This technote describe how to secure Virtual Network Computing (VNC) connections to a Linux server running on IBM eServer zSeries using SSH port forwarding.
For related information about this topic, refer to the following IBM Redbooks publication:
Linux on IBM eServer zSeries and S/390: Best Security Practices, SG24-7023-00
Virtual Networking Computing (VNC) is a cross-platform, remote control software package. VNC allows access to an X Windows session from Windows without running an X server on the Windows box. VNC is distributed under the GNU General Public License (GPL) and is available from RealVNC (the official home of VNC):
- A VNC server runs on a remote machine.
- A VNC client connects to the server to access the remote machine.
Install the VNC server
VNC is available as part of the SLES8 distribution on Linux for zSeries. Both the VNC server and client are part of the VNC RPM package. Use the vncserver :0 command to start the server. The VNC server listens on TCP port 5900 by default (you can verify this using the netstat --numeric --listening --tcp command). The first time a VNC server is started, you are prompted to provide a password (used when a VNC client attempts to connect to the server). The :0 parameter indicates VNC is to use display 0. Each VNC display uses the next available port after 5900. For instance, display 1 listens on port 5901.
Install the VNC client
Download and install VNC from RealVNC. To use VNC over a forwarded port, ensure the Windows System Registry contains:
Install an SSH server on Windows
Local port forwarding requires an SSH server running on the Windows machine. OpenSSH is provided as part of Cygwin (an environment similar to Linux for Windows). Cygwin is available at:
Once installed, complete the Cygwin configuration.
In My Computer->Properties->Advanced->Environment Variables:
- Add the variable CYGWIN=ntsec tty.
- Add C:\cygwin\bin to the PATH environment variable.
Configure the Windows SSH server
Configure OpenSSH from a Cygwin console window using the ssh-host-config command as shown below:
Generating /etc/ssh_config file
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege separation read /usr/share/doc/openssh/README.privsep
Should privilege separation be used? (yes/no) yes
Generating /etc/sshd_config file
Host configuration finished. Have fun!
Create a local forwarded tunnel from Windows to Linux
Use the ssh -L 5900:127.0.0.1:5900 email@example.com command to forward port 5900 on the Windows machine (where the VNC viewer runs) to Linux host 192.168.4.1 (where the VNC server runs). The loopback interface address (127.0.0.1) must be used. If localhost is specified, connecting the VNC viewer to the loopback interface fails with the message:
- channel 2: open failed: connect failed: Connection refused
Connect to the VNC server over the SSH tunnel
To complete the procedure, start the VNC viewer on the Windows machine (pointing to the server at 127.0.0.1:0). At this point, the connection is forwarded from the Windows machine to the Linux VNC server. All network traffic is transparently encrypted by the SSH tunnel.
This material has not been submitted to any formal IBM test and is published AS IS. It has not been the subject of rigorous review. IBM assumes no responsibility for its accuracy or completeness. The use of this information or the implementation of any of these techniques is a client responsibility and depends upon the client's ability to evaluate and integrate them into the client's operational environment. publib-b.boulder.ibm.com