Securing VNC Network Traffic Using SSH Port Forwarding

Abstract

This technote describes how to secure Virtual Network Computing (VNC) connections to a Linux server running on IBM eServer zSeries using SSH port forwarding.

For related information about this topic, refer to the following IBM Redbooks publication:
Linux on IBM eServer zSeries and S/390: Best Security Practices, SG24-7023-00

Virtual Network Computing (VNC) is a cross-platform remote control software package. VNC allows access to an X Window session from Windows without running an X server on the Windows machine. VNC is distributed under the GNU General Public License (GPL) and is available from RealVNC (the official home of VNC). VNC is a client/server application:
  • A VNC server runs on a remote machine.
  • A VNC client connects to the server to access the remote machine.
A password is required to connect to a VNC server, and the password is encrypted when passed across the network. However, the VNC protocol is not considered secure: the session data itself is transmitted across the network in cleartext. Using SSH port forwarding, it is possible to add security to a VNC connection by passing the data over an encrypted SSH tunnel. This technote outlines a procedure to secure a VNC viewer running on Windows when connecting to a Linux server running on zSeries.

Install the VNC server
VNC is available as part of the SLES8 distribution on Linux for zSeries. Both the VNC server and client are part of the VNC RPM package. Use the vncserver :0 command to start the server. The VNC server listens on TCP port 5900 by default (you can verify this using the netstat --numeric --listening --tcp command). The first time a VNC server is started, you are prompted to provide a password (used when a VNC client attempts to connect to the server). The :0 parameter indicates VNC is to use display 0. Display n listens on TCP port 5900 + n; for instance, display 1 listens on port 5901.

Install the VNC client
Download and install VNC from RealVNC. To use VNC over a forwarded port, ensure the Windows System Registry contains:
    HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\AllowLoopback=1
Use the regedit command to edit the System Registry if needed.

Install an SSH server on Windows
Local port forwarding requires an SSH server running on the Windows machine. OpenSSH is provided as part of Cygwin (an environment similar to Linux for Windows). Cygwin is available from the Cygwin Web site; its install and update utility (setup.exe) retrieves packages from the Internet. When you install Cygwin, select the OpenSSH package (available in the Net category).
Once installed, complete the Cygwin configuration.
In My Computer->Properties->Advanced->Environment Variables:
  • Add the variable CYGWIN=ntsec tty.
  • Add C:\cygwin\bin to the PATH environment variable.

Configure the Windows SSH server
Configure OpenSSH from a Cygwin console window using the ssh-host-config command as shown below:

$ ssh-host-config
Generating /etc/ssh_host_key
Generating /etc/ssh_host_rsa_key
Generating /etc/ssh_host_dsa_key
Generating /etc/ssh_config file
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege separation read /usr/share/doc/openssh/README.privsep

Should privilege separation be used? (yes/no) yes
Generating /etc/sshd_config file

Host configuration finished. Have fun!

Create a local forwarded tunnel from Windows to Linux
Use the ssh -L 5900:127.0.0.1:5900 root@192.168.4.1 command to forward port 5900 on the Windows machine (where the VNC viewer runs) to port 5900 on Linux host 192.168.4.1 (where the VNC server runs). The loopback interface address (127.0.0.1) must be used as the forwarding target. If localhost is specified instead, connecting the VNC viewer to the loopback interface fails with the message:
    channel 2: open failed: connect failed: Connection refused

Connect to the VNC server over the SSH tunnel
To complete the procedure, start the VNC viewer on the Windows machine (pointing to the server at 127.0.0.1:0). At this point, the connection is forwarded from the Windows machine to the Linux VNC server. All network traffic is transparently encrypted by the SSH tunnel.
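The following shell script is an added example and is not part of the IBM technote. It collects the display-to-port mapping from the "Install the VNC server" section and the ssh -L forward specification from the tunnel section into small functions, and adds a check on netstat --numeric --listening --tcp output that reports which local address the VNC server is bound to: a server bound to 0.0.0.0 is still reachable from the network without the tunnel, whereas one bound to 127.0.0.1 can only be reached through it. The user, host and ports are those from the technote; the netstat sample is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the IBM technote): helpers for the VNC
# display-to-port mapping, the ssh -L forward specification, and a
# check of netstat output for the VNC listener's bind address.

VNC_BASE_PORT=5900

# vnc_port DISPLAY -> TCP port used by that VNC display (5900 + DISPLAY)
vnc_port() {
    echo $((VNC_BASE_PORT + $1))
}

# forward_spec LOCAL_DISPLAY REMOTE_DISPLAY -> argument for ssh -L.
# The target is always 127.0.0.1, as the technote requires; specifying
# "localhost" can fail with "channel 2: open failed: connect failed".
forward_spec() {
    echo "$(vnc_port "$1"):127.0.0.1:$(vnc_port "$2")"
}

# tunnel_cmd REMOTE_USER REMOTE_HOST LOCAL_DISPLAY REMOTE_DISPLAY -> the
# ssh command line to run on the Windows (Cygwin) side.
tunnel_cmd() {
    echo "ssh -L $(forward_spec "$3" "$4") $1@$2"
}

# listener_addr NETSTAT_OUTPUT PORT -> the local address a TCP listener on
# PORT is bound to, or "none" if nothing listens there. "0.0.0.0" means the
# VNC server answers on every interface and the tunnel protects nothing;
# "127.0.0.1" means only connections arriving via the tunnel reach it.
listener_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) { print a[1]; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Constructed sample of "netstat --numeric --listening --tcp" output on the
# Linux host: display 0 bound to loopback only, display 1 bound everywhere.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN'

# Demonstration: the command from the technote and the bind-address check.
echo "Tunnel command: $(tunnel_cmd root 192.168.4.1 0 0)"
for d in 0 1 2; do
    p=$(vnc_port "$d")
    echo "display :$d (port $p) bound to: $(listener_addr "$SAMPLE_NETSTAT" "$p")"
done
```

Run the script on the Cygwin side to print the exact ssh command for a given display pair; run the netstat command on the Linux host and feed its output to listener_addr to confirm the VNC server is not also exposed directly on a network interface.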

Special Notices

This material has not been submitted to any formal IBM test and is published AS IS. It has not been the subject of rigorous review. IBM assumes no responsibility for its accuracy or completeness. The use of this information or the implementation of any of these techniques is a client responsibility and depends upon the client's ability to evaluate and integrate them into the client's operational environment.

publib-b.boulder.ibm.com

Profile

Publish Date
19 May 2004

IBM Form Number
TIPS0408