VNC Java Viewer with SSH HOWTO
by Michael Ossmann ([EMAIL PROTECTED])
v0.1, Feb 8, 2002

This document explains the configuration of an SSH enabled Java VNC
viewer.
______________________________________________________________________

Table of Contents

1. Introduction
   1.1 Intended Audience
   1.2 Alternative Solutions
   1.3 Related Documentation
2. Overview
3. Installing the SSH server
   3.1 Installing OpenSSH on Unix
   3.2 Installing ? on Windows
4. Installing the Java Client
   4.1 Downloading MindVNC
   4.2 Installing on a Unix VNC server
   4.3 Installing on a Windows VNC server
5. Additional Stuff
   5.1 Limiting VNC access to SSH only
   5.2 Trimming Down the Java Archive
6. Limitations
7. Future Directions
______________________________________________________________________

1. Introduction

AT&T's VNC software is a remote display system which allows users to
connect to graphical applications running on remote hosts. Various Java
VNC clients (including the original one released by AT&T) are a popular
means of connecting to VNC servers from within any web browser. It is
also popular to secure VNC connections by tunneling through SSH, but
there is no way to take advantage of VNC over SSH with a Java client
that is easy to install and configure. This document will take you
through a not-so-easy method.

1.1 Intended Audience

If you use a Java VNC viewer over an insecure network, you should
consider using this solution. VNC uses a protocol which sends
keystrokes, mouse movements, and screen updates in the clear.
Encrypting this connection with SSH is a good way to protect your VNC
session from snooping and tampering.

It is assumed that you are familiar with the installation and
configuration of AT&T's VNC server, either on Unix or Windows, and with
the use of the standard Java applet on port 58xx. It is also assumed
that you have a basic knowledge of SSH and understand how VNC can be
secured with SSH (not necessarily with a Java client). If you are
lacking familiarity with these concepts, take a look at the related
documentation (section 1.3) below.

1.2 Alternative Solutions

If you are interested in encrypting VNC but only require the use of
native win32 VNC servers and clients (without Java), then you may want
to consider zvnc:

    http://people.we.mediaone.net/ddyer/znc/zvnc.html

You can also use a wide variety of VPN solutions to secure all of your
network communications, including VNC with or without a Java client.

TODO (more)

1.3 Related Documentation

AT&T's VNC site includes a documentation section:

    http://www.uk.research.att.com/vnc/

It also includes a page describing the use of VNC over SSH (not with
the Java client):

    http://www.uk.research.att.com/vnc/sshvnc.html

The OpenSSH project produces an open source SSH client and server for
Unix platforms. It also has good documentation and links to other SSH
software on a wide variety of platforms:

    http://www.openssh.org/

"SSH: The Secure Shell, The Definitive Guide" by Daniel J. Barrett,
Ph.D. and Richard E. Silverman is an excellent book about SSH:

    http://www.snailbook.com/

2. Overview

We will set up an SSH server on the system which is running the VNC
server and will use a Java applet which includes both the SSH client
and VNC client. Because the Java applet is deployed to web clients from
a minimal HTTP server built into the VNC server, the applet
installation will also take place on the server side.

Our solution will use the SSH1 protocol, which is arguably inferior to
the newer SSH2 protocol. Unfortunately there is no open source Java
implementation of SSH2 at this time.

3. Installing the SSH server

3.1 Installing OpenSSH on Unix

TODO

3.2 Installing ? on Windows

TODO

4. Installing the Java Client

The Java applet we will use is MindVNC, part of the MindTerm package
originally released by MindBright (http://www.mindbright.se/). MindTerm
was originally released under the GPL, but newer versions have not been
released under an open source license.
ISNetworks (http://www.isnetworks.com/) has released a fork of the
original GPL version with a few improved features. This is the version
we will use.

This applet is digitally signed, which enables some important features.
The browser will be able (after asking the user) to allow SSH
connections to hosts other than the one that served the applet and even
store SSH keys on the local hard drive (which allows you to
preconfigure browsers with your server's public key in order to prevent
man-in-the-middle attacks against the SSH connection). These are
privileges which cannot normally be granted to unsigned applets.

4.1 Downloading MindVNC

You can find it here:

    http://www.isnetworks.com/ssh/

After you unpack it, take a look in the applet directory. The
netscape.html and sshNetscape.jar files are what we are interested in.
You shouldn't need the ie.html and sshIE.cab files unless you are
working with older Internet Explorer browsers. (Does anyone know how
old? I know the jar file works with IE 5.0.) Any modern browser/JVM
combination should support the jar format.

4.2 Installing on a Unix VNC server

Find the VNC Java directory on your server. Mine (is this the default?)
is /usr/share/vnc/classes/. Copy netscape.html and sshNetscape.jar into
this directory.

Test the applet by starting up vncserver and then pointing a browser
to:

    http://server:5800/netscape.html

(If you are running the VNC server on a display other than :0, use the
appropriate port number for that display.)

You should see the MindTerm test page, and the MindTerm applet should
start up in an independent Java window. Read the information on the
test page about accepting the applet signature. If you want to trust
the signature, you'll need to follow the "from ISNetworks' site" link.
Trusting the signature will allow this browser to take advantage of the
features listed above which are not strictly necessary for our purposes
but which you may find handy.

Test the MindTerm applet by logging in to your server via the provided
command line.

TODO (If the test fails)

If MindTerm works, then you are ready to try MindVNC. Copy
netscape.html to mindvnc.html and edit it. The only line you need to
change is this one:

    <applet archive="sshNetscape.jar" code=mindbright.application.MindVNC.class width=1 height=1>

Notice that the code has changed from MindTerm to MindVNC. Now connect
to:

    http://server:5800/mindvnc.html

The MindVNC applet should pop up just like the MindTerm applet did, but
you'll notice that it is almost identical to the AT&T Java VNC viewer.
Enter valid login information in the SSH User and SSH Password fields.
In the VNC Host [:display] field, enter "localhost:0" (changing the
display number as appropriate). Enter the VNC password for that display
in the VNC Password field. Click the Connect button, and away you go.

Note that "localhost" in the VNC Host field means localhost from the
server's perspective. It is required.

4.3 Installing on a Windows VNC server

TODO

5. Additional Stuff

5.1 Limiting VNC access to SSH only

TODO

5.2 Trimming Down the Java Archive

TODO

6. Limitations

TODO

7. Future Directions

TODO

-- 
Mike Ossmann, Tarantella/UNIX Engineer/Instructor
Alternative Technology, Inc. http://www.alttech.com/
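
The file steps of section 4.2 collected into one shell function, as an added example that is not part of the original HOWTO. The function name is hypothetical, and it assumes the stock netscape.html carries code=mindbright.application.MindTerm.class in its applet tag (the HOWTO only says the code changes from MindTerm to MindVNC).

```sh
#!/bin/sh
# Added example: section 4.2's file steps as one function.
# Assumptions (not from the HOWTO): the function name, and that the stock
# netscape.html names the MindTerm class in its applet tag as
# code=mindbright.application.MindTerm.class.

install_mindvnc() {
    src=$1      # "applet" directory of the unpacked ISNetworks package
    classes=$2  # VNC Java directory, e.g. /usr/share/vnc/classes

    for f in netscape.html sshNetscape.jar; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    [ -d "$classes" ] || { echo "no such directory: $classes" >&2; return 1; }

    cp "$src/netscape.html" "$src/sshNetscape.jar" "$classes/" || return 1

    # Derive mindvnc.html: only the applet's code attribute changes.
    sed 's/code=mindbright\.application\.MindTerm\.class/code=mindbright.application.MindVNC.class/' \
        "$classes/netscape.html" > "$classes/mindvnc.html" || return 1

    # Fail loudly if nothing was substituted; a silent miss would leave a
    # page that still starts the terminal applet instead of the VNC viewer.
    if ! grep -q 'code=mindbright\.application\.MindVNC\.class' "$classes/mindvnc.html"; then
        rm -f "$classes/mindvnc.html"
        echo "applet tag not found in netscape.html" >&2
        return 1
    fi

    # The VNC server's built-in HTTP server hands these files to browsers:
    # readable by all, writable only by the owner.
    chmod 644 "$classes/netscape.html" "$classes/mindvnc.html" \
        "$classes/sshNetscape.jar" || return 1
}

# Usage: install_mindvnc ./applet /usr/share/vnc/classes
```

The function does not overwrite anything outside the two HTML files and the jar, so the AT&T viewer already in the classes directory stays available on the same port.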
