April 21, 2019

Using VNC Tunneling over SSH - page 2

Temporary Access

  • January 30, 2006
  • By Rob Reilly

SSH is fairly secure and encrypts data that is sent over it. The tunneling technique can even be used when all the machines are behind a firewall to ensure that the data is kept from possible prying eyes.

SSH tunneling works in one of two directions, depending on the location of the server you are using, which in this case is VNC.

For example, say I'm hammering away on my laptop in some café somewhere and want to view a user's desktop. The VNC server will need to be started by the user on his desktop Linux machine. x11vnc is a fine program to use because it defaults to serving whatever is on the user's desktop. Programs like vncserver are usually used to provide a remote desktop (display :1, :2, etc.) and don't necessarily mirror what is on the local user's screen. The logged-in user's desktop is also known as the :0 display number. The server (display :0) can be started by:

     desktop> x11vnc

Next, a tunnel over the Internet is established so my laptop can communicate with the desktop VNC server. That is done from my laptop with the SSH command using the -L option. L stands for local: I want to make the remote server look like a local server to my laptop. Here is the command line:

     laptop> ssh xx.xxx.xx.xx -L 5900:localhost:5900

The prompt then asks for a password to log into the user's desktop machine. In this case, don't forget that the xx.xxx.xx.xx number is really the firewall's IP address. Remember, the SSH port in the firewall was re-configured to route traffic through to the desktop that is running the VNC server. If tunneling on a LAN with the laptop and desktop both behind the firewall, you would just use the desktop's IP address for xx.xxx.xx.xx.

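To speed up screen repaints as much as possible, the -o Compression and CompressionLevel options can be used, too. CompressionLevel applies to SSH protocol version 1 only, so current OpenSSH clients do not honor it; Compression=yes is the part that still takes effect: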

     laptop> ssh xx.xxx.x.xx -o Compression=yes -o CompressionLevel=1 -L 5900:localhost:5900

The last thing to do is start the vncviewer on the laptop, so I can watch what the user is doing on the remote desktop.

     laptop> vncviewer localhost:0

This connects my vncviewer to the tunnel and brings up the user's desktop in a window on my laptop. The user can then educate me on how he carries out his work.
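The tunnel only protects the session if the VNC server cannot also be reached directly on port 5900. The following check is an added example, not part of the original article: it assumes x11vnc was started with its -localhost option so that it binds to loopback only, and it parses `ss -ltn` output on the desktop to flag any VNC listener that is still exposed. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads `ss -ltn` output on stdin and prints each VNC listener
# (TCP 5900-5909, displays :0 to :9) that is NOT bound to loopback.
vnc_exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }          # skip header and other states
        {
            n = split($4, parts, ":")    # $4 is Local Address:Port
            port = parts[n] + 0          # port follows the last colon
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (port < 5900 || port > 5909) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print $4
        }
    '
}

# Succeeds (0) only when every VNC listener is loopback-only,
# i.e. reachable solely through the SSH tunnel.
vnc_tunnel_only() {
    exposed=$(vnc_exposed_listeners)
    if [ -n "$exposed" ]; then
        echo "VNC reachable without the tunnel:" >&2
        echo "$exposed" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:5900       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      32     127.0.0.1:5901     0.0.0.0:*
LISTEN 0      32     [::]:5900          [::]:*
LISTEN 0      32     [::1]:5902         [::]:*'

# On the desktop: ss -ltn | vnc_tunnel_only
```

Because the article's -L 5900:localhost:5900 forward terminates at localhost on the desktop, a loopback-only VNC server still works through the tunnel.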
