Author: Steven Neiland

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Step 5: Securing the VNCServer with SSH

Now that we have the VNC server running, we should make it secure. To do this we tunnel the VNC traffic through SSH. This is important because it prevents the username and password from being captured by a third party when you first log in to the VNC server.

VNC Port Numbering

Before I go on, here is a quick note on VNC ports. Every vncserver instance that is created has a corresponding port number, which is calculated as 5900 + the service instance. Thus the ':1' server has a port number of 5901.

This is important as you will need to know the port number when creating the ssh tunnel.

Limit the vnc Server to Localhost connections

The first step in configuring our VNC server to tunnel its traffic over SSH is to limit the vncserver itself to only accept traffic from localhost. To do this we add the '-localhost' argument to the vncserver start command. Because we will be tunneling our traffic over SSH to the machine, our VNC connection will appear to the VNC server as a local connection.

vncserver -geometry 1024x768 -alwaysshared -localhost -dpi 96 :1

Connect to the Server using SSH CLI

As the server now only accepts connections from localhost, connecting to the vnc server now consists of two steps. The first step is to connect to the actual server using SSH.

If you are using Linux or have a CLI SSH client installed, use the following command. Remember that 5901 is the port number for the vncserver instance '1', and 8900 is the port number we assign on our local computer to accept the traffic from our vncviewer.

ssh IP_OF_TARGET_MACHINE -L 8900/localhost/5901

Now we start the vncviewer on the local computer, but instead of supplying the ip:vncinstance_number we supply the localhost:8900 value.

vncviewer localhost:8900

Connect to the Server using SSH and Putty

An alternative method, which I use, is to use the PuTTY SSH client to set up the tunnel. Start PuTTY and create a new session for your server.

Once you have created the new session, open the 'tunnels' option and enter the source port of 5901, where 5901 refers to the port number for the vncserver instance '1'. Then enter the destination as 'localhost:5901'. Add this to the forwarded ports, save the session and open the connection.

Now that we have established the SSH connection, the last step is to open the vncviewer. This time we supply the following target: 'localhost:1'.
