Making VNC more secure using SSH
VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure; the password is not sent over the network. Once you are connected, however, traffic between the viewer and the server is unencrypted, and could be snooped by someone with access to the intervening network. We therefore recommend that if security is important to you, you ‘tunnel’ the VNC protocol through some more secure channel such as SSH.If you are using Unix, this is pretty easy; SSH clients and servers are freely available for Unix. Clients are also available for Windows, Macs, and other machines, but if you want servers on these platforms you may need to go for a commercial version, or to route your connection via a Unix machine (see later). There are links at the bottom of this page to point you in the right direction for all of these things. The rest of this document refers to the Unix world, though the techniques will be relevant for other systems. Frank Stajano has contributed a page which describes how he uses a free Windows SSH client to connect to a Unix server.
We won’t go into details here about how to install SSH. For my Linux machine I found two RPMs called ssh-clients and ssh-server. I downloaded the source versions, built, and installed them, and this did almost everything, including the generation of a key for my machine.
You can get RPMs at http://rufus.w3.org/linux/RPM/ – for other distributions see the SSH FAQ.
SSH normally just provides you with a ‘Secure SHell’ – i.e. a login window to a remote machine. All traffic is encrypted between the two machines using public key encryption techniques, making it really very difficult for anyone else to spy on it. Once SSH is installed, you could connect to a machine called ‘snoopy’ from elsewhere simply by running the SSH client: ssh snoopy
(You may need more options depending on your situation). You would then be prompted for the password of your account on snoopy and you would be logged in, just like a telnet session, but safer. However, SSH has some nice extra tricks up its sleeve. You can also request that it listens on a particular port on your local machine, and forwards that down the secure connection to a port on a machine at the other end. For example,
ssh -L x:localhost:y snoopy
means “Start an SSH connection to snoopy, and also listen on port x on my machine, and forward any connections there to port y on snoopy.”
Now, the VNC protocol normally uses port 59xx, where xx is the display number of the server. So a VNC server on a Windows machine, which normally uses display number 0, will listen on port 5900. Most Unix VNC servers will probably use display numbers 1,2, etc and so will be listening on ports 5901, 5902 and so forth. If you forward these ports to a remote machine, you can make the remote VNC server appear to be a server running on your local machine.
So, imagine you had a VNC server running as display :1 on machine snoopy, and you wanted a secure connection to it from your local machine. You could start the ssh session using:
ssh -L 5902:localhost:5901 snoopy
and any references to display :2 on your local machine would actually connect to display :1 on snoopy.
Note that the above SSH command-line is deliberately meant to accept incoming connections only from the local machine. This means that to use the SSH connection that we have just set up, we must connect to it from the same machine, using the special name ‘localhost’, rather than using the machine’s own unique name.
So instead of running a vncviewer:
you could run: