Thread: vnc / X through ssh without init.d

  1. #1

    vnc / X through ssh without init.d

    I'd like to use vnc or X11 through ssh without using network ports, and using ssh's authentication. I.e:
    ssh using certificates to authenticate and create a pipe to remote server and startup vnc on remote; startup vncviewer on local machine using pipe and start working without further password prompt.

    I have found instructions on how to do this using localhost ports at both ends, but that seems to me to be a security hole.

    I would prefer to use local fifo pipes (or something similar) and not use ports on the two machines as that seems more secure. Is that possible?

    Thanks
    David

  2. #2

    Re: vnc / X through ssh without init.d

    On 12/31/2013 12:07 PM, jetojedno wrote:
    >
    > I'd like to use vnc or X11 through ssh without using network ports, and
    > using ssh's authentication. I.e:
    > ssh using certificates to authenticate and create a pipe to remote
    > server and startup vnc on remote; startup vncviewer on local machine
    > using pipe and start working without further password prompt.
    >
    > I have found instructions on how to do this using localhost ports at
    > both ends, but that seems to me to be a security hole.


    How so? The localhost address(es) can only be accessed by somebody on the
    box (physically or logically) which is a lot more restrictive than the
    across-the-network stuff you'll need to do at some level to make the SSH
    connection (assuming I'm understanding your goal, which is not explicit so
    I am guessing).

    > I would prefer to use local fifo pipes (or something similar) and not
    > use ports on the two machines as that seems more secure. Is that
    > possible?


    Maybe, but I do not understand what benefit you are planning to get using
    any kind of pipe over the network vs. just going to the SSH tunnel that is
    opened and simply using SSH. Either way you can get password-less
    authentication, and whether you can somehow connect to a pipe on one side
    or another to get into the SSH tunnel or go through the tunnel via a
    socket the entire connection is encrypted.... where is the supposed
    security concern?

    Pipes are usually used locally because it means potentially avoiding the
    network stack a bit which can have performance benefits. Across a
    network, no matter what, you're going to have something creating packets
    and dealing with that overhead. I think you're hoping for something that
    looks nice but is really a hard-to-implement shiny wrapper to the same old
    stuff.

    The only far-fetched idea I have regarding why a pipe may be a little more
    secure than a socket has to do with the possibility of somebody else on
    your system also using your socket. With that option out there, if that's
    the case you should kick them off of your system. Worst case, use the
    NetFilter/iptables firewall technologies to prevent access to your socket
    (even locally, yes) except for your user. Still, if somebody on your
    local machine is abusing your connection you should kick them out since
    there is a good chance they can do a lot worse with local access than
    access a VNC connection to somewhere.

    --
    Good luck.


  3. #3

    Re: vnc / X through ssh without init.d

    Hi, thanks for the reply.

    I wasn't clear enough - yes, connect through ssh through the network. It's the internal connection on the local & remote computers I have an issue with. Once the port on localhost is created (and I could be wrong here - I'm not a networking expert) then anyone on the computer can connect to it, and anyone can listen to the traffic. I believe fifo files are easier to secure, and are less "visible".

    I was asking if there's a way to create a fifo on the local computer and connect vncviewer & ssh to it (I think I understand how to do the ssh bit). Similarly create a fifo on the remote computer & connect ssh (ditto) & Xvnc / vncserver to that. i.e. avoid ports on localhost. Better yet is to pipe directly between the commands.

    Is this possible, or does the software need hacking (probably beyond me)?

    Thanks for any advice,
    David

  4. #4

    Re: vnc / X through ssh without init.d

    On 01/01/2014 04:06 AM, jetojedno wrote:
    >
    > I wasn't clear enough - yes, connect through ssh through the network.
    > It's the internal connection on the local & remote computers I have an
    > issue with. Once the port on localhost is created (and I could be wrong
    > here - I'm not a networking expert) then anyone on the computer can
    > connect to it, and anyone can listen to the traffic. I believe fifo
    > files are easier to secure, and are less "visible".


    Less visible I suppose, since you could put it where only you (and 'root')
    can see it, but either using a Unix socket or a named pipe/fifo you still
    need something to actually do the networking part of all of this. Both of
    these are meant for local operations only. Unix sockets (commonly used to
    access things like the MariaDB/MySQL server from its client) are for
    inter-process communication. FIFOs are essentially the same thing... a
    way to send data from here to there within the filesystem to processes
    using those FIFOs. There are no magical networking properties of these.
    If you are intending to use a pipe/FIFO you need to add that part
    yourself, which is the SSH portion you refer to, but SSH uses TCP sockets
    for moving data between systems, and one way or another any socket you
    open for your user will be visible, unless NetFilter or another firewall
    prevents it, to all other users on the local system. If you bind to a
    socket with an exposed (non-localhost usually) IP address then anybody on
    your computer's network, or maybe beyond depending on networking
    circumstances, could also access that socket.

    > I was asking if there's a way to create a fifo on the local computer and
    > connect vncviewer & ssh to it (I think I understand how to do the ssh
    > bit). Similarly create a fifo on the remote computer & connect ssh
    > (ditto) & Xvnc / vncserver to that. i.e. avoid ports on localhost.
    > Better yet is to pipe directly between the commands.


    Forget the FIFO.... it's for local stuff only so using it will only
    complicate the use of SSH. What you probably want is just the SSH tunnel,
    but you can probably simplify this further by using the -via option for the
    vncviewer client, which by default creates an SSH connection. Assuming
    you have keys setup, and the SSH agent setup, your SSH connection would be
    created for your VNC connection on the fly, so nobody could abuse it until
    you created it, and even then you could perhaps secure it more with NetFilter.

    > Is this possible, or does the software need hacking (probably beyond
    > me)?


    Pretty sure 'no' because the technologies to which you refer do not use
    magic to communicate across the network; one way or another you need a
    networking component, and FIFOs are filesystem components only. Combining
    filesystem pieces with networking pieces (an SSH tunnel) is easy to do,
    but it doesn't add anything beyond what you have already just using SSH
    unless your program needs a FIFO instead of a TCP socket (vncviewer does
    not apply here... it understands networking of course).

    --
    Good luck.

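The point both replies make, that a forwarded port on 127.0.0.1 is visible to and connectable by every local user no matter which uid opened it, can be checked directly from /proc/net/tcp. The script below is an added example, not code from either poster; it parses a constructed sample of that file as it would look after `ssh -L 5901:localhost:5901 user@remote` and lists the loopback listeners with their owning uid (the hex address columns are assumed to be in little-endian host order, as on x86).

```python
import socket
import struct

# Constructed sample of /proc/net/tcp on the local machine after running
# "ssh -L 5901:localhost:5901 user@remote": sshd listening on all interfaces,
# the forwarded VNC port listening on 127.0.0.1, and one established client.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:170D 0100007F:A2C4 01 00000000:00000000 00:00000000 00000000  1000        0 5679 1 0000000000000000 20 4 0 10 -1
"""

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket


def _decode_addr(hex_addr):
    """Turn '0100007F:170D' into ('127.0.0.1', 5901).

    The kernel writes the IPv4 address in host byte order, so on a
    little-endian host (assumed here) it must be unpacked with "<I".
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state, uid) for each socket row."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = _decode_addr(fields[1])
        rows.append((ip, port, int(fields[3], 16), int(fields[7])))
    return rows


def loopback_listeners(text):
    """Listening sockets bound to 127.0.0.1, as (port, uid) pairs.

    Any local user can connect to these; the uid only says who opened them.
    """
    return sorted(
        (port, uid) for ip, port, state, uid in parse_proc_net_tcp(text)
        if ip == "127.0.0.1" and state == TCP_LISTEN
    )


def vnc_display(port):
    """VNC display :N listens on TCP 5900+N; return N, or None if not VNC."""
    return port - 5900 if 5900 <= port < 6000 else None


if __name__ == "__main__":
    for port, uid in loopback_listeners(SAMPLE_PROC_NET_TCP):
        disp = vnc_display(port)
        label = f" (VNC display :{disp})" if disp is not None else ""
        print(f"127.0.0.1:{port} opened by uid {uid}{label} is reachable by any local user")
```

On a live Linux system, read `/proc/net/tcp` instead of the sample; the NetFilter restriction the replies mention corresponds to an iptables OUTPUT rule on `lo` using the owner match (`-m owner ! --uid-owner <you> -j REJECT`), which this script only helps you decide whether you need.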
