vnc / X through ssh without init.d

I’d like to use vnc or X11 through ssh without using network ports, and using ssh’s authentication. i.e.:
ssh using certificates to authenticate and create a pipe to remote server and startup vnc on remote; startup vncviewer on local machine using pipe and start working without further password prompt.

I have found instructions on how to do this using localhost ports at both ends, but that seems to me to be a security hole.

I would prefer to use local fifo pipes (or something similar) and not use ports on the two machines as that seems more secure. Is that possible?

Thanks
David

On 12/31/2013 12:07 PM, jetojedno wrote:
>
> I’d like to use vnc or X11 through ssh without using network ports, and
> using ssh’s authentication. i.e.:
> ssh using certificates to authenticate and create a pipe to remote
> server and startup vnc on remote; startup vncviewer on local machine
> using pipe and start working without further password prompt.
>
> I have found instructions on how to do this using localhost ports at
> both ends, but that seems to me to be a security hole.

How so? The localhost address(es) can only be accessed by somebody on the
box (physically or logically) which is a lot more restrictive than the
across-the-network stuff you’ll need to do at some level to make the SSH
connection (assuming I’m understanding your goal, which is not explicit so
I am guessing).

> I would prefer to use local fifo pipes (or something similar) and not
> use ports on the two machines as that seems more secure. Is that
> possible?

Maybe, but I do not understand what benefit you are planning to get using
any kind of pipe over the network vs. just going to the SSH tunnel that is
opened and simply using SSH. Either way you can get password-less
authentication, and whether you can somehow connect to a pipe on one side
or another to get into the SSH tunnel or go through the tunnel via a
socket the entire connection is encrypted… where is the supposed
security concern?

Pipes are usually used locally because it means potentially avoiding the
network stack a bit which can have performance benefits. Across a
network, no matter what, you’re going to have something creating packets
and dealing with that overhead. I think you’re hoping for something that
looks nice but is really a hard-to-implement shiny wrapper to the same old
stuff.

The only far-fetched idea I have regarding why a pipe may be a little more
secure than a socket has to do with the possibility of somebody else on
your system also using your socket. With that option out there, if that’s
the case you should kick them off of your system. Worst case, use the
NetFilter/iptables firewall technologies to prevent access to your socket
(even locally, yes) except for your user. Still, if somebody on your
local machine is abusing your connection you should kick them out since
there is a good chance they can do a lot worse with local access than
access a VNC connection to somewhere.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

Hi, thanks for the reply.

I wasn’t clear enough - yes, connect through ssh through the network. It’s the internal connection on the local & remote computers I have an issue with. Once the port on localhost is created (and I could be wrong here - I’m not a networking expert) then anyone on the computer can connect to it, and anyone can listen to the traffic. I believe fifo files are easier to secure, and are less “visible”.

I was asking if there’s a way to create a fifo on the local computer and connect vncviewer & ssh to it (I think I understand how to do the ssh bit). Similarly create a fifo on the remote computer & connect ssh (ditto) & Xvnc / vncserver to that. i.e. avoid ports on localhost. Better yet is to pipe directly between the commands.

Is this possible, or does the software need hacking (probably beyond me)?

Thanks for any advice,
David

On 01/01/2014 04:06 AM, jetojedno wrote:
>
> I wasn’t clear enough - yes, connect through ssh through the network.
> It’s the internal connection on the local & remote computers I have an
> issue with. Once the port on localhost is created (and I could be wrong
> here - I’m not a networking expert) then anyone on the computer can
> connect to it, and anyone can listen to the traffic. I believe fifo
> files are easier to secure, and are less “visible”.

Less visible I suppose, since you could put it where only you (and ‘root’)
can see it, but either using a Unix socket or a named pipe/fifo you still
need something to actually do the networking part of all of this. Both of
these are meant for local operations only. Unix sockets (commonly used to
access things like the MariaDB/MySQL server from its client) are for
inter-process communication. FIFOs are essentially the same thing… a
way to send data from here to there within the filesystem to processes
using those FIFOs. There are no magical networking properties of these.
If you are intending to use a pipe/FIFO you need to add that part
yourself, which is the SSH portion you refer to, but SSH uses TCP sockets
for moving data between systems, and one way or another any socket you
open for your user will be visible, unless NetFilter or another firewall
prevents it, to all other users on the local system. If you bind to a
socket with an exposed (non-localhost usually) IP address then anybody on
your computer’s network, or maybe beyond depending on networking
circumstances, could also access that socket.

> I was asking if there’s a way to create a fifo on the local computer and
> connect vncviewer & ssh to it (I think I understand how to do the ssh
> bit). Similarly create a fifo on the remote computer & connect ssh
> (ditto) & Xvnc / vncserver to that. i.e. avoid ports on localhost.
> Better yet is to pipe directly between the commands.

Forget the FIFO… it’s for local stuff only so using it will only
complicate the use of SSH. What you probably want is just the SSH tunnel,
but you can probably simplify this further by using the -via option for the
vncviewer client, which by default creates an SSH connection. Assuming
you have keys setup, and the SSH agent setup, your SSH connection would be
created for your VNC connection on the fly, so nobody could abuse it until
you created it, and even then you could perhaps secure it more with NetFilter.

> Is this possible, or does the software need hacking (probably beyond
> me)?

Pretty sure ‘no’ because the technologies to which you refer do not use
magic to communicate across the network; one way or another you need a
networking component, and FIFOs are filesystem components only. Combining
filesystem pieces with networking pieces (an SSH tunnel) is easy to do,
but it doesn’t add anything beyond what you have already just using SSH
unless your program needs a FIFO instead of a TCP socket (vncviewer does
not apply here… it understands networking of course).


Good luck.
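The two replies above disagree with David on one concrete point: what a process on the same box can learn about, or do with, a listener that is bound to localhost versus a Unix-domain socket in a private directory. The following script is an added example written for this thread; it is not code from the thread, from OpenSSH, or from any VNC project, and the function names (`tcp_loopback_peer_info`, `unix_socket_peer_check`, `peer_uid`) are my own. It assumes Linux, because it reads the connecting process's uid with the Linux-only `SO_PEERCRED` socket option. It shows that a loopback TCP listener (the client side of an `ssh -L` forward) only ever sees an `(ip, port)` pair, so it cannot tell which local user connected, whereas a Unix socket gets filesystem permissions on who may connect at all plus a verifiable peer uid, which is the "less visible, easier to secure" property David was after and the reason the replies say a FIFO adds nothing: the protection comes from ownership and peer credentials, not from the absence of a port.

```python
"""Added example for this thread (not code from the thread, from OpenSSH or
from any VNC project): what a local listener can learn about the process
connecting to it on a loopback TCP port versus a Unix-domain socket.
Linux only: SO_PEERCRED is a Linux socket option."""
import os
import socket
import struct
import tempfile
import threading


def _serve_one(listener, describe):
    """Accept exactly one connection, reply with describe(conn), then return."""
    conn, _addr = listener.accept()
    with conn:
        conn.sendall(describe(conn).encode())


def peer_uid(conn):
    """uid of the process at the other end of a connected Unix-domain socket.
    SO_PEERCRED returns struct ucred: pid, uid, gid as three C ints (Linux)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def tcp_loopback_peer_info():
    """Loopback TCP listener, i.e. what `ssh -L 5901:localhost:5901` creates
    on the client side.  The only thing the listener ever sees is an
    (ip, port) pair: any process on the box can connect, and which user owns
    that process is not visible at the socket layer.  Returns the server's
    description of the peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # loopback only, ephemeral port
    srv.listen(1)
    srv.settimeout(5)                     # never hang forever in accept()
    port = srv.getsockname()[1]
    t = threading.Thread(
        target=_serve_one,
        args=(srv, lambda c: "tcp peer=%s:%d" % c.getpeername()))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        reply = cli.recv(256).decode()
    t.join()
    srv.close()
    return reply


def unix_socket_peer_check(allowed_uid=None):
    """Unix-domain socket in a private directory.  Two layers a loopback port
    lacks: the filesystem decides who may connect at all (mode 0700 directory,
    mode 0600 socket), and SO_PEERCRED lets the server verify the connecting
    uid and refuse anyone else.  Returns the server's verdict string."""
    if allowed_uid is None:
        allowed_uid = os.getuid()
    tmpdir = tempfile.mkdtemp()           # mkdtemp creates the dir mode 0700
    path = os.path.join(tmpdir, "vnc.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)                 # only the owner may connect
    srv.listen(1)
    srv.settimeout(5)

    def verdict(conn):
        uid = peer_uid(conn)
        ok = uid == allowed_uid
        return "%s uid=%d" % ("accept" if ok else "reject", uid)

    t = threading.Thread(target=_serve_one, args=(srv, verdict))
    t.start()
    try:
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        with cli:
            reply = cli.recv(256).decode()
    finally:
        t.join()
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return reply


if __name__ == "__main__":
    print(tcp_loopback_peer_info())       # tcp peer=127.0.0.1:<port>
    print(unix_socket_peer_check())       # accept uid=<your uid>
    print(unix_socket_peer_check(-1))     # reject uid=<your uid>
```

Running it as the same user prints an accept for the Unix socket and a reject when the allowed uid is set to a value that cannot match; the TCP listener has no equivalent check to apply. On a real system the listeners created by `ssh -L` and by `vncviewer -via` can be inspected with `ss -ltnp`, which is the practical way to confirm that a forward is bound to 127.0.0.1 rather than to an exposed address. OpenSSH 6.7 and later can also forward Unix-domain sockets (`ssh -L /path/local.sock:/path/remote.sock host`), which avoids the loopback port entirely on the client side; whether the Xvnc build in use can listen on a Unix socket depends on the VNC implementation and is not something this thread establishes.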