Vnc

[cathal]

Hey guys, im thinking of installing VNC on my network because i have many other varying desktops on my network and another user suggested I should look into VNC. Its a way of getting other users on my network to look at my Linux boxes so hopefully if they like it ther will be only Linux boxes on my network. Now i've been looking at it and im just inquirying are there any security issues i should be aware of and what do you guys out there think about it?

[crackers]

VNC is a very nice piece of work - I've used it quite a bit. As far as security, remember that VNC is not an encrypted protocol and it only has bare-bones security (it wasn't meant for security). However, if you're behind a firewall and don't go poking holes in it, VNC is pretty safe. Just make sure to create separate users for each person and make sure that your "host" machine can handle the load of several people logging in and running applications on it. If you've got a typical "desktop" machine, you'll definitely have to limit access - or you wouldn't be able to get any of your work done.

[Bana]

If you do want security you can always try the putting VNC through a secure ssh tunneling setup like this picture: For more info see this article: Linux Journal Secure VNC

[tchung]

There is unknown feature to many people in vncviewer which does ssh tunneling with following option:

man vncviewer

-via gateway
Automatically create encrypted TCP tunnel to the gateway machine
before connection, connect to the host through that tunnel
(TightVNC-specific). By default, this option invokes SSH local
port forwarding, assuming that SSH client binary can be accessed
as /usr/bin/ssh. Note that when using the -via option, the host
machine name should be specified as known to the gateway
machine, e.g. "localhost" denotes the gateway, not the machine
where vncviewer was launched. The environment variable
VNC_VIA_CMD can override the default tunnel command of
/usr/bin/ssh -f -L "$L":"$H":"$R" "$G" sleep 20. The tunnel
command is executed with the environment variables H, L, H, R,
and G taken the values of the local port number, the remote
host, the port number on the remote host, and the gateway
machine respectively.

Enough with textbook explanation. Here is an example:

1) vncviewer -via REMOTE-HOST :1 (there is a spce in front of :1)

2) Type your ssh password

3) Type your vnc password

Thomas

ps. For VNC 101, see my article at:
http://fedoranews.org/tchung/vnc/

[cathal]

Thanks for your input guys, i set a vnc server and unfortunatley the win xp box is ubale to connect although im able to view there xp desktop. When i try to connect to my fedora box from xp i get cant find server. ne ideas? Everythin is up adn running correctly most be a configuration thing somewhere. ANything on windows that needs to be open for it to connect to a linux box.

[Bana]

You probably need to open up your firewall a bit. Try running a /etc/init.d/iptables stop and then connecting from the WinXP machine to make sure that is what the problem is and then see what the ports are that you need to open.

[cathal]

Yea i have tryed that already, ah back to the drawing board

[hob]

Cathal,

There shouldn't be any problems with VNC4b4 viewer on XP - IIRC XP firewall doesn't stop you from making outbound connections, so "can't find server" suggests that either the name/IP or port number is the problem.

I would try going back a step and check that you can connect with vncviewer from the desktop on your Fedora box. When that works try basic pings and nslookup from XP to the FC system.

[gbrkathy]

yes, I would suggest manually turning firewall off via /etc/init.d/iptables stop, then restarting it via /etc/init.d/iptables start.

Your vncviewer should work now.

This is a common occurance prob with win VNC connecting to FC2 box, before you restart firewall, also edit /etc/sysconfig/iptables. You need to copy the port 80 line, then change port 80 to 5901, then stop and restart firewall.

Hope that helps