Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.
Step 5: Securing the VNCServer with SSH
Now that we have the VNC server running, we should make it secure. To do this we tunnel the VNC traffic through SSH. This is important as it prevents the username and password from being captured by a third party when you first log in to the VNC server.
VNC Port Numbering
Before I go on, here is a quick note on VNC ports. Every vncserver instance that is created has a corresponding port number, which is calculated as 5900 + the service instance. Thus the ':1' server has a port number of 5901.
This is important as you will need to know the port number when creating the ssh tunnel.
Limit the vnc Server to Localhost connections
The first step in configuring our VNC server to tunnel its traffic over SSH is to limit the vncserver itself to only accept traffic from localhost. To do this we add the '-localhost' argument to the vncserver start command. As we will be tunneling our traffic over SSH to the machine, our VNC connection will appear as a local connection to the VNC server.
vncserver -geometry 1024x768 -alwaysshared -localhost -dpi 96 :1
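A quick way to confirm the restriction took effect, as an added example that is not part of the original post: the shell function below reads `ss -ltn` output and reports any VNC listener (port 5900 + display, assuming displays 0 to 99) that is bound to something other than loopback. The function name and both sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag VNC listeners that are reachable from the network.
# Reads `ss -ltn` output on stdin; prints one line per exposed listener.
# Assumption: VNC displays 0-99, i.e. TCP ports 5900-5999.

vnc_exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        addr = $4                          # "Local Address:Port" column
        n = split(addr, parts, ":")
        port = parts[n] + 0                # port follows the last colon
        if (port < 5900 || port > 5999) next
        # Everything before the last colon is the bind address
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        # Loopback binds are what -localhost should produce
        if (host ~ /^127\./ || host == "[::1]") next
        printf "display :%d (port %d) listening on %s\n", port - 5900, port, host
    }'
}

# Constructed sample: vncserver started WITHOUT -localhost
sample_exposed='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*'

# Constructed sample: vncserver started WITH -localhost
sample_localhost='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      5      [::1]:5901         [::]:*'

echo "Without -localhost:"
printf '%s\n' "$sample_exposed" | vnc_exposed_listeners
echo "With -localhost (no lines expected):"
printf '%s\n' "$sample_localhost" | vnc_exposed_listeners
```

On the server itself, run `ss -ltn | vnc_exposed_listeners`; no output means every VNC display is bound to loopback only.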
Connect to the Server using SSH CLI
As the server now only accepts connections from localhost, connecting to the VNC server now consists of two steps. The first step is to connect to the actual server using SSH.
If you are using Linux or have a CLI SSH client installed, use the following command. Remember that 5901 is the port number for the vncserver instance '1', and 8900 is the port number we assign on our local computer to accept the traffic from our vncviewer.
ssh IP_OF_TARGET_MACHINE -L 8900/localhost/5901
Now we start the vncviewer on the local computer, but instead of supplying the ip:vncinstance_number of the server we supply the value localhost:8900.
Connect to the Server using SSH and PuTTY
An alternative method, which I use, is to set up the tunnel with the PuTTY SSH client. Start PuTTY and create a new session for your server.
Once you have created the new session, open the 'tunnels' option and enter the source port of 5901, where 5901 refers to the port number for the vncserver instance '1'. Then enter the destination as 'localhost:5901'. Add this to the forwarded ports, save the session and open the connection.
Now that we have established the SSH connection, the last step is to open the vncviewer. This time we supply the target 'localhost:1'.