oppl’s blog
documenting my work with and on free software
Securing VNC access to your X-based desktop
I had security concerns regarding the default options for VNC access to my Ubuntu Desktop machine. Keeping the port open all the time didn’t seem a good idea to me, and the maximum 8-character VNC password does not add much security either.
Using an ssh tunnel basically seemed to provide a solution. When digging a bit into the topic, I came up with a pretty neat setup which provides sufficient security, is flexible in terms of the desktop environment used and furthermore only uses resources when needed.
What you obviously need is an ssh server running on the machine you want to access. Additionally, I installed x11vnc, which is a simple VNC server capable of attaching to any running X server, independent of the desktop system in use.
I’m now connecting to my machine remotely via an ssh tunnel. Instead of letting the VNC server run all the time, I only start it when the ssh connection is established. After waiting a few seconds until the VNC server is up and running, you can simply connect to your machine through the secure tunnel. In its default configuration, x11vnc quits as soon as the VNC connection is terminated. As a consequence, I’ve created a simple shell script on the notebook I use to connect to the remote machine:
#!/bin/bash
# open the tunnel (local 5900 -> remote 5900) and start x11vnc on the server for this session;
# x11vnc only listens on the server's loopback (-localhost) and asks for the VNC password (-rfbauth)
ssh -t -L 5900:localhost:5900 <your server address> 'x11vnc -localhost -rfbauth .vnc/passwd' &
# give x11vnc a few seconds to come up, then connect through the tunnel
sleep 10
vinagre localhost:5900
This script simply brings up the tunnel, starts the VNC server remotely and then starts vinagre, the VNC client included with Ubuntu, on my notebook. As soon as I shut down the connection, the VNC server exits and the ssh tunnel is terminated. For added security, x11vnc also asks for a password (-rfbauth). The password can be set on the server machine using “x11vnc -storepasswd”. SSH is configured for public/private key authentication to avoid being asked for a password at ssh login too (using a keychain application to unlock the ssh key). Setting up the public key authentication is pretty straightforward.
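As an added example (not the script from the post), here is a more defensive version of the same client-side launcher. It binds the local end of the tunnel to 127.0.0.1 explicitly, refuses to start if the local port is already taken, waits for the “PORT=” line x11vnc prints once its listener is up instead of a fixed ten-second sleep, and tears the tunnel down on any exit. The remote host is taken from the first argument (no server address is assumed); the password file path .vnc/passwd, the local viewer vinagre and the polling timeouts are assumptions you can override.

```bash
#!/usr/bin/env bash
# Added example, not the post's own script: a more defensive launcher for the
# ssh-tunnelled x11vnc setup described above. Assumptions (placeholders): remote
# host passed as $1, password file .vnc/passwd in the server home directory,
# vinagre as the local viewer.
set -eu

# -L argument for ssh: bind the local end to 127.0.0.1 explicitly, so the
# forwarded port can never be reached from other hosts even if the ssh client
# config enables GatewayPorts.
tunnel_spec() {
  printf '127.0.0.1:%s:localhost:%s' "$1" "$2"
}

# Command run on the server for the lifetime of the ssh session. -localhost keeps
# x11vnc off the network (only the tunnel can reach it); -once, x11vnc's default,
# makes it exit when the viewer disconnects, which ends the ssh session too.
remote_command() {
  printf 'x11vnc -localhost -once -rfbauth %s' "$1"
}

# Returns 0 if nothing is listening on 127.0.0.1:$1 (probe via bash's /dev/tcp).
port_free() {
  ! ( exec 3<>"/dev/tcp/127.0.0.1/$1" ) 2>/dev/null
}

# Returns 0 once the captured x11vnc output (log file $1) contains the
# "PORT=NNNN" line x11vnc prints when its listener is ready.
vnc_ready() {
  grep -q '^PORT=[0-9]' "$1"
}

# Poll up to $2 seconds for vnc_ready on log $1; returns 1 on timeout.
wait_for_vnc() {
  i=0
  while [ "$i" -lt "$2" ]; do
    if vnc_ready "$1"; then return 0; fi
    sleep 1
    i=$((i + 1))
  done
  return 1
}

main() {
  host="$1"; lport="${2:-5900}"; pwfile="${3:-.vnc/passwd}"
  port_free "$lport" || { echo "127.0.0.1:$lport is already in use" >&2; exit 1; }
  log=$(mktemp)
  # -n: no stdin, so the backgrounded ssh never blocks on a prompt (key auth assumed).
  ssh -n -L "$(tunnel_spec "$lport" 5900)" "$host" "$(remote_command "$pwfile")" \
    >"$log" 2>&1 &
  sshpid=$!
  trap 'kill "$sshpid" 2>/dev/null; rm -f "$log"' EXIT   # tear down however we exit
  wait_for_vnc "$log" 20 || { echo "x11vnc did not come up:" >&2; cat "$log" >&2; exit 1; }
  vinagre "localhost:$lport"
}

# Only run when invoked with a host argument, e.g.: ./vnc-tunnel.sh myserver.example
if [ $# -gt 0 ]; then main "$@"; fi
```

Binding to 127.0.0.1 on the client side mirrors -localhost on the server side: both ends of the tunnel are reachable only from the machine they run on, and the only thing on the wire is ssh. If x11vnc fails to start (wrong password file, no X display), the script prints the captured output and exits instead of leaving vinagre waiting on a dead port.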
Maybe this solution is obvious anyway but it appeared pretty cool to me – so I just wrote about it.