Thanks for your reply. I've started collecting some log files; it looks like it's a problem that also occurs Solaris-Solaris via OpenSSH.

Unfortunately it'll take me a few days (or more) till I get it together to bring home all the logs (they are on my machine at work).

Why?

1/ VNC makes no attempt to transfer data securely, but why the hell should it when ssh can do such a great job of this. So for real security I would always recommend that an SSH tunnel is used.

2/ ~/.vnc/passwd is mega insecure in some organisations. Even if the file is placed somewhere more secure, once it is compromised someone knows my passwd for ever more. What's worse, the value in the rfbauth file is read at connect time, not startup time, so someone can quickly change the password to make a connection and then change it back.

3/ SSH forwards TCP connections. Ultimately -localhost only protects me from the off-host connections; if someone is legitimately allowed to connect to my box, then they can have a decent attempt at cracking my VNC session.

So my conclusion is to set rfbauth to be /dev/null. If the vnc server is not listening for X on tcp then the box is 100% secure against all shared users on the system, but as it stands I've lost the ability to make the connection back to the viewer secure.

This is why I want to reverse tunnel. I also would like to make life easier for the slightly less able users, by throwing the VNC session back to them immediately they connect via ssh.

I will send you all the info once I've collated it; this could take some time.

It would also be worth allowing Xvnc to be started up with something like -reverse-localhost so that vnc connect cannot be used without an SSH tunnel (or perhaps -reverse=xxx.xxx.xxx.xxx), but that's something for the future.

Tim McGarry

----- Original Message -----
From: "William Hooper" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 11:18 PM
Subject: Re: Reverse Tunnelling through SSH

> ----- Original Message -----
> From: "Tim McGarry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, February 17, 2003 2:45 PM
> Subject: Reverse Tunnelling through SSH
>
> > I'm using PuTTY to connect to a vncserver (Solaris/OpenSSH) started with
> > the -localhost option, works a treat.
> >
> > I've had no problems using vncconnect to connect directly to a listening
> > vncviewer running on the PC, but what I'd really like to do is make this
> > reverse connection through a Tunnel provided by SSH.
>
> I'm not sure what advantage you would have with this setup?
>
> > I've tried various combinations of local and remote forwarding with ports
> > 5900,5800,5500 but have had no success at all.
>
> It would be a little easier if you specified the "various combinations" you
> have tried.
>
> > I'd be grateful if anyone could shed some light on why this may not work.
> >
> > Tim McGarry
>
> I have two machines, a Win98 laptop "laptop" running PuTTY and a Redhat 7.3
> machine "kenny" running VNC.
>
> In PuTTY's configuration set up a forwarding port from kenny:5901 to the
> laptop. Then forward a port from laptop:5500 to kenny. The first is set up
> as a "local" forward, and the second is a "remote" forward. Your forwarded
> ports should look like:
>
>     L5901 kenny:5901
>     R5500 laptop:5500
>
> Once this is set up, fire off the VNC connection in the SSH terminal by doing
> "vncconnect -display :1 localhost".
>
> If that doesn't work please send the PuTTY log in a response to the list and
> we can help troubleshoot.
>
> --
> William Hooper
>
> Americans who blow horns to break up traffic jams scoff at primitives who
> beat drums to drive away evil spirits.
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
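
An added example, not part of the original thread: a small Python check for the exposure discussed above, reading `ss -ltn`-style listener lines and reporting VNC-related ports bound to anything other than loopback. The port conventions (5900+N RFB, 5800+N HTTP viewer, 6000+N X11 over TCP, 5500 listening viewer), the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumed conventions: display :N uses 5900+N (RFB), 5800+N (HTTP viewer) and
# 6000+N (X11 over TCP); 5500 is the listening-viewer port named in the thread.
ROLES = {58: "vnc-http", 59: "vnc-rfb", 60: "x11-tcp"}

# Constructed sample in the column layout of `ss -ltn` (not real output).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      5      0.0.0.0:5801       0.0.0.0:*
LISTEN 0      128    0.0.0.0:6001       0.0.0.0:*
LISTEN 0      128    [::1]:5500         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""

def role_for(port):
    """Map a TCP port to its VNC-related role, or None if unrelated."""
    if port == 5500:
        return "vnc-reverse"
    return ROLES.get(port // 100)

def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcards count as exposed."""
    try:
        return ipaddress.ip_address(host.strip("[]").split("%")[0]).is_loopback
    except ValueError:
        return False  # "*" or an unparsable address: treat as exposed

def audit(text):
    """Return (role, local_address) for VNC-related non-loopback listeners."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        role = role_for(int(port))
        if role and not is_loopback(host):
            findings.append((role, fields[3]))
    return findings

if __name__ == "__main__":
    for role, addr in audit(SAMPLE):
        print(f"exposed {role} listener on {addr}")
```

An empty result only shows that off-host connections are blocked; other local users on the same machine can still reach a loopback listener, which is the concern raised in point 3.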