8.22. Tunneling TightVNC Between Linux and Windows

You're not comfortable with VNC's lack of data encryption and its weak authentication, so you want to know how to add strong security, especially for traffic over untrusted networks. And, you want something that works cross-platform (for example, when you administer Windows PCs from your Linux workstation).

Tunnel VNC over SSH.

We'll assume the following for this recipe:

To install Cygwin and OpenSSH on Windows, go to Cygwin.com (http://cygwin.com), and hit "Install Cygwin Now." This downloads a tiny setup.exe file; double-click this file to bring up the Cygwin installation menu.

The default installation will work fine, except you need to add OpenSSH. You'll find this in the Net submenu. Throw in ping for good measure; it will save you the hassle of opening a DOS window when you need to use ping while you're running Cygwin.

After installation, open a Cygwin bash shell (there should be a menu command "Cygwin Bash Shell"), then run:

	$ ssh-host-config

This generates new SSH keys and configuration files. Say "yes" to:

  • Privilege separation

  • Create a local user "sshd"

  • Install sshd as a service

Then, when prompted, set the CYGWIN environment variable to "ntsec tty".

Next, start up the ssh daemon:

	$ net start sshd
	The CYGWIN sshd service is starting.
	The CYGWIN sshd service was started successfully.

Download TightVNC from tightvnc.com (http://www.tightvnc.com/download.html), and install it onto your Win32 machine and reboot. You can access the Current User Properties by double-clicking on the VNC icon in the system tray. Do this to set a password, and then click the Advanced button. In the next menu, check "Allow Loopback Connections."

Test that you can reach the VNC server from the Linux machine with the password you set in the previous step by running vncviewer cygwin (or vncviewer [windows-IP-address]) on the Linux machine.

Next, let's generate a passwordless DSA key on the Linux PC. Accept the defaults for all questions by hitting Enter for each one:

	carla@Linux:~$ ssh-keygen -t dsa
	Generating public/private dsa key pair.
	Enter file in which to save the key (/home/carla/.ssh/id_dsa):
	Enter passphrase (empty for no passphrase):
	Enter same passphrase again:
	Your identification has been saved in /home/carla/.ssh/id_dsa.
	Your public key has been saved in /home/carla/.ssh/id_dsa.pub.
	The key fingerprint is:
	2b:cb:9a:df:f8:34:2d:2f:0c:29:76:5c:c6:52:43:92

Then, on the Windows machine, back at the Cygwin command line, copy the key from the Linux box:

	$ scp carla@Linux:.ssh/id_dsa.pub .
	$ cat id_dsa.pub >> .ssh/authorized_keys

Finally, test that the key allows you to log in to Windows without a password:

	carla@Linux:~$ ssh user@cygwin
	Last login: Sun Sep 24 15:42:48 2006 from 192.168.1.15

So, you can create the SSH tunnel from the Linux host to the Windows host with the following command:

	carla@Linux:~$ ssh -L 5900:localhost:5900 user@cygwin
	Last login: Sun Jun 3 20:59:54 2007 from 192.168.1.15
	Carla@cygwin ~
	$

Now that you are logged in, open a second terminal on your Linux machine, and fire up VNC:

	carla@Linux:~$ vncviewer localhost

You should be prompted for a password to the VNC server, make the connection, and just like in a bad movie, yell, "I'm in!"

Future logins will be easy—just create the tunnel, then run VNC.

It's easy to test that your VNC session is running over the SSH tunnel. Just log out from the SSH session, and VNC will go away.

SSH tunneling works with any operating system that runs SSH; it works great for Linux-on-Linux sessions, and is a must for connecting over the Internet. SSH is efficient, so you shouldn't see a performance hit.

You don't need to do anything different to VNC, just configure and use it as you normally would. Once the tunnel is established, use all the ordinary VNC commands.

Let's take a look at the command that created the tunnel:

	ssh -L 5900:windbag:5900 user@cygwin

The -L switch tells SSH to forward everything sent to the specified local port onward to the remote port and address. So, any traffic sent to TCP 5900 will be forwarded, not just VNC. (The VNC port is specified in the VNC server configuration.) You may, of course, use IP addresses instead of hostnames.

If you're tunneling over the Internet, be sure to use fully qualified domain names:

	$ ssh -L 5900:homepc.pinball.net:5900 cygwin.work.com

The second command:

	vncviewer windbag

must be directed to the local machine instead of the remote machine because the entrance to the tunnel is on the local PC.
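The two commands above, wrapped in a small POSIX shell script as an added example (not part of the recipe): it binds the tunnel entrance to 127.0.0.1 explicitly, fails loudly if the local port cannot be bound, converts the local port to the display number vncviewer expects, and closes the background ssh when the viewer exits. The SSH destination user@cygwin and remote port 5900 are the recipe's; the local port 5901 and the control-socket path are constructed choices.

```shell
#!/bin/sh
# Added example: tunnel VNC over SSH and clean up afterwards.
set -eu

CTL="${TMPDIR:-/tmp}/vnc-tunnel.sock"   # constructed control-socket path

# Build the -L spec. Binding to 127.0.0.1 explicitly keeps the tunnel
# entrance off the LAN even if ssh_config sets GatewayPorts.
forward_spec() {   # forward_spec LOCAL_PORT REMOTE_HOST REMOTE_PORT
    printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# vncviewer addresses displays, not ports: 5900 is :0, 5901 is :1, ...
# Ports outside 5900-5999 use the "host::port" form meaning a literal port.
vnc_target() {     # vnc_target PORT -> "localhost:N" or "localhost::PORT"
    port=$1
    if [ "$port" -ge 5900 ] && [ "$port" -lt 6000 ]; then
        printf 'localhost:%d' $((port - 5900))
    else
        printf 'localhost::%d' "$port"
    fi
}

# -N: no remote shell; -f: background after authentication; -M/-S: control
# socket so the tunnel can be closed by name; ExitOnForwardFailure makes ssh
# exit non-zero if the local port is taken instead of leaving a bare login.
open_tunnel() {    # open_tunnel LOCAL_PORT REMOTE_HOST REMOTE_PORT SSH_DEST
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$1" "$2" "$3")" "$4"
}

close_tunnel() {   # close_tunnel SSH_DEST
    ssh -S "$CTL" -O exit "$1"
}

main() {
    lport=5901 rhost=localhost rport=5900 dest=user@cygwin
    open_tunnel "$lport" "$rhost" "$rport" "$dest"
    # The viewer talks only to the tunnel entrance on the local machine.
    vncviewer "$(vnc_target "$lport")" || true
    close_tunnel "$dest"
}

# Run as "./vnc-tunnel.sh run"; sourcing the file only defines the functions.
[ "${1:-}" = "run" ] && main
```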

The CYGWIN=ntsec environment variable creates more Unix-like file permissions on Windows NTFS filesystems.

The CYGWIN=tty environment variable enables Bash job control.

Cygwin environment variables are in C:\cygwin.bat, which you may edit to suit.