an insecure WAN connecting the two LANs. You can use ssh/sshd to provide a secure tunnel through the WAN, and thus allowing a secure communication between any machine on the first LAN with any machine on the second LAN.

The following convolved example is not really neccesary, but for the sake of the completness, let me elaborate it.

Llet us assume that you have a secure LAN at your home, with two machines, with IPs: 145.24.12.10 and 145.24.12.11, The first one is a WindowsXP in which you have installed Cygwin/sshd. The second one is an old Windows98, without any ssh software installed, but with a VNC server running on display 0.

At your work, you have a secure LAN, in which it is your desktop PC, running Windows2000, with IP 220.30.140.100. You have a VNC client in this PC, but no ssh software. You would like to connect this VNC client in the Windows2000 machine, with the VNC server of your Windows98 PC, at home. However, the insecure WAN connecting the two LANs is intimidating you...

Fortunately, you have your Nokia n810 with you, in which you have a ssh client installed. You connect your n810 to the LAN of your office (and it gots the IP 220.30.140.101), and then you use the ssh in your nokia to make a tunnel to your Windows98 machine at home. Then, you connect the VNC client of your Windows2000 through this tunnel, and you got the desired and secured connection.

How could this be done? I left it as an exercise to the reader.. :-)
I'm going to need a little time to work through this one. Maybe I'll have an answer tonight.